2 Replies Latest reply on Nov 7, 2014 1:59 AM by horse+cart

    How to detect changed source IP for same sessionID in IIS logs?

    horse+cart

      Hello,


      We have found some strange behaviour in our Microsoft IIS web server logs where IP address for an authenticated session seems to change, but retains the session ID. A sanitised extract from the log files is shown below:


      2014-09-20 02:22:45 W3SVC1 Servername 111.111.111.111 POST /XXXXXX.Application.Server/WebService/Account/AccountService.asmx - 80 - xxx.xxx.xxx.xxx HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.18449) AuditLogging_requestId=374aa2b1-04f5-4260-8607-8b20b0edce3e;+AuditLogging_MajorStepNumber=2;+AuditLogging_sessionId=ij10gqeemdp5d2rtlfdnc3f4;+ClientRemote_IP_Address=222.222.222.222 - ourapp.ourdomain 200 0 0 1621 2191 187

      2014-09-20 02:56:23 W3SVC1 Servername 111.111.111.111 POST /XXXXXX.Application.Server/WebService/Account/AccountService.asmx - 80 - xxx.xxx.xxx.xxx HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.18449) AuditLogging_requestId=d6a4f3ea-1908-4269-bdfc-9f492f6fbb83;+AuditLogging_MajorStepNumber=3;+AuditLogging_sessionId=ij10gqeemdp5d2rtlfdnc3f4;+ClientRemote_IP_Address=333.333.333.333 - ourapp.ourdomain 200 0 0 1800 2199 187


      In this case we are seeing a session authenticated to a web server at 111.111.111.111 and having a session ID of ij10gqeemdp5d2rtlfdnc3f4 with a client remote IP address of 222.222.222.222. Some short time later we see the second log entry authenticated to the same server with the same session ID, but with the client remote IP address of 333.333.333.333.


      222.222.222.222 and 333.333.333.333 are in different countries, which is somewhat crazy.


      What I would like to do is set up a rule in the SIEM to alert me to this (same session ID coming from two different IP addresses). Can anyone help me with this please?


      Of course the bigger question is why is this happening, but for starters I'd like to be able to detect it as soon as I can rather than reading about it in the logs later.


      Thanks in advance,


      Gary.

        • 1. Re: How to detect changed source IP for same sessionID in IIS logs?
          Scott Taschler

          In your correlation rule, you would do the following:


          Group by: session ID


          In the rule body you'd have a single AND gate. You'll set the time property here to determine the window you'll watch to look for 2 different IPs. I'd suggest as short a window as possible to be efficient with memory: perhaps 10 minutes?


          Inside the AND gate, you'll want a single filter block, configured to capture IIS events (use Device Type, or perhaps specific Device IDs, if you prefer).  At the bottom of the filter block, you'll configure it to look for multiple distinct source IPs, like so:


          filter.png


          At the end, your rule should look something like this:


          rule.png


          I haven't tested this, but it should get you pretty close.


          Scott
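The correlation logic Scott describes (group by session ID, watch a time window, fire when more than one distinct client IP appears) can be run over raw IIS lines outside the SIEM as well, which is handy for backfilling the question's historical logs and for tuning the window before the rule goes live. The script below is an added example and is not part of the thread or of any SIEM product. It assumes the session ID and client IP are carried in the cookie field exactly as in the sanitised extract above (AuditLogging_sessionId=... and ClientRemote_IP_Address=...), that log lines arrive in ascending time order, and it uses constructed sample lines: the first two mirror the question's entries, the last two are invented here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the shape of the sanitised IIS W3C extract from the question.
# Lines 1-2 mirror the question's two entries (sanitised values kept as posted);
# lines 3-4 are invented here to exercise the time window and a benign second session.
SAMPLE_LOG = """\
2014-09-20 02:22:45 W3SVC1 Servername 111.111.111.111 POST /XXXXXX.Application.Server/WebService/Account/AccountService.asmx - 80 - xxx.xxx.xxx.xxx HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) AuditLogging_requestId=374aa2b1-04f5-4260-8607-8b20b0edce3e;+AuditLogging_MajorStepNumber=2;+AuditLogging_sessionId=ij10gqeemdp5d2rtlfdnc3f4;+ClientRemote_IP_Address=222.222.222.222 - ourapp.ourdomain 200 0 0 1621 2191 187
2014-09-20 02:56:23 W3SVC1 Servername 111.111.111.111 POST /XXXXXX.Application.Server/WebService/Account/AccountService.asmx - 80 - xxx.xxx.xxx.xxx HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) AuditLogging_requestId=d6a4f3ea-1908-4269-bdfc-9f492f6fbb83;+AuditLogging_MajorStepNumber=3;+AuditLogging_sessionId=ij10gqeemdp5d2rtlfdnc3f4;+ClientRemote_IP_Address=333.333.333.333 - ourapp.ourdomain 200 0 0 1800 2199 187
2014-09-20 02:58:10 W3SVC1 Servername 111.111.111.111 POST /XXXXXX.Application.Server/WebService/Account/AccountService.asmx - 80 - xxx.xxx.xxx.xxx HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) AuditLogging_requestId=00000000-0000-4000-8000-000000000001;+AuditLogging_MajorStepNumber=4;+AuditLogging_sessionId=ij10gqeemdp5d2rtlfdnc3f4;+ClientRemote_IP_Address=222.222.222.222 - ourapp.ourdomain 200 0 0 1700 2190 150
2014-09-20 03:00:00 W3SVC1 Servername 111.111.111.111 POST /XXXXXX.Application.Server/WebService/Account/AccountService.asmx - 80 - xxx.xxx.xxx.xxx HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0) AuditLogging_requestId=00000000-0000-4000-8000-000000000002;+AuditLogging_MajorStepNumber=1;+AuditLogging_sessionId=constructedsession000001;+ClientRemote_IP_Address=10.20.30.40 - ourapp.ourdomain 200 0 0 1500 2100 90
"""

# The cookie field is "key=value;+key=value" pairs, so a value ends at ';' or whitespace.
SESSION_RE = re.compile(r"AuditLogging_sessionId=([^;\s]+)")
CLIENT_IP_RE = re.compile(r"ClientRemote_IP_Address=([^;\s]+)")


def parse_line(line):
    """Return (timestamp, session_id, client_ip), or None for comments and lines
    that carry no audit cookie (so they cannot be grouped by session)."""
    if not line or line.startswith("#"):
        return None
    sid = SESSION_RE.search(line)
    ip = CLIENT_IP_RE.search(line)
    if not sid or not ip:
        return None
    # W3C lines start with "date time" in UTC, e.g. "2014-09-20 02:22:45".
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return ts, sid.group(1), ip.group(1)


def find_session_ip_changes(log_text, window=timedelta(minutes=10)):
    """Group events by session ID and alert whenever a request's client IP differs
    from another client IP seen for the same session within `window`.
    Mirrors the rule in the reply: group by session ID, AND gate with a time
    window, filter on multiple distinct source IPs."""
    recent = defaultdict(deque)  # session_id -> deque of (ts, ip) still inside the window
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, sid, ip = parsed
        events = recent[sid]
        # Expire events that fell out of the window (input assumed time-ordered).
        while events and ts - events[0][0] > window:
            events.popleft()
        other_ips = {seen_ip for _, seen_ip in events if seen_ip != ip}
        if other_ips:
            alerts.append({
                "session": sid,
                "time": ts,
                "new_ip": ip,
                "previous_ips": sorted(other_ips),
            })
        events.append((ts, ip))
    return alerts


if __name__ == "__main__":
    for minutes in (10, 60):
        hits = find_session_ip_changes(SAMPLE_LOG, timedelta(minutes=minutes))
        print(f"window={minutes}m: {len(hits)} alert(s)")
        for a in hits:
            print(f"  {a['time']} session={a['session']} new_ip={a['new_ip']} "
                  f"previously={','.join(a['previous_ips'])}")
```

Note the effect of the window on the question's own data: the two posted entries are 33 minutes apart, so a 10-minute window as suggested would not pair them, while a 60-minute window does. Run the script over a day of logs with a few window sizes to see how many alerts each produces before committing to a value in the SIEM rule. If your logs are not strictly time-ordered (several worker processes writing to one file), sort the parsed events by timestamp before feeding them in, otherwise the expiry step can drop events too early.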

          • 2. Re: How to detect changed source IP for same sessionID in IIS logs?
            horse+cart

            Hi Scott,


            Thanks for your reply. I haven't had a chance to implement this yet but I hope to do so early next week. I'll get back to you after I have done so.


            Regards,


            Gary.