Changed IIS parser to support User-Agent with square brackets (#4910)

log2timeline · Oct 11, 2024 · fdc687c · fdc687c
1 parent fc65934
commit fdc687c
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 3 deletions.
diff --git a/plaso/parsers/text_plugins/iis.py b/plaso/parsers/text_plugins/iis.py
@@ -111,6 +111,9 @@ class WinIISTextPlugin(interface.TextPlugin):
   _URI_STEM = (pyparsing.Word(
       pyparsing.alphanums + _URI_SAFE_CHARACTERS + '$') | _BLANK)
 
+  _UA = pyparsing.Word(
+      pyparsing.alphanums + _URI_SAFE_CHARACTERS + '[]') | _BLANK
+
   # Per https://blogs.iis.net/nazim/use-of-special-characters-like-in-an-iis-url
   # IIS does not require that a query comply with RFC1738 restrictions on valid
   # URI characters
@@ -157,7 +160,7 @@ class WinIISTextPlugin(interface.TextPlugin):
       PORT.set_results_name('dest_port') +
       _USERNAME.set_results_name('cs_username') +
       _IP_ADDRESS.set_results_name('source_ip') +
-      _URI.set_results_name('user_agent') +
+      _UA.set_results_name('user_agent') +
       _INTEGER.set_results_name('sc_status') +
       _INTEGER.set_results_name('sc_substatus') +
       _INTEGER.set_results_name('sc_win32_status') +
@@ -185,7 +188,7 @@ class WinIISTextPlugin(interface.TextPlugin):
   _LOG_LINE_STRUCTURES['cs-username'] = _USERNAME.set_results_name(
       'cs_username')
   _LOG_LINE_STRUCTURES['c-ip'] = _IP_ADDRESS.set_results_name('source_ip')
-  _LOG_LINE_STRUCTURES['cs(User-Agent)'] = _URI.set_results_name('user_agent')
+  _LOG_LINE_STRUCTURES['cs(User-Agent)'] = _UA.set_results_name('user_agent')
   _LOG_LINE_STRUCTURES['sc-status'] = _INTEGER.set_results_name('http_status')
   _LOG_LINE_STRUCTURES['sc-substatus'] = _INTEGER.set_results_name(
       'sc_substatus')

diff --git a/test_data/iis10_edge_cases.log b/test_data/iis10_edge_cases.log
@@ -16,3 +16,4 @@
 2022-01-01 18:42:55 ::1 GET /rancertloc/logoff.aspx ActID=werwer-3e02-56456-ererere545-sdf8798798dfh 444 RaDomain\RandomMailbox3242354 ::1 Mozilla/4.0+(compatible;+MSIE+12.0;+Trident/7.0;+rv:12.0;+Windows+NT+6.1;+MSEXCHMON;+ACTIVEMONITORING;+BACKLOOK) - 302 0 0 5
 2022-01-01 00:01:24 ::1 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.4467 444  random/ranuser1 ::1 Microsoft+WinRM+Client - 200 0 0 15
 2022-01-01 00:01:24 ::1 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.4467 444  ranuser1@random ::1 Microsoft+WinRM+Client - 200 0 0 15
+2022-01-01 00:01:24 ::1 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.4467 444  random\ranuser1 ::1 Mozilla/5.0+(Linux;+Android+5.0;+SM-G900P+Build/LRX21T;+wv)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Version/4.0+Chrome/43.0.2357.121+Mobile+Safari/537.36+[FB_IAB/FB4A;FBAV/35.0.0.48.273;] - 200 0 0 15
diff --git a/tests/parsers/text_plugins/iis.py b/tests/parsers/text_plugins/iis.py
@@ -176,7 +176,7 @@ def testProcessWithIIS10Log(self):
 
     number_of_event_data = storage_writer.GetNumberOfAttributeContainers(
         'event_data')
-    self.assertEqual(number_of_event_data, 14)
+    self.assertEqual(number_of_event_data, 15)
 
     number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
         'extraction_warning')