Log Parser Plus example query

Query parameter hacking attempt - http://

Returns a listing of IP addresses that may be making a hacking attempt by passing a site address.
  • iisw3c
logparser -rtp:-1 -o:w3c "SELECT c-ip, COUNT(*) AS [Requests] INTO QueryParams-1c.log FROM ex0910*.log WHERE cs-uri-query IS NOT null and STRCNT(TO_LOWERCASE(cs-uri-query), 'http://') > 0 GROUP BY c-ip ORDER BY [Requests] DESC"
Notes: This query will only work if you are not expecting http:// to be present in a query parameter. Run another query against the logs to determine what files were requested by questionable IP addresses. Leave a comment on this query.

View more examples.

blog comments powered by Disqus