RE: Win2k3 logging the IP address of failed FTP attempts

["Evans, Arian" <Arian.Evans () fishnetsecurity com>]

IIS logging is performed independently of the operating system.

http://www.microsoft.com/windows2000/en/server/iis/default.asp?url=/WINDOWS2000/en/server/iis/htm/core
/iiabtlg.htm

There are several tools you could use to parse the IIS logs and
dump them into event viewer entries. I once used some flakey
web agents from Pentasafe, unsure if NetIQ has maintained these.

Surely there are others, too. McAfee Entercept has an IIS agent,
and eEye still sells "SecureIIS", you might see if either
of these do this sort of thing. Or feature-request from the
vendor. You also could write a WSH script to do this and
then run it through the Windows scheduler.

I used to do something similar to recycle Citrix nFuse sessions,
and it worked fine.

Since you simply need to parse text files, I'm sure there
are a hundred ways to skin that cat.

-ae


> -----Original Message-----
> From: Ian [mailto:webappsec2 () fishnet co uk] 
> Sent: Monday, June 12, 2006 10:51 AM
> To: webappsec () securityfocus com
> Subject: OT: Win2k3 logging the IP address of failed FTP attempts
>
> Hi,
>
> Sorry for the slightly off topic question but I find myself 
> at a loss and would like to query 
> your collective intelligence.
>
> We have a win2k3 web server which hosts a few hundred 
> domains.  Recently I have 
> noticed a load of brute force attempts against the 
> administrator account coming from 
> China. Not unusual but today I noticed ;)
>
> Unfortunately the IP address is not logged to the event log 
> so I have had to use 
> TCPView from SysInternals to figure out where they are coming 
> from so I can block 
> them at the firewall. (Easier than looking through the FTP 
> logs of a hundred+ sites.)
>
> Does anyone know of a way to get the IP address into the 
> event log? I have all the 
> auditing rules switched on (ie. success,failure) but with no results.
>
> I wish to get the IP address so I could then automate the 
> blocking of IPs for a set period 
> of time.
>
> Sorry to post this here but a full work day of googling has 
> left me with nothing.
>
> Regards
>
> Ian
> -- 
>
>
> --------------------------------------------------------------
> -----------
> Sponsored by: Watchfire
>
> Watchfire's AppScan is the industry's first and leading web 
> application 
> security testing suite, and the only solution to provide 
> comprehensive 
> remediation tasks at every level of the application. Change 
> the way you 
> think about application security testing - See for yourself. 
> Download a Free Trial of AppScan 6.0 today!
>
> https://www.watchfire.com/securearea/appscansix.aspx?id=701300
> 000007kaF
> --------------------------------------------------------------
> ------------

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. Change the way you
think about application security testing - See for yourself.
Download a Free Trial of AppScan 6.0 today!

https://www.watchfire.com/securearea/appscansix.aspx?id=701300000007kaF
--------------------------------------------------------------------------