IIS parser: add support for IPv6 addresses with zone index
pyllyukko commented
Problem
Plaso's IIS parser is unable to cope with IPv6 addresses with zone index (e.g. %3
suffix). pyparsing's common.ipv6_address doesn't seem to take this into account.
To Reproduce
- Plaso version: 20240826 (via Docker)
- OS: Debian 12
To reproduce you can try to parse the following log line with Plaso:
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-08-07 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-01-01 00:01:24 fe80::1ff:fe23:4567:890a%3 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.4467 444 random\ranuser1 ::1 Microsoft+WinRM+Client - 200 0 0 15
The method used to install Plaso: Docker
Expected behavior
Plaso should be able to parse log lines that have IPv6 addresses with zone index.
Observed behavior
Plaso produces an extraction warning with "unable to parse log line":
******************* Extraction warnings generated per parser *******************
Parser (plugin) name : Number of warnings
--------------------------------------------------------------------------------
text/winiis : 1
--------------------------------------------------------------------------------
************** Path specifications with most extraction warnings ***************
Number of warnings : Pathspec
--------------------------------------------------------------------------------
1 : type: OS, location: /data/evidences/iis10_edge_cases.log
--------------------------------------------------------------------------------
**************************** Extraction warning: 0 *****************************
Message : unable to parse log line: 5 "2022-01-01 00:01:24
fe80::1ff:fe23:4567:890a%3 POST /powershell
clientApplica..."
Parser chain : text/winiis
Path specification : type: OS, location: /data/evidences/iis10_edge_cases.log
--------------------------------------------------------------------------------
Additional context
Related issue: Unable to parse MS Exchange IIS 10 log lines #4566
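An added example, not part of the original issue and not Plaso's or pyparsing's code: one way to accept an IPv6 address with a zone index when reading an IIS W3C log, using only the Python standard library. It splits the `%` suffix off before validating the address, and the function names, the `-zone` keys and the zone character set are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: a zone index is an interface number or name (letters, digits, "_", ".", "-").
ZONE_RE = re.compile(r"[0-9A-Za-z_.\-]+")
IP_FIELDS = ("s-ip", "c-ip")

# The log from the issue above; a raw string keeps the backslash in cs-username.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-08-07 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-01-01 00:01:24 fe80::1ff:fe23:4567:890a%3 POST /powershell clientApplication=ActiveMonitor;PSVersion=5.1.14393.4467 444 random\ranuser1 ::1 Microsoft+WinRM+Client - 200 0 0 15
"""


def split_zone(text):
    """Return (ip_address object, zone or None); raise ValueError if malformed."""
    address, separator, zone = text.partition("%")
    parsed = ipaddress.ip_address(address)
    if not separator:
        return parsed, None
    # A zone index is only meaningful on IPv6 and must not be empty.
    if parsed.version != 6 or not ZONE_RE.fullmatch(zone):
        raise ValueError(f"invalid zone index in {text!r}")
    return parsed, zone


def parse_iis_lines(lines):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, records = [], []
    for number, line in enumerate(lines, start=1):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"line {number}: expected {len(fields)} fields")
        record = dict(zip(fields, values))
        for name in IP_FIELDS:
            if record.get(name, "-") != "-":
                address, zone = split_zone(record[name])
                record[name], record[name + "-zone"] = str(address), zone
        records.append(record)
    return records


if __name__ == "__main__":
    for record in parse_iis_lines(SAMPLE_LOG.splitlines()):
        print(record["s-ip"], record["s-ip-zone"], record["c-ip"])
```

Keeping the zone as a separate value means the address itself still compares equal to the same link-local address logged without a suffix.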