Juan T. Llibre shared this with us in
microsoft.public.dotnet.framework.aspnet:
re:
That's exactly my point.
They seem to occur more often with Perl than with other languages.
I'm not a security expert, so I won't argue with you on that.
You could be right or it could be your perception.
It's my own impression that most security problems are in software
written in some version of C. But then again, with C you can shoot
yourself in the foot and then no one else can figure out what you did,
and with Perl you separate the bullet from the gun with a
hyperoptimized regexp, and then you transport it to your foot using an
array of arrays of arrays. However, the program fails to run and you
can't correct it since you don't understand what the heck it is you've
written. ;-)
re:
Do you know of an unfixed IIS vulnerability ?
Currently: no. Not yet. There have been times that a vulnerability
remained unfixed for weeks or months. I can look it up if you want, but
so can you. Google is your friend.
re:
Up until IIS 6, that statement might have been valid.
I totally agree with you. That is why you should read again:
<quote>
IIS has been demonstrated to be a security risk in many ***PREVIOUS***
versions and I don't want to be the booby who proves that the (current)
version of IIS (6) (...) is a security risk, too.
</quote>
Please read this:
http://www.eweek.com/article2/0,1759,1240915,00.asp
It is about IIS 5. With such a bad history, one should always be
careful.
re:
IIS 6 is the most secure web server on the market out-of-the-box.
I totally agree with you that IIS 6 is the most secure web server of
all IIS versions. IIS 6 even has less security advisories than its
largest competitor, Apache 1.3.x.
But this tells you nothing about the severity of a problem. It could
also mean that people are actually looking at the code and finding
bugs, whereas the bugs in IIS are left to be exploited at a later date.
It is also unknown how many security bugs each IIS update fixes since
the public does not have access to the code. The number of security
updates is a double-edged sword.
Let's not forget that Apache is an open source project with many
eyeballs on the code (I'm not saying that there aren't many MS eyeballs
on IIS's code). I would expect a large proportion of those
vulnerabilities to have been discovered by looking through the code
rather than by other nefarious means. However, for a third party to
discover a vulnerability in IIS they would have to have done it blind -
this is often orders of magnitude harder.
re:
I was one of the early adopters of Perl for Windows.
I dropped it because I can currently do anything I need to do in a
web application without needing to introduce an unnecessary complexity
level with Perl, which also introduces additional, unneeded, security
concerns.
Good for you!
You should always use the tools that best fit the purpose. If you can
do it better/faster in VB.NET or C#, please do!