Recently one of my clients had one of their servers attacked. The intrusion detection caught it, and I believe a lot of the malicious stuff the attackers were trying was correctly filtered out by ASP.NET as dangerous requests, but in order to understand more about what was (and is) going on, I worked with two tools to look at the situation a little deeper.
First, I wanted to look at the live requests coming to the server and see the payloads they contained. To do this, I installed Wireshark on the server and started to capture traffic.
Wireshark has two types of filters: capture filters and display filters. On the capture side, you can really cut down on the noise if you filter out the stuff you don't care about, so I used a capture filter of tcp port 80 or tcp port 443
Then, while the capture is running, you can type in a display filter to tell whether the specific type of request you are interested in is showing up in the current trace. In this case I was only interested in HTTP POSTs, so I could use the filter http.request.method == "POST"
This way you can let the trace run until you see records start to come through that match both filters.
The other thing I wanted to do was to look at the log files to see how the traffic to the site changed over time. To do this I installed MS Log Parser and Log Parser Lizard. Together they give you a nice UI and let you run SQL queries against the log data. As you can see below, the requests/attacks started at 5:52.
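The same "when did the traffic change" question can be answered without the GUI. The following is an added example (not code from the original post or from Log Parser): it parses a small constructed IIS W3C log, buckets requests per minute, and reports the first minute where POSTs spike, which is the view the Log Parser query gives you. The log lines, the IP addresses and the threshold of 3 POSTs per minute are all constructed for the example.

```python
from collections import Counter

# Constructed sample in IIS W3C extended log format (not from the original post);
# the 500s on the POSTs mimic ASP.NET rejecting a "potentially dangerous" request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-03-01 05:50:12 10.0.0.5 GET /default.aspx - 80 - 192.0.2.10 Mozilla/5.0 200 0 0 31
2012-03-01 05:51:03 10.0.0.5 GET /products.aspx id=7 80 - 192.0.2.11 Mozilla/5.0 200 0 0 15
2012-03-01 05:52:01 10.0.0.5 POST /login.aspx - 80 - 198.51.100.7 python-requests/2.0 500 0 0 3
2012-03-01 05:52:02 10.0.0.5 POST /login.aspx - 80 - 198.51.100.7 python-requests/2.0 500 0 0 2
2012-03-01 05:52:02 10.0.0.5 POST /search.aspx - 80 - 198.51.100.7 python-requests/2.0 500 0 0 2
2012-03-01 05:52:05 10.0.0.5 POST /search.aspx - 80 - 198.51.100.7 python-requests/2.0 500 0 0 4
2012-03-01 05:53:10 10.0.0.5 GET /default.aspx - 80 - 192.0.2.12 Mozilla/5.0 200 0 0 20
"""

def parse_w3c(text):
    """Yield one dict per request; column names come from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other directives, blank lines, or data before any #Fields
        else:
            yield dict(zip(fields, line.split()))

def requests_per_minute(text, method=None):
    """Count requests per minute, optionally restricted to one cs-method.

    Equivalent in spirit to a Log Parser query such as
      SELECT QUANTIZE(TO_TIMESTAMP(date, time), 60) AS minute, COUNT(*)
      FROM ex*.log WHERE cs-method = 'POST' GROUP BY minute
    (written from memory of Log Parser 2.2, not taken from the post).
    """
    counts = Counter()
    for r in parse_w3c(text):
        if method is None or r["cs-method"] == method:
            counts[r["date"] + " " + r["time"][:5]] += 1
    return counts

def first_spike(text, method="POST", threshold=3):
    """Return the first minute with at least `threshold` requests of `method`, else None."""
    per_minute = requests_per_minute(text, method)
    return next((m for m in sorted(per_minute) if per_minute[m] >= threshold), None)
```

Point parse_w3c at the real log directory and compare the POST-per-minute series against a normal day to pick a threshold that fits the site.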