IIS parser: add support for IPv6 addresses with zone index #4903

Open
pyllyukko opened this issue Oct 4, 2024 · 0 comments
Labels: enhancement (New or improved functionality), parsers (Issues related to parsers and parser plug-ins)

Comments

@pyllyukko
Contributor

Problem

Plaso's IIS parser is unable to cope with IPv6 addresses with zone index (e.g. %3 suffix). pyparsing's common.ipv6_address doesn't seem to take this into account.

To Reproduce

  • Plaso version: 20240826 (via Docker)
  • OS: Debian 12

To reproduce you can try to parse the following log line with Plaso:

```
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-08-07 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-01-01 00:01:24 fe80::1ff:fe23:4567:890a%3 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.4467 444  random\ranuser1 ::1 Microsoft+WinRM+Client - 200 0 0 15
```

The method used to install Plaso: Docker

Expected behavior

Plaso should be able to parse log lines that have IPv6 addresses with zone index.

Observed behavior

Plaso produces an extraction warning with "unable to parse log line":

```
******************* Extraction warnings generated per parser *******************
Parser (plugin) name : Number of warnings
--------------------------------------------------------------------------------
         text/winiis : 1
--------------------------------------------------------------------------------

************** Path specifications with most extraction warnings ***************
Number of warnings : Pathspec
--------------------------------------------------------------------------------
                 1 : type: OS, location: /data/evidences/iis10_edge_cases.log
--------------------------------------------------------------------------------

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 5 "2022-01-01 00:01:24
                     fe80::1ff:fe23:4567:890a%3 POST /powershell
                     clientApplica..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/evidences/iis10_edge_cases.log
--------------------------------------------------------------------------------
```

Additional context

Related issue: Unable to parse MS Exchange IIS 10 log lines #4566

@joachimmetz changed the title from "IIS parser: IPv6 addresses with zone index are not parsed properly" to "IIS parser: add support for IPv6 addresses with zone index" on Oct 6, 2024
@joachimmetz added the enhancement and parsers labels on Oct 6, 2024
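
The expected behaviour described in the issue, as an added example (not Plaso's code and not part of the original issue): a standard-library parser for the quoted log that splits a zone index off `s-ip`/`c-ip` before validating the address. The function names, the `-zone` keys and the alphanumeric-zone rule are assumptions made for this example; it does not use pyparsing.

```python
import ipaddress

# Constructed sample: the log lines quoted in the issue (raw string keeps "\r" literal).
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-08-07 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-01-01 00:01:24 fe80::1ff:fe23:4567:890a%3 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.4467 444  random\ranuser1 ::1 Microsoft+WinRM+Client - 200 0 0 15
"""

IP_FIELDS = ("s-ip", "c-ip")


def split_zone(value):
    """Return (ip_address object, zone or None); raise ValueError if invalid."""
    address, separator, zone = value.partition("%")
    parsed = ipaddress.ip_address(address)  # raises ValueError on a bad address
    if not separator:
        return parsed, None
    # Assumption: a zone index is only accepted on IPv6 and must be alphanumeric.
    if parsed.version != 6 or not zone.isalnum():
        raise ValueError(f"invalid zone index in {value!r}")
    return parsed, zone


def parse_iis_log(text):
    """Yield one dict per log entry, keyed by the latest #Fields directive."""
    fields = []
    for line_number, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split()  # tolerates the repeated space in the sample
        if len(values) != len(fields):
            raise ValueError(f"line {line_number}: field count mismatch")
        entry = dict(zip(fields, values))
        for name in IP_FIELDS:
            if entry.get(name, "-") != "-":
                address, zone = split_zone(entry[name])
                entry[name] = str(address)       # address without the zone
                entry[name + "-zone"] = zone     # "3" for the sample s-ip
        yield entry
```

Keeping the zone in its own key preserves the interface information for link-local addresses while leaving the address field comparable across log sources.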