Changed IIS parser to support cs(Cookie) field (#4911)

log2timeline · Oct 12, 2024 · 868aa0f · 868aa0f
1 parent 8b43a72
commit 868aa0f
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 1 deletion.
diff --git a/plaso/parsers/text_plugins/iis.py b/plaso/parsers/text_plugins/iis.py
@@ -114,6 +114,9 @@ class WinIISTextPlugin(interface.TextPlugin):
   _UA = pyparsing.Word(
       pyparsing.alphanums + _URI_SAFE_CHARACTERS + '[]') | _BLANK
 
+  _COOKIE = pyparsing.Word(
+      pyparsing.alphanums + _URI_SAFE_CHARACTERS + '@{}"\\') | _BLANK
+
   # Per https://blogs.iis.net/nazim/use-of-special-characters-like-in-an-iis-url
   # IIS does not require that a query comply with RFC1738 restrictions on valid
   # URI characters
@@ -204,7 +207,7 @@ class WinIISTextPlugin(interface.TextPlugin):
   _LOG_LINE_STRUCTURES['time-taken'] = _INTEGER.set_results_name('time_taken')
   _LOG_LINE_STRUCTURES['cs-version'] = _URI.set_results_name('protocol_version')
   _LOG_LINE_STRUCTURES['cs-host'] = _URI.set_results_name('cs_host')
-  _LOG_LINE_STRUCTURES['cs(Cookie)'] = _URI.set_results_name('cs_cookie')
+  _LOG_LINE_STRUCTURES['cs(Cookie)'] = _COOKIE.set_results_name('cs_cookie')
   _LOG_LINE_STRUCTURES['cs(Referrer)'] = _URI.set_results_name('cs_referrer')
   _LOG_LINE_STRUCTURES['cs(Referer)'] = _URI.set_results_name('cs_referrer')
 

diff --git a/test_data/iis10_cookies.log b/test_data/iis10_cookies.log
@@ -0,0 +1,7 @@
+#Date: 2021-04-01 00:00:21
+#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
+#Software: Microsoft Internet Information Services 10.0
+#Version: 1.0
+2021-04-01 00:00:21 111.111.111.111 GET /foo/bar/baz.asp - 80 - 222.222.222.222 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/35.0.2309.372+Safari/537.36 OutlookSession="{AAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}" http://111.111.111.111/ 200 0 0 65
+2021-04-01 00:00:21 111.111.111.111 GET /foo/bar/baz.asp - 80 - 222.222.222.222 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/35.0.2309.372+Safari/537.36 username=realm\user http://111.111.111.111/ 200 0 0 65
+2021-04-01 00:00:21 111.111.111.111 GET /foo/bar/baz.asp - 80 - 222.222.222.222 Mozilla/5.0+(Windows+NT+5.1)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/35.0.2309.372+Safari/537.36 username=realm@user http://111.111.111.111/ 200 0 0 65
diff --git a/tests/parsers/text_plugins/iis.py b/tests/parsers/text_plugins/iis.py
@@ -186,6 +186,24 @@ def testProcessWithIIS10Log(self):
         'recovery_warning')
     self.assertEqual(number_of_warnings, 0)
 
+  def testProcessWithIIS10LogAndCookieField(self):
+    """Tests the Process function with an IIS 10 log file and cs(Cookie)."""
+    plugin = iis.WinIISTextPlugin()
+    storage_writer = self._ParseTextFileWithPlugin(
+        ['iis10_cookies.log'], plugin)
+
+    number_of_event_data = storage_writer.GetNumberOfAttributeContainers(
+        'event_data')
+    self.assertEqual(number_of_event_data, 3)
+
+    number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
+        'extraction_warning')
+    self.assertEqual(number_of_warnings, 0)
+
+    number_of_warnings = storage_writer.GetNumberOfAttributeContainers(
+        'recovery_warning')
+    self.assertEqual(number_of_warnings, 0)
+
 
 if __name__ == '__main__':
   unittest.main()