dissect.target.plugins.apps.webserver.iis

Module Contents

Classes

IISLogsPlugin

IIS 7 (and above) logs plugin.

Functions

replace_dash_with_none

Replace "-" placeholder in dict values with None

normalise_field_name

Replace all characters that are not allowed in the field name by flow.record with _

Attributes

dissect.target.plugins.apps.webserver.iis.LOG_RECORD_NAME = 'filesystem/windows/iis/logs'
dissect.target.plugins.apps.webserver.iis.BASIC_RECORD_FIELDS = [('datetime', 'ts'), ('net.ipaddress', 'client_ip'), ('net.ipaddress', 'server_ip'), ('string',...
dissect.target.plugins.apps.webserver.iis.BasicRecordDescriptor
dissect.target.plugins.apps.webserver.iis.FIELD_NAME_INVALID_CHARS_RE
class dissect.target.plugins.apps.webserver.iis.IISLogsPlugin(target)

Bases: dissect.target.plugins.apps.webserver.webserver.WebserverPlugin

IIS 7 (and above) logs plugin.

APPLICATION_HOST_CONFIG = 'sysvol/windows/system32/inetsrv/config/applicationHost.config'
DEFAULT_LOG_PATHS = ['sysvol\\Windows\\System32\\LogFiles\\W3SVC*\\*.log',...
__namespace__ = 'iis'
check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

get_log_dirs() → list[tuple[str, pathlib.Path]]
iter_log_format_path_pairs() → list[tuple[str, str]]
parse_autodetect_format_log(path: pathlib.Path) → Iterator[BasicRecordDescriptor]
parse_iis_format_log(path: pathlib.Path) → Iterator[BasicRecordDescriptor]

Parse log file in IIS format and stream log records.

This format is not the default IIS log format.

parse_w3c_format_log(path: pathlib.Path) → Iterator[dissect.target.helpers.record.TargetRecordDescriptor]

Parse log file in W3C format and stream log records.

This is the default logging format for IIS [^3].

logs() → Iterator[dissect.target.helpers.record.TargetRecordDescriptor]

Return contents of IIS (v7 and above) log files.

Internet Information Services (IIS) for Windows Server is a manageable web server for hosting anything on the web. Log files might, for example, contain traces that indicate that the web server has been exploited. Supported log formats: IIS, W3C.

access() → Iterator[dissect.target.plugins.apps.webserver.webserver.WebserverAccessLogRecord]

Return contents of IIS (v7 and above) log files in unified WebserverAccessLogRecord format.

See function iis.logs for more information and more verbose IIS records.

dissect.target.plugins.apps.webserver.iis.replace_dash_with_none(data: dict) → dict

Replace “-” placeholder in dict values with None

dissect.target.plugins.apps.webserver.iis.normalise_field_name(field: str) → str

Replace all characters that are not allowed in the field name by flow.record with _, and strip all hanging _ from start / end of the string.
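The W3C parsing flow and the two helper functions described above, as an added stand-alone sketch that is not dissect.target's own code. The function names, the character class standing in for FIELD_NAME_INVALID_CHARS_RE (its value is not shown on this page) and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Assumption: stand-in for FIELD_NAME_INVALID_CHARS_RE, whose value this page does not show.
INVALID_CHARS_RE = re.compile(r"[^a-zA-Z0-9]")

def normalise(field: str) -> str:
    """Replace disallowed characters with _ and strip hanging _ from both ends."""
    return INVALID_CHARS_RE.sub("_", field).strip("_")

def dash_to_none(data: dict) -> dict:
    """Turn the W3C "-" placeholder (field not logged / empty) into None."""
    return {k: (None if v == "-" else v) for k, v in data.items()}

def parse_w3c(lines):
    """Yield one dict per log entry, following #Fields directives as they change."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The field set can change mid-file (e.g. after a logging config change).
            fields = [normalise(f) for f in line[len("#Fields:"):].split()]
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # no header seen yet, or a truncated / corrupt entry
        row = dash_to_none(dict(zip(fields, values)))
        if row.get("date") and row.get("time"):
            stamp = f"{row['date']} {row['time']}"  # W3C timestamps are UTC
            row["ts"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        yield row

# Constructed sample log (documentation-range IP addresses), not from a real server.
SAMPLE = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-15 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2024-01-15 08:00:01 192.0.2.10 GET /index.html - 198.51.100.7 Mozilla/5.0+(X11) 200
2024-01-15 08:00:02 192.0.2.10 POST /upload.aspx id=1 198.51.100.7 - 500
2024-01-15 08:00:03 192.0.2.10 GET
#Fields: date time c-ip sc-status
2024-01-15 09:00:00 198.51.100.8 404
""".splitlines()

if __name__ == "__main__":
    for record in parse_w3c(SAMPLE):
        print(record)
```

Entries whose value count does not match the active #Fields header are skipped here; in an investigation such lines are worth counting separately, since truncated entries can mark a crash or an interrupted write.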