Skip to content

IIS parser: add support for IPv6 addresses with zone index #4903

New issue
New issue
Open
Open
IIS parser: add support for IPv6 addresses with zone index#4903
Labels
enhancementNew or improved functionalityparsersIssues related to parsers and parser plug-ins
@pyllyukko

Description

@pyllyukko
pyllyukko
opened on Oct 4, 2024

Problem

Plaso's IIS parser is unable to cope with IPv6 addresses with zone index (e.g. %3 suffix). pyparsing's common.ipv6_address doesn't seem to take this into account.

To Reproduce

  • Plaso version: 20240826 (via Docker)
  • OS: Debian 12

To reproduce you can try to parse the following log line with Plaso:

#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-08-07 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-01-01 00:01:24 fe80::1ff:fe23:4567:890a%3 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.4467 444  random\ranuser1 ::1 Microsoft+WinRM+Client - 200 0 0 15

The method used to install Plaso: Docker

Expected behavior

Plaso should be able to parse log lines that have IPv6 addresses with zone index.

Observed behavior

Plaso produces an extraction warning with "unable to parse log line":

******************* Extraction warnings generated per parser *******************
Parser (plugin) name : Number of warnings
--------------------------------------------------------------------------------
         text/winiis : 1
--------------------------------------------------------------------------------

************** Path specifications with most extraction warnings ***************
Number of warnings : Pathspec
--------------------------------------------------------------------------------
                 1 : type: OS, location: /data/evidences/iis10_edge_cases.log
--------------------------------------------------------------------------------

**************************** Extraction warning: 0 *****************************
           Message : unable to parse log line: 5 "2022-01-01 00:01:24
                     fe80::1ff:fe23:4567:890a%3 POST /powershell
                     clientApplica..."
      Parser chain : text/winiis
Path specification : type: OS, location: /data/evidences/iis10_edge_cases.log
--------------------------------------------------------------------------------

Additional context

Related issue: Unable to parse MS Exchange IIS 10 log lines #4566

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew or improved functionalityparsersIssues related to parsers and parser plug-ins

    Type

    No type

    Projects

    Format support

    Status

    No status

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions