Log Parser Plus example query
Query parameter hacking attempt - http://
Returns a listing of IP addresses that may be making a hacking attempt by passing a site address.
Statement:Notes: This query will only work if you are not expecting http:// to be present in a query parameter. Run another query against the logs to determine what files were requested by questionable IP addresses. Leave a comment on this query.
logparser -rtp:-1 -o:w3c "SELECT c-ip, COUNT(*) AS [Requests] INTO QueryParams-1c.log FROM ex0910*.log WHERE cs-uri-query IS NOT null and STRCNT(TO_LOWERCASE(cs-uri-query), 'http://') > 0 GROUP BY c-ip ORDER BY [Requests] DESC"
blog comments powered by Disqus