From d3a3260d783868d3e8665700b16e640c4ec34601 Mon Sep 17 00:00:00 2001
From: pyllyukko
Date: Thu, 10 Oct 2024 18:45:34 +0300
Subject: [PATCH 1/4] IIS parser: Added additional characters for cs(Cookie) field

---
 plaso/parsers/text_plugins/iis.py |  4 +++-
 test_data/iis10_cookies.log       |  7 +++++++
 tests/parsers/text_plugins/iis.py | 17 +++++++++++++++++
 3 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 test_data/iis10_cookies.log

diff --git a/plaso/parsers/text_plugins/iis.py b/plaso/parsers/text_plugins/iis.py
index f02539ec18..9a00e8f8a6 100644
--- a/plaso/parsers/text_plugins/iis.py
+++ b/plaso/parsers/text_plugins/iis.py
@@ -114,6 +114,8 @@ class WinIISTextPlugin(interface.TextPlugin):
   _UA = pyparsing.Word(
       pyparsing.alphanums + _URI_SAFE_CHARACTERS + '[]') | _BLANK
 
+  _COOKIE = pyparsing.Word(pyparsing.alphanums + _URI_SAFE_CHARACTERS + '@{}"\\') | _BLANK
+
   # Per https://blogs.iis.net/nazim/use-of-special-characters-like-in-an-iis-url
   # IIS does not require that a query comply with RFC1738 restrictions on valid
   # URI characters
@@ -204,7 +206,7 @@ class WinIISTextPlugin(interface.TextPlugin):
   _LOG_LINE_STRUCTURES['time-taken'] = _INTEGER.set_results_name('time_taken')
   _LOG_LINE_STRUCTURES['cs-version'] = _URI.set_results_name('protocol_version')
   _LOG_LINE_STRUCTURES['cs-host'] = _URI.set_results_name('cs_host')
-  _LOG_LINE_STRUCTURES['cs(Cookie)'] = _URI.set_results_name('cs_cookie')
+  _LOG_LINE_STRUCTURES['cs(Cookie)'] = _COOKIE.set_results_name('cs_cookie')
   _LOG_LINE_STRUCTURES['cs(Referrer)'] = _URI.set_results_name('cs_referrer')
   _LOG_LINE_STRUCTURES['cs(Referer)'] = _URI.set_results_name('cs_referrer')
 
diff --git a/test_data/iis10_cookies.log b/test_data/iis10_cookies.log
new file mode 100644
index 0000000000..bde768e3b9
--- /dev/null
+++ b/test_data/iis10_cookies.log
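Review bot: The new `_COOKIE` token in the first hunk still parses cs(Cookie) with a fixed allow-list, so a cookie carrying any other printable character (for example `;` or `%`, if those are not part of `_URI_SAFE_CHARACTERS`, which is defined outside this hunk) fails to match and the entire request line ends up as an extraction warning instead of an event; cookie values are client-controlled, so this is a cheap way for a request to drop out of a timeline. IIS writes W3C fields as single whitespace-free tokens (spaces become `+`, as the User-Agent values in the fixture show), so a token-based grammar is more robust than extending the character list one patch at a time: `_COOKIE = pyparsing.Word(pyparsing.printables) | _BLANK`. If `_BLANK` is a `-` literal, the alternation order then matters, since a lone `-` also satisfies `Word(printables)`. The same definition is re-wrapped in PATCH 4/4 and would change in the same way.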
@@ -0,0 +1,7 @@
+#Date: 2021-04-01 00:00:21
+#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
+#Software: Microsoft Internet Information Services 10.0
+#Version: 1.0
+2021-04-01 00:00:21 111.111.111.111 GET /foo/bar/baz.asp - 80 - 222.222.222.222 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/35.0.2309.372+Safari/537.36 OutlookSession="{AAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}" http://111.111.111.111/ 200 0 0 65
+2021-04-01 00:00:21 111.111.111.111 GET /foo/bar/baz.asp - 80 - 222.222.222.222 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/35.0.2309.372+Safari/537.36 username=realm\user http://111.111.111.111/ 200 0 0 65
+2021-04-01 00:00:21 111.111.111.111 GET /foo/bar/baz.asp - 80 - 222.222.222.222 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/35.0.2309.372+Safari/537.36 username=realm@user http://111.111.111.111/ 200 0 0 65
diff --git a/tests/parsers/text_plugins/iis.py b/tests/parsers/text_plugins/iis.py
index 3bca497afd..8d8a409e84 100644
--- a/tests/parsers/text_plugins/iis.py
+++ b/tests/parsers/text_plugins/iis.py
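Review bot: The fixture exercises `@`, `{}`, `"` and `\` but has no row with more than one cookie, which is the most common real-world shape of this field: IIS writes it as `;`-separated name=value pairs with the separating space replaced by `+`, the same encoding visible in the User-Agent column here. A fourth row such as `name1=value1;+name2=value2` (constructed sample) would pin that case; if `;` is not in `_URI_SAFE_CHARACTERS` (defined outside this patch) that row would currently fail to parse, which the warning-count assertions in tests/parsers/text_plugins/iis.py would surface.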
@@ -186,6 +186,23 @@ def testProcessWithIIS10Log(self):
         'recovery_warning')
     self.assertEqual(number_of_warnings, 0)
 
+    """Tests the Process function with an IIS 10 log file with cs(Cookie) field."""
+    plugin = iis.WinIISTextPlugin()
+    storage_writer = self._ParseTextFileWithPlugin(
+        ['iis10_cookies.log'], plugin)
+
+    number_of_event_data = storage_writer.GetNumberOfAttributeContainers(
+        'event_data')
+    self.assertEqual(number_of_event_data, 3)
+
+    number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
+        'extraction_warning')
+    self.assertEqual(number_of_warnings, 0)
+
+    number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
+        'recovery_warning')
+    self.assertEqual(number_of_warnings, 0)
+
 
 if __name__ == '__main__':
   unittest.main()

From 11b5c8268884d88a0e20462cfdf5016b63b396b1 Mon Sep 17 00:00:00 2001
From: Joachim Metz
Date: Sat, 12 Oct 2024 08:06:18 +0200
Subject: [PATCH 2/4] Update iis.py

---
 tests/parsers/text_plugins/iis.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/parsers/text_plugins/iis.py b/tests/parsers/text_plugins/iis.py
index 8d8a409e84..628c85247d 100644
--- a/tests/parsers/text_plugins/iis.py
+++ b/tests/parsers/text_plugins/iis.py
@@ -186,6 +186,7 @@ def testProcessWithIIS10Log(self):
         'recovery_warning')
     self.assertEqual(number_of_warnings, 0)
 
+  def testProcessWithIIS10LogAndCookieField(self):
     """Tests the Process function with an IIS 10 log file with cs(Cookie) field."""
     plugin = iis.WinIISTextPlugin()
     storage_writer = self._ParseTextFileWithPlugin(

From b0e2b9fcd2f2e19929dc5a740417bf0bc525f096 Mon Sep 17 00:00:00 2001
From: Joachim Metz
Date: Sat, 12 Oct 2024 08:43:59 +0200
Subject: [PATCH 3/4] Update iis.py

---
 tests/parsers/text_plugins/iis.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/parsers/text_plugins/iis.py b/tests/parsers/text_plugins/iis.py
index 628c85247d..8306eb53f1 100644
--- a/tests/parsers/text_plugins/iis.py
+++ b/tests/parsers/text_plugins/iis.py
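Review bot: The new test body asserts only container counts (3 event_data, 0 warnings) and never reads the parsed `cs_cookie` attribute, so it pins "the three rows parse" but not "the cookie value survives intact", which is the property this patch is about. Fetch at least one event_data container from `storage_writer` and compare its `cs_cookie` with the fixture literal, e.g. `OutlookSession="{AAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}"`, following whatever expected-values pattern the other tests in this file presumably use. The enclosing test method's `def` line and the class header are outside this hunk.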
@@ -187,7 +187,7 @@ def testProcessWithIIS10Log(self):
     self.assertEqual(number_of_warnings, 0)
 
   def testProcessWithIIS10LogAndCookieField(self):
-    """Tests the Process function with an IIS 10 log file with cs(Cookie) field."""
+    """Tests the Process function with an IIS 10 log file and cs(Cookie)."""
     plugin = iis.WinIISTextPlugin()
     storage_writer = self._ParseTextFileWithPlugin(
         ['iis10_cookies.log'], plugin)

From f0402b2c0c4d55924290b6e8bd5bb407be4c61a9 Mon Sep 17 00:00:00 2001
From: Joachim Metz
Date: Sat, 12 Oct 2024 09:11:29 +0200
Subject: [PATCH 4/4] Update iis.py

---
 plaso/parsers/text_plugins/iis.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/plaso/parsers/text_plugins/iis.py b/plaso/parsers/text_plugins/iis.py
index 9a00e8f8a6..f235046a6f 100644
--- a/plaso/parsers/text_plugins/iis.py
+++ b/plaso/parsers/text_plugins/iis.py
@@ -114,7 +114,8 @@ class WinIISTextPlugin(interface.TextPlugin):
   _UA = pyparsing.Word(
       pyparsing.alphanums + _URI_SAFE_CHARACTERS + '[]') | _BLANK
 
-  _COOKIE = pyparsing.Word(pyparsing.alphanums + _URI_SAFE_CHARACTERS + '@{}"\\') | _BLANK
+  _COOKIE = pyparsing.Word(
+      pyparsing.alphanums + _URI_SAFE_CHARACTERS + '@{}"\\') | _BLANK
 
   # Per https://blogs.iis.net/nazim/use-of-special-characters-like-in-an-iis-url
   # IIS does not require that a query comply with RFC1738 restrictions on valid