dissect.target.plugins.apps.webserver.iis

Module Contents

Classes

IISLogsPlugin

IIS 7 (and above) logs plugin.

Functions

replace_dash_with_none

Replace "-" placeholder in dict values with None

normalise_field_name

Replace all characters that are not allowed in the field name by flow.record

Attributes

dissect.target.plugins.apps.webserver.iis.LOG_RECORD_NAME = 'filesystem/windows/iis/logs'
dissect.target.plugins.apps.webserver.iis.BASIC_RECORD_FIELDS = [('datetime', 'ts'), ('net.ipaddress', 'client_ip'), ('net.ipaddress', 'server_ip'), ('string',...
dissect.target.plugins.apps.webserver.iis.BasicRecordDescriptor
dissect.target.plugins.apps.webserver.iis.FIELD_NAME_INVALID_CHARS_RE
class dissect.target.plugins.apps.webserver.iis.IISLogsPlugin(target)

Bases: dissect.target.plugins.apps.webserver.webserver.WebserverPlugin

IIS 7 (and above) logs plugin.

References

APPLICATION_HOST_CONFIG = 'sysvol/windows/system32/inetsrv/config/applicationHost.config'
DEFAULT_LOG_PATHS = ['sysvol\\Windows\\System32\\LogFiles\\W3SVC*\\*.log',...
__namespace__ = 'iis'
check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

get_log_dirs() → list[tuple[str, pathlib.Path]]
iter_log_format_path_pairs() → list[tuple[str, str]]
parse_autodetect_format_log(path: pathlib.Path) → Iterator[BasicRecordDescriptor]
parse_iis_format_log(path: pathlib.Path) → Iterator[BasicRecordDescriptor]

Parse log file in IIS format and stream log records.

This format is not the default IIS log format.

References

parse_w3c_format_log(path: pathlib.Path) → Iterator[dissect.target.helpers.record.TargetRecordDescriptor]

Parse log file in W3C format and stream log records.

This is the default logging format for IIS [^3].

References

logs() → Iterator[dissect.target.helpers.record.TargetRecordDescriptor]

Return contents of IIS (v7 and above) log files.

Internet Information Services (IIS) for Windows Server is a manageable web server for hosting anything on the web. Log files might, for example, contain traces that indicate that the web server has been exploited. Supported log formats: IIS, W3C.

access() → Iterator[dissect.target.plugins.apps.webserver.webserver.WebserverAccessLogRecord]

Return contents of IIS (v7 and above) log files in unified WebserverAccessLogRecord format.

See function iis.logs for more information and more verbose IIS records.

dissect.target.plugins.apps.webserver.iis.replace_dash_with_none(data: dict) → dict

Replace “-” placeholder in dict values with None

dissect.target.plugins.apps.webserver.iis.normalise_field_name(field: str) → str

Replace all characters that are not allowed in the field name by flow.record with _, and strip all hanging _ from start / end of the string.
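
The W3C parsing flow documented above, with the "-" placeholder replacement and field-name normalisation applied to each entry, as an added example that is not dissect's own code. The function names, the allowed-character set and the sample log are assumptions constructed for illustration.

```python
import re
from typing import Iterator

# Assumption: only ASCII letters, digits and "_" are valid in a record field name.
INVALID_CHARS_RE = re.compile(r"[^a-zA-Z0-9_]")

# Constructed sample W3C log (documentation IP ranges); not from a real server.
SAMPLE_W3C_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2024-01-01 10:00:01 192.0.2.10 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0+(X11) 200 15
#Fields: date time c-ip cs-uri-stem sc-status
2024-01-01 10:05:00 198.51.100.7 /login.aspx 401
2024-01-01 10:05:01 198.51.100.7
"""


def normalise(field: str) -> str:
    """Replace characters outside the assumed allowed set with "_", strip hanging "_"."""
    return INVALID_CHARS_RE.sub("_", field).strip("_")


def dash_to_none(data: dict) -> dict:
    """Replace the "-" placeholder used for empty values with None."""
    return {key: (None if value == "-" else value) for key, value in data.items()}


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per log entry, mapped with the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # A new #Fields line may appear mid-file; later entries use the new layout.
            fields = [normalise(name) for name in line[len("#Fields:"):].split()]
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date) hold no entries
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # no header seen yet, or truncated entry: skip, do not mis-map
        yield dash_to_none(dict(zip(fields, values)))


if __name__ == "__main__":
    for entry in parse_w3c(SAMPLE_W3C_LOG):
        print(entry)
```

The truncated last line of the sample is skipped instead of being mapped onto the wrong columns, which matters when a log was cut off mid-write or tampered with.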