# LCE PRM LIBRARY
# Copyright 2004-2014 Tenable Network Security
# This library may only be used with the LCE server and may not
# be used with other products or open source projects
#
# NAME:
# Apache library
#
# DESCRIPTION:
#
# These signatures look for a variety of events occurring in the
# accesslog, errorlog, ssl_log and ssl_error log files. They can
# be used by a LCE server receiving SYSLOG messages from an
# apache web server, or can be used by a LCE Client operating
# directly on the web logs.
#
# LAST UPDATE: $Date$
#
# Layout: one directive per line; rules are separated by NEXT.
# NOTE(review): the short match= fragments (ent, rr, ecu, ...) look like
# prefilter substrings of the longer literal in the same rule; presumably
# every match= must be present in the line before regex= runs -- confirm
# against the LCE PRM reference.

# mod_security error-log rules. srcip is the address captured from
# "client a.b.c.d]" by regex=.
# NOTE(review): id=2800 only fires on the literal "Access denied with code 200.";
# denials logged with any other code are not normalized by this rule.
id=2800
name=This Apache webserver denied access.
match=ent
match=client
match=ed
match=enied
match=rr
match= [error] [client
match=ecu
match=ce
match=ty
match=ss
match=] mod_security: Access denied with code 200.
match=200
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Access_Denied srcip:$1 proto:6

NEXT

id=2801
name=This Apache webserver encountered an invalid character.
match=ent
match=client
match=rr
match= [error] [client
match=ecu
match=ar
match=ed
match=ty
match=] mod_security: Invalid character detected [
match=ect
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Invalid_Characters srcip:$1 proto:6

NEXT

id=2802
name=This Apache webserver has paused a script for a determinant amount of time.
match=ent
match=client
match=rr
match= [error] [client
match=ecu
match=ing
match=ty
match= mod_security: pausing [
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Pausing_Potential_Scanner srcip:$1 proto:6

NEXT

id=2803
name=This Apache webserver has refused a connection.
match=ent
match=client
match=rr
match= [error] [client
match=ion
match=ed
match=)Connection refused: proxy connect to
match=ect
match=onnect
match=onnection
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Refused_Proxy_Attempt srcip:$1 proto:6

NEXT

id=2804
name=This Apache webserver had issued a warning based off of a known-bad-pattern match.
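match=ent
match=client
match=rr
match= [error] [client
match=ar
match=arn
match=ecu
match=ing
match=ty
match= mod_security: Warning. Pattern match "
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Known_Web_probe srcip:$1 proto:6

NEXT

# Core Apache error-log rules; srcip comes from "client a.b.c.d]".
id=2805
name=This Apache webserver has had an invalid method.
match=ent
match=client
match=rr
match= [error] [client
match=est
match=] Invalid method in request
match=request
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Invalid_Method srcip:$1 proto:6

NEXT

# id=2806 has no regex= line, so there is no capture group for $1 to refer
# to, and the matched "[warn] Init:" text carries no [client ...] field.
# srcip:$1 was therefore dropped from log=; the other rules in this library
# that have no regex= likewise emit no srcip.
id=2806
name=This Apache webserver's SSL Engine has an RSA certificate which does not match the server name.
match=ar
match=arn
match=warn
match=] [warn] Init: (
match=ser
match=) RSA server
match=ate
match=ce
match=certificate
match=CommonName (CN) `
match=mon
log=type:web-error event:Apache-Bad_RSA_Certificate proto:6 dstport:443

NEXT

id=2807
name=This Apache webserver encountered a request to index a directory which was forbidden.
match=ent
match=client
match=rr
match= [error] [client
match=ire
match=Directory
match=] Directory index forbidden
match=de
match=re
match=or
match=in
match=ex
match=to
match=Dir
match=ect
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Directory_Index_Forbidden srcip:$1 proto:6

NEXT

# The leading "!" entry excludes lines containing "ModSecurity" from this rule.
id=2808
name=This Apache webserver encountered an invalid URI request.
match=!ModSecurity
match=ent
match=client
match=rr
match= [error] [client
match=est
match=] Invalid URI in request
match=request
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Invalid_URI srcip:$1 proto:6

NEXT

id=2809
name=This Apache webserver encountered an invalid URI request which was to large.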
match=ent
match=client
match=rr
match= [error] [client
match=ail
match=est
match=lo
match=le
match=ed
match=] request failed: URI too long
match=request
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-URI_To_Long srcip:$1 proto:6

NEXT

# Access-log rule: the address is anchored at the start of the line and the
# status is pinned by the literal '" 404'.
id=2810
name=This Apache webserver had a request for an invalid or non-existent CGI script.
match=TP
match=HTTP
match=] "GET /cgi-bin/
match=GET
match= HTTP/1.
match=" 404
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9]
log=type:web-error event:Apache-GET_CGI_Request_PageNotFound srcip:$1 proto:6

NEXT

# NOTE(review): name= and event describe a refused proxy attempt, while the
# matched literal is the generic "erroneous characters after protocol string"
# failure -- confirm the description is the intended one.
id=2811
name=This Apache webserver refused a proxy attempt.
match=ent
match=client
match=rr
match= [error] [client
match=ail
match=est
match=ol
match=ing
match=ar
match=le
match=ed
match=] request failed: erroneous characters after protocol string:
match=request
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\] request
log=type:web-error event:Apache-Proxy_Request_Failed srcip:$1 proto:6

NEXT

id=2813
name=This Apache webserver could not find a request script. This may indicate a web probe.
match=ent
match=rr
match= [error] [client
match=client
match=sta
match=le
match=pt
match=] script not found or unable to stat: /
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Script_Not_Found srcip:$1 proto:6

NEXT

# NOTE(review): from here the regex is no longer anchored on "client ...]";
# it captures the first dotted quad anywhere in the line. If the line is
# relayed with an address in a syslog header, srcip may be that address
# rather than the web client -- confirm against the deployed log path.
id=2814
name=This Apache webserver encountered an undefined variable in a PHP script.
match=ent
match=[client
match=client
match=PHP
match=ar
match=ce
match=le
match=ed
match=] PHP Notice: Undefined variable:
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-PHP_Undefined_Var srcip:$1 proto:6 type:web-error

NEXT

id=2817
name=This Apache webserver encountered an undefined PHP constant.
match=ent
match=client
match=PHP
match=[client
match=sta
match=ce
match=ed
match=] PHP Notice: Use of undefined constant
match=an
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-PHP_Undefined_Constant srcip:$1 proto:6 type:web-error

NEXT

# PHP notices and warnings written to the Apache error log.
# NOTE(review): regex= takes the first dotted quad in the line; the "[client"
# literal only proves that a client field exists, not that the capture is it.
id=2818
name=This Apache webserver encountered an undefined PHP programming offset.
match=ent
match=client
match=PHP
match=[client
match=ce
match=ed
match=] PHP Notice: Undefined offset
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-PHP_Undefined_Offset srcip:$1 proto:6 type:web-error

NEXT

id=2819
name=This Apache webserver encountered an attempt to upload a file larger than what was allowed by policy.
match=ent
match=client
match=PHP
match=ize
match=[client
match=ar
match=arn
match=lo
match=ing
match=le
match=] PHP Warning: upload_max_filesize of
match=ce
match=ed
match=bytes exceeded - file [
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-PHP_Upload_Max_Filesize_Exceeded srcip:$1 proto:6 type:web-error

###
# NOTE: - ID 2820 is the start of the sql_postgres.prm ID numbering
###

NEXT

id=12820
name=This Apache webserver had a PHP fread() warning. This can indicate a programming error, but can also indicate that web application probes are occurring on your server.
match=ent
match=client
match=PHP
match=[client
match=ar
match=arn
match=ing
match=] PHP Warning: fread():
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-PHP_fread_Warning srcip:$1 proto:6 type:web-error

NEXT

id=12821
name=This Apache webserver has had an issue with its Server Side Include configuration.
match=ent
match=client
match=rem
match=ar
match=arn
match= [warn] [client
match=CL
match=ion
match=ed
match=pt
match=mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
match=IN
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-SSI_Config_Warning srcip:$1 proto:6 type:web-error

NEXT

id=12822
name=This Apache webserver was not able to find an requested PHP script. This may indicate one or more web probes.
match=ent
match=client
match=le
match=nable
match=[client
match=pt
match=] script '
match=sta
match=' not found or unable to stat
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Script_Not_Found srcip:$1 proto:6 type:web-error

NEXT

# NOTE(review): name= speaks of an "index request", but the matched literal
# is the PHP notice "Undefined index:" (an array-key notice), which is also
# what the event name says.
id=12823
name=This Apache webserver was not able to fulfill an index request.
match=ent
match=client
match=PHP
match=[client
match=ce
match=ed
match=] PHP Notice: Undefined index:
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-PHP_Undefined_Index srcip:$1 proto:6 type:web-error

NEXT

id=12824
name=This Apache webserver was not able to invoke a directory as a script.
match=ent
match=rr
match= [error] [client
match=error
match=client
match=tem
match=ire
match=pt
match=] attempt to invoke directory as script:
match=ect
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Attempt_To_Invoke_Directory_As_Script srcip:$1 proto:6 type:web-error

NEXT

# id=12825 and id=12827 share one name= text but emit different events
# (server-configuration denial vs. filesystem permission denial).
id=12825
name=This Apache webserver denied access based on configured parameters.
match=ent
match=rr
match= [error] [client
match=error
match=client
match=ser
match=ion
match=ed
match=] client denied by server configuration: /
match=onfiguration
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Client_Denied_By_Server srcip:$1 proto:6 type:web-error

NEXT

id=12827
name=This Apache webserver denied access based on configured parameters.
match=ent
match=rr
match= [error] [client
match=error
match=client
match=ion
match=ce
match=ed
match=ss
match=)Permission denied: access to /
match=acc
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Permission_Denied srcip:$1 proto:6 type:web-error

NEXT

id=12828
name=This Apache webserver encountered a premature end to a script. This can indicate a programming error.
match=ent
match=rr
match= [error] [client
match=client
match=error
match=rem
match=pt
match=] Premature end of script headers:
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Premature_End_Of_Script srcip:$1 proto:6 type:web-error

NEXT

id=12829
name=This Apache webserver encountered a request for a file it does not have access to. This may be a configuration issue, or a web probe which has been denied.
match=ent
match=rr
match= [error] [client
match=error
match=client
match=ire
match=ce
match=le
match=ty
match=ss
match=)No such file or directory: cannot access type map file:
match=ect
match=acc
match=an
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-No_Such_File_Or_Directory srcip:$1 proto:6 type:web-error

NEXT

id=12830
name=This Apache webserver encountered a malformed host header.
match=ent
match=client
match=rr
match=error
match= [error] [client
match=ed
match=] Client sent malformed Host header
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Malformed_Host_Header srcip:$1 proto:6 type:web-error

NEXT

# The next three rules match script-interpreter diagnostics relayed through
# the error log; id=12831 and id=12832 carry the same name= text.
id=12831
name=This Apache webserver has a misconfiguration.
match=ent
match=rr
match= [error] [client
match=client
match=error
match=ing
match=ed
match=] Unquoted string "
match=ser
match=" may clash with future reserved word
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Script_With_Unquoted_String srcip:$1 proto:6 type:web-error

NEXT

id=12832
name=This Apache webserver has a misconfiguration.
match=le
match=ss
match=ossible
match=ent
match=rr
match= [error] [client
match=client
match=error
match=ce
match=ed
match=ty
match=" used only once: possible typo at /
match=] Name "
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Possible_Script_Typo srcip:$1 proto:6 type:web-error

NEXT

id=12833
name=This Apache webserver encountered a programming error.
match=ent
match=rr
match= [error] [client
match=[client
match=client
match=error
match=lo
match=le
match=ed
match=] print() on closed filehandle WH at /
match=an
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Closed_Script_Filehandle srcip:$1 proto:6 type:web-error

NEXT

id=12834
name=This Apache webserver has received an SSLv2 request.
match=TP
match=HTTP
match= HTTP/1
match= SSLv2 DES-CBC3-MD5 "
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-DES_MD5_Connection srcip:$1 type:web-access

NEXT

# SSL request-log rules: one event per negotiated protocol/cipher literal.
# These are emitted as type:web-access, so SSLv2 and RC4-MD5 negotiations
# surface only if something downstream keys on the event names.
id=12835
name=This Apache webserver has received an TLSv1 or SSLv3 request.
match=TP
match=HTTP
match=HTTP/1
match= DHE-RSA-
match=256
match=-SHA
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-DHE_RSA_Connection srcip:$1 type:web-access

NEXT

id=12836
name=This Apache webserver has received an RC4-MD5 request.
match=TP
match=HTTP
match= HTTP/1
match= RC4-MD5 "
regex=([0-9]+(\.[0-9]+){3}) .* RC4-MD5
log=event:Apache-MD5_Connection srcip:$1 type:web-access

NEXT

id=12837
name=This Apache webserver has received an TLSv1 request.
match=TP
match=HTTP
match= HTTP/1
match= TLSv1 AES128-SHA "
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-AES_SHA_Connection srcip:$1 type:web-access

NEXT

# NOTE(review): groups 2 and 3 are taken from ":a.b.c.d:port" text that
# follows the [client ...] field, presumably part of the echoed request;
# if so, dstip/dstport are client-supplied values -- confirm before
# correlating on them.
id=12839
name=This Apache webserver has received erroneous characters after the protocol string.
match=TP
match=HTTP
match= HTTP/1.
match= GET /
match=GET
match=rr
match=[error]
match=error
match=ail
match=le
match=ed
match=ailed
match=est
match=ol
match=ing
match=ar
match= request failed: erroneous characters after protocol string:
match=request
regex=.*\[client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\] .*\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=type:web-error event:Apache-Erroneous_Characters_After_Protocol srcip:$1 dstip:$2 dstport:$3

NEXT

# The two "httpd: PHP ..." rules have no regex=, so their events carry no
# source address.
id=12841
name=This Apache webserver encountered an undefined index in a PHP script.
match=PHP
match=tp
match=httpd
match=ce
match=ed
match=httpd: PHP Notice: Undefined index
log=event:Apache-PHP_Undefined_Index proto:6 type:web-error

NEXT

id=12842
name=This Apache webserver encountered an illegal offset type.
match=PHP
match=tp
match=httpd
match=ar
match=arn
match=ing
match=le
match=ty
match=httpd: PHP Warning: Illegal offset type in
log=event:Apache-PHP_Illegal_Offset proto:6 type:web-error

NEXT

id=12843
name=This Apache webserver denied access to a remote user who attempted to execute a command.
match=ent
match=client
match=rr
match=error
match= [error] [client
match=ion
match=ed
match=ss
match=Permission denied:
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Permission_Denied srcip:$1 proto:6

NEXT

# Syslog-relayed "httpd[pid]: [error] ALERT - ..." lines. Group 1 is the
# token before "httpd[" (logged as sensor) and group 2 is the address that
# follows "(attacker" in the alert text (logged as srcip).
id=12844
name=The Apache webserver has dropped a variable due to null characters not allowed withing request.
match=tp
match=httpd[
match=rr
match=[error]
match=httpd
match=error
match=est
match=lo
match=ar
match=le
match=ed
match=ALERT - ASCII-NUL chars not allowed within request variables
match=RT
match=ER
match=AL
match=request
match=dropped variable
match=pp
regex=([a-zA-Z0-9&_\.-]+) httpd\[.*\]: \[error\] ALERT - ASCII-NUL .*\(attacker .([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Apache-Alert_ASCII_NUL sensor:$1 srcip:$2 type:web-error

NEXT

id=12845
name=The Apache webserver has issued an alert for the registration of a forbidden variable.
match=tp
match=httpd[
match=rr
match=[error]
match=httpd
match=error
match=ar
match=le
match=ed
match=ALERT - tried to register forbidden variable
match=RT
match=ER
match=AL
match=through COOKIE variables
match=CO
regex=([a-zA-Z0-9&_\.-]+) httpd\[.*\]: \[error\] ALERT - tried to register forbidden variable .*\(attacker .([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Apache-Alert_Forbidden_Variable sensor:$1 srcip:$2 type:web-error

NEXT

id=12846
name=The Apache has a file not found error.
match=tp
match=httpd[
match=rr
match=[error]
match=httpd
match=error
match=le
match=File does not exist:
regex=([a-zA-Z0-9&_\.-]+) httpd\[.*\]: \[error\] \[client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=event:Apache-Error_File_Not_Found sensor:$1 srcip:$2 type:web-error

NEXT

id=12847
name=The Apache web server encountered a valid web query which returned a valid code in the 200 range.
match=TP
match=HTTP
match= - [
match=] "GET
match=GET
match= HTTP/1.
match=" 2
match=!.asp
match=!.avi
match=!.bmp
match=!.cgi
match=!.doc
match=!.gif
match=!.exe
match=!.flv
match=!gz
match=!.htm
match=!.java
match=!.jpeg
match=!.jpg
match=!.js
match=!.mpg
match=!.mpeg
match=!.mpa
match=!.m4a
match=!.mp3
match=!.mp4
match=!.mov
match=!.pdf
match=!.php
match=!.pkg
match=!.png
match=!.pps
match=!.ppt
match=!.ra
match=!.ram
match=!.rar
match=!.rpm
match=!.rtf
match=!.rm
match=!.rss
match=!.swf
match=!.tar
match=!.txt
match=!.wav
match=!.wma
match=!.wmv
match=!.xls
match=!.xml
match=!.zip
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* 2[0-9][0-9]
log=event:Apache-Valid_Web_GET_Request srcip:$1 type:web-access

# NOTE(review): the GET exclusion list ending above has no "!.css" entry,
# while the POST list below does -- confirm which is intended.
# NOTE(review): "!gz" has no leading dot in either list, so any line that
# contains "gz" anywhere is excluded from these generic events.
# The "!" entries are substring tests, so an extension string appearing
# anywhere in the logged line excludes it, not only one ending the request
# path.

NEXT

id=12848
name=The Apache web server encountered a valid web post which returned a valid code in the 200 range.
match=TP
match=HTTP
match= - [
match=] "POST
match=ST
match=POST
match= HTTP/1.
match=" 2
match=!.asp
match=!.avi
match=!.bmp
match=!.cgi
match=!.css
match=!.doc
match=!.gif
match=!.exe
match=!.flv
match=!gz
match=!.htm
match=!.java
match=!.jpeg
match=!.jpg
match=!.js
match=!.mpg
match=!.mpeg
match=!.mpa
match=!.m4a
match=!.mp3
match=!.mp4
match=!.mov
match=!.pdf
match=!.php
match=!.pkg
match=!.png
match=!.pps
match=!.ppt
match=!.ra
match=!.ram
match=!.rar
match=!.rpm
match=!.rtf
match=!.rm
match=!.rss
match=!.swf
match=!.tar
match=!.txt
match=!.wav
match=!.wma
match=!.wmv
match=!.xls
match=!.xml
match=!.zip
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* 2[0-9][0-9]
log=event:Apache-Valid_Web_POST_Request srcip:$1 type:web-access

NEXT

id=12849
name=The Apache web server encountered a valid web query which returned a valid code in the 300 range which resulted in a client redirection.
match=TP
match=HTTP
match= - [
match=] "GET
match=GET
match= HTTP/1.
match=" 3
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* 3[0-9][0-9]
log=type:web-access event:Apache-GET_Redirect srcip:$1 proto:6

NEXT

# Status-class rules for access-log lines containing " - [".
# The status class is pinned by the literal match (" 3, " 4, " 5); the
# trailing " N[0-9][0-9]" in regex= is not tied to the status field and can
# also be satisfied by another numeric field later in the line.
# NOTE(review): only GET and POST request lines are matched here; requests
# using any other method are not normalized by these rules.
id=12850
name=The Apache web server encountered a valid web post which returned a valid code in the 300 range which resulted in a client redirection.
match=TP
match=HTTP
match= - [
match=] "POST
match=POST
match=ST
match= HTTP/1.
match=" 3
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* 3[0-9][0-9]
log=type:web-access event:Apache-POST_Redirect srcip:$1 proto:6

NEXT

# "!cgi-bin" keeps /cgi-bin/ lines out of this generic 4xx GET event; the
# POST counterpart below has no such exclusion.
id=12851
name=The Apache web server encountered an invalid web request which returned an Apache error code in the 400 range.
match=TP
match=HTTP
match= - [
match=] "GET
match=GET
match= HTTP/1.
match=" 4
match=!cgi-bin
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* 4[0-9][0-9]
log=type:web-error event:Apache-GET_Client_Request_Error srcip:$1 proto:6

NEXT

id=12852
name=The Apache web server encountered an invalid web post which returned an Apache error code in the 400 range.
match=TP
match=HTTP
match= - [
match=] "POST
match=POST
match=ST
match= HTTP/1.
match=" 4
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* 4[0-9][0-9]
log=type:web-error event:Apache-POST_Client_Request_Error srcip:$1 proto:6

NEXT

id=12853
name=The Apache web server encountered an invalid web request which returned an Apache error code in the 500 range.
match=TP
match=HTTP
match= - [
match=] "GET
match=GET
match= HTTP/1.
match=" 5
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* 5[0-9][0-9]
log=type:web-error event:Apache-GET_Server_Error srcip:$1 proto:6

NEXT

id=12854
name=The Apache web server encountered an invalid web post which returned an Apache error code in the 500 range.
match=TP
match=HTTP
match= - [
match=] "POST
match=POST
match=ST
match= HTTP/1.
match=" 5
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* 5[0-9][0-9]
log=type:web-error event:Apache-POST_Server_Error srcip:$1 proto:6

NEXT

id=12855
name=The Apache web server encountered a file name which was too long.
match=rr
match=[error]
match=ent
match=[client
match=error
match=client
match=lo
match=le
match=File name too long:
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:web-error event:Apache-File_Name_Too_Long srcip:$1 proto:6

NEXT

# Access-log rules for lines that do NOT contain " - - [". They reuse the
# status-class event names and add user:$2.
# NOTE(review): group 2 is the field immediately after the client address.
# With the stock common/combined LogFormat (%h %l %u %t) that field is the
# identd value, not the authenticated user, so user: would normally be "-"
# -- confirm against the LogFormat in use.
# NOTE(review): the field width is {1,12} in every rule here except
# id=12857 ({1,32}); longer values do not match the 12-character rules.
id=12856
name=The Apache web server encountered a valid web query which returned a valid code in the 200 range.
match=! - - [
match=] "GET
match=GET
match=TP
match=HTTP
match= HTTP/1.
match=" 2
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([^ ]{1,12}) .* \[[0-9].* 2[0-9][0-9]
log=event:Apache-Valid_Web_GET_Request srcip:$1 type:web-access user:$2

NEXT

id=12857
name=The Apache web server encountered a valid web post which returned a valid code in the 200 range.
match=! - - [
match=] "POST
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match=" 2
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([^ ]{1,32}) .* \[[0-9].* 2[0-9][0-9]
log=event:Apache-Valid_Web_POST_Request srcip:$1 type:web-access user:$2

NEXT

id=12858
name=The Apache web server encountered a valid web query which returned a valid code in the 300 range which resulted in a client redirection.
match=! - - [
match=] "GET
match=GET
match=TP
match= HTTP/1.
match=HTTP
match=" 3
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([^ ]{1,12}) .* \[[0-9].* 3[0-9][0-9]
log=type:web-access event:Apache-GET_Redirect srcip:$1 proto:6 user:$2

NEXT

id=12859
name=The Apache web server encountered a valid web post which returned a valid code in the 300 range which resulted in a client redirection.
match=! - - [
match=] "POST
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match=" 3
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([^ ]{1,12}) .* \[[0-9].* 3[0-9][0-9]
log=type:web-access event:Apache-POST_Redirect srcip:$1 proto:6 user:$2

NEXT

id=12860
name=The Apache web server encountered an invalid web request which returned an Apache error code in the 400 range.
match=! - - [
match=] "GET
match=GET
match=TP
match= HTTP/1.
match=HTTP
match=" 4
match=!cgi-bin
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([^ ]{1,12}) .* \[[0-9].* 4[0-9][0-9]
log=type:web-error event:Apache-GET_Client_Request_Error srcip:$1 proto:6 user:$2

NEXT

# 4xx/5xx rules for lines without " - - [".
# NOTE(review): user:$2 is the field directly after the client address; in
# the stock common/combined LogFormat that is the identd field rather than
# the authenticated user -- confirm against the LogFormat in use.
id=12861
name=The Apache web server encountered an invalid web post which returned an Apache error code in the 400 range.
match=! - - [
match=] "POST
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match=" 4
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([^ ]{1,12}) .* \[[0-9].* 4[0-9][0-9]
log=type:web-error event:Apache-POST_Client_Request_Error srcip:$1 proto:6 user:$2

NEXT

id=12862
name=The Apache web server encountered an invalid web request which returned an Apache error code in the 500 range.
match=! - - [
match=] "GET
match=GET
match=TP
match= HTTP/1.
match=HTTP
match=" 5
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([^ ]{1,12}) .* \[[0-9].* 5[0-9][0-9]
log=type:web-error event:Apache-GET_Server_Error srcip:$1 proto:6 user:$2

NEXT

id=12863
name=The Apache web server encountered an invalid web post which returned an Apache error code in the 500 range.
match=! - - [
match=] "POST
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match=" 5
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([^ ]{1,12}) .* \[[0-9].* 5[0-9][0-9]
log=type:web-error event:Apache-POST_Server_Error srcip:$1 proto:6 user:$2

NEXT

# Server lifecycle message: no regex=, so the event carries no address.
id=12864
name=The Apache web server has resumed normal operations.
match=ch
match=ic
match=ce
match=ti
match=ur
match=ma
match=er
match=gu
match=ac
match=ion
match=rm
match=not
match=op
match=config
match=Apache
match=configured -- resuming normal operations
log=type:application event:Apache-Web_Server_Resuming

NEXT

id=12865
name=This Apache webserver has received an TLS or SSL Diffie-Hellman Export cipher request.
match=TP
match=HTTP
match=HTTP/1
match= EXP-
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) [TSL]{3}v[.0-9]+ EXP-(?:DHE?|[AE]DH)-
log=event:Apache-DH_Export_Connection srcip:$1 type:web-access

NEXT

# Content-type rules: a 2xx GET or POST whose logged line contains the
# extension literal.
# NOTE(review): the extension is a substring test over the whole line, so
# the literal may sit in a query string or another logged field rather than
# at the end of the request path. If rules are tried in file order, a line
# carrying several of these literals is classified by the earliest rule --
# confirm the evaluation order before relying on these event names.
id=12866
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a web page rendered by a Microsoft Active Server Pages application.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.asp
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Content_ASP_Request srcip:$1

NEXT

id=12867
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an AVI video file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.avi
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Video_AVI_Request srcip:$1

NEXT

id=12868
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an BMP image file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.bmp
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Image_BMP_Request srcip:$1

NEXT

id=12869
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a web site rendered by a CGI form.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.cgi
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Content_CGI_Request srcip:$1

NEXT

id=12870
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a web site's cascading style sheet file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=ss
match=.css
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Content_CSS_Request srcip:$1

# id=12871 available

NEXT

# ".doc" is a substring literal, so it also covers ".docx", as name= says.
id=12872
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Microsoft Word .doc or .docx file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.doc
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Office_DOC_DOCX_Request srcip:$1

# id=12873 available available

NEXT

id=12874
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a GIF image.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.gif
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Image_GIF_Request srcip:$1

NEXT

# This event records that a 2xx response line contained ".exe"; the literal
# is a substring of the logged line, not proof of what was served.
id=12875
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Windows executable file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.exe
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Executable_EXE_Request srcip:$1

NEXT

id=12876
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a flash video file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.flv
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Video_FLV_Request srcip:$1

NEXT

id=12877
name=This Apache web server has detected a system browsing the network via HTTP with a web request for file compressed by the Gnu Zip program.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.gz
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-File_GZ_Request srcip:$1

NEXT

# Content-type rules continue: a 2xx GET or POST line containing the
# extension literal. ".htm" is a substring and therefore also covers ".html".
id=12878
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an HTML file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.htm
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Content_HTM_HTML_Request srcip:$1

NEXT

id=12880
name=This Apache web server has detected a system browsing the network via HTTP with a web request for Java source code. This code may have been executed by the browser.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.java
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Executable_JAVA_Request srcip:$1

NEXT

id=12881
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a .jpeg image file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.jpeg
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Image_JPEG_Request srcip:$1

NEXT

id=12882
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a .jpg image file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.jpg
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Image_JPG_Request srcip:$1

NEXT

id=12883
name=This Apache web server has detected a system browsing the network via HTTP with a web request for javascript code. This code was likely executed on the downloading web browser.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.js
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Executable_JS_Request srcip:$1

# NOTE(review): ".js" in the rule ending above is a substring literal, so
# longer extensions that begin with ".js" satisfy it as well.

NEXT

# Audio/video content rules: a 2xx GET or POST line containing the literal.
id=12884
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an MPEG video with a .mpg extension.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.mpg
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Video_MPG_Request srcip:$1

NEXT

id=12885
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an MPEG video with a .mpeg extension.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.mpeg
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Video_MPEG_Request srcip:$1

NEXT

id=12886
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an MPEG-2 audio file with a .mpa extension.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.mpa
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Audio_MPA_Request srcip:$1

NEXT

id=12887
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an MPEG-4 audio file with a .m4a extension.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.m4a
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Audio_M4A_Request srcip:$1

NEXT

id=12888
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an MPEG-3 audio file with a .mp3 extension.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.mp3
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Audio_MP3_Request srcip:$1

NEXT

# Media, document and dynamic-content rules; each requires a 2xx GET or POST
# line that contains the extension literal somewhere in it.
id=12889
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an MPEG-4 media file with a .mp4 extension.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.mp4
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Media_MP4_Request srcip:$1

NEXT

id=12890
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an Apple Quicktime video file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.mov
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Video_MOV_Request srcip:$1

NEXT

id=12892
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an Adobe PDF or compatible file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.pdf
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Office_PDF_Request srcip:$1

NEXT

id=12893
name=This Apache web server has detected a system browsing the network via HTTP with a web request for dynamic content generates by a PHP program.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.php
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Content_PHP_Request srcip:$1

NEXT

id=12894
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Unix software package file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.pkg
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Executable_PKG_Request srcip:$1

NEXT

id=12895
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a PNG image file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.png
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Image_PNG_Request srcip:$1

NEXT

id=12896
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Microsoft .pps PowerPoint presentation file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.pps
match=pp
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Office_PPS_Request srcip:$1

NEXT

# NOTE(review): this event is spelled "Apache_Office_..." with an
# underscore, while every other event in this library starts with
# "Apache-". A filter or report keyed on the "Apache-" prefix will miss it.
# Left unchanged because existing consumers may depend on the current name.
id=12897
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Microsoft .ppt PowerPoint presentation file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=pt
match=.ppt
match=pp
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache_Office_PPT_PPTX_Request srcip:$1

NEXT

# ".ra" is a prefix of ".ram" and ".rar", hence the two "!" exclusions.
id=12898
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Real Audio .ra sound file.
match=!.ram
match=!.rar
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.ra
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Audio_RA_Request srcip:$1

NEXT

id=12899
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Real Audio .ra sound file.
match= - [
match=TP
match= HTTP/1.
match=HTTP match=" 2 match=.ram regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9] log=type:web-access event:Apache-Audio_RAM_Request srcip:$1 NEXT id=12900 name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Roshat Archive .rar file. match= - [ match=TP match= HTTP/1. match=HTTP match=" 2 match=ar match=.rar regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9] log=type:web-access event:Apache-File_RAR_Request srcip:$1 NEXT id=12901 name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Redhat Package Manager.rpm file. match= - [ match=TP match= HTTP/1. match=HTTP match=" 2 match=.rpm regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9] log=type:web-access event:Apache-Executable_RPM_Request srcip:$1 NEXT id=12902 name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Real Media audio or video file. match= - [ match=TP match= HTTP/1. match=HTTP match=" 2 match=.rm regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9] log=type:web-access event:Apache-Media_RM_Request srcip:$1 NEXT id=12903 name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Rich Site Summary .rss file. match= - [ match=TP match= HTTP/1. match=HTTP match=" 2 match=ss match=.rss regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9] log=type:web-access event:Apache-Content_RSS_Request srcip:$1 NEXT id=12904 name=This Apache web server has detected a system browsing the network via HTTP with a web request for a FLASH video file. match= - [ match=TP match= HTTP/1. 
match=HTTP match=" 2 match=.swf regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9] log=type:web-access event:Apache-Media_SWF_Request srcip:$1 NEXT id=12905 name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Unix tape archive file with a .tar extension. match=!tar.gz match= - [ match=TP match= HTTP/1. match=HTTP match=" 2 match=ar match=.tar regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9] log=type:web-access event:Apache-File_TAR_Request srcip:$1 NEXT id=12907 name=This Apache web server has detected a system browsing the network via HTTP with a web request for a gnuziped compressed Unix tar archive. match= - [ match=TP match= HTTP/1. match=HTTP match=" 2 match=.tgz regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9] log=type:web-access event:Apache-File_TGZ_Request srcip:$1 NEXT id=12908 name=This Apache web server has detected a system browsing the network via HTTP with a web request for a gnuziped compressed Unix tar archive. match= - [ match=TP match= HTTP/1. match=HTTP match=" 2 match=ar match=.tar.gz regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9] log=type:web-access event:Apache-File_TAR_GZ_Request srcip:$1 NEXT id=12910 name=This Apache web server has detected a system browsing the network via HTTP with a web request for Microsoft Windows .wav audio file. match= - [ match=TP match= HTTP/1. match=HTTP match=" 2 match=.wav regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9] log=type:web-access event:Apache-Audio_WAV_Request srcip:$1 NEXT id=12911 name=This Apache web server has detected a system browsing the network via HTTP with a web request for Microsoft Windows .wma audio file. match= - [ match=TP match= HTTP/1. 
match=HTTP match=" 2 match=.wma regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9] log=type:web-access event:Apache-Audio_WMA_Request srcip:$1 NEXT id=12912 name=This Apache web server has detected a system browsing the network via HTTP with a web request for Microsoft Windows .wmv video file. match= - [ match=TP match= HTTP/1. match=HTTP match=" 2 match=.wmv regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9] log=type:web-access event:Apache-Video_WMV_Request srcip:$1 NEXT id=12914 name=This Apache web server has detected a system browsing the network via HTTP with a web request for an ASCII text file. match= - [ match=TP match= HTTP/1. match=HTTP match=" 2 match=.txt regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9] log=type:web-access event:Apache-Office_TXT_Request srcip:$1 #id=12915 NEXT id=12916 name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Rich Text Format .rtf file. match= - [ match=TP match= HTTP/1. match=HTTP match=" 2 match=.rtf regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9] log=type:web-access event:Apache-Office_RTF_Request srcip:$1 NEXT id=12917 name=This Apache web server has detected a system browsing the network via HTTP with a web request for an XML file. match= - [ match=TP match= HTTP/1. match=HTTP match=" 2 match=.xml regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9] log=type:web-access event:Apache-File_XML_Request srcip:$1 # id=12940 available NEXT id=12942 name=This Apache web server has detected a system browsing the network via HTTP with a web request for Microsoft Windows Excel .xls or .xslx spreadsheet file. match= - [ match=TP match= HTTP/1. 
match=HTTP match=" 2 match=.xls regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9] log=type:web-access event:Apache-Office_XLS_XLSX_Request srcip:$1 NEXT id=12944 name=This Apache web server has detected a system browsing the network via HTTP with a web request for a ZIP compressed file. match= - [ match=TP match= HTTP/1. match=HTTP match=" 2 match=.zip regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9] log=type:web-access event:Apache-File_ZIP_Request srcip:$1 NEXT id=12945 name=This Apache webserver processed a request with an invalid content length. match=ent match=client match=rr match=error match= [error] [client match=ont match=] Invalid Content-Length regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\] log=type:web-error event:Apache-Invalid_Content_Length srcip:$1 proto:6 NEXT id=12946 name=This Apache webserver rejected a request to serve a directory. match=ent match=client match=rr match=error match= [error] [client match=tem match=ire match=ser match=pt match=] Attempt to serve directory: match=ect regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\] log=type:web-error event:Apache-Attempt_To_Serve_Directory srcip:$1 proto:6 NEXT id=12947 name=This Apache webserver encountered a request for a CGI resource, but the ExecCGI setting was disabled. This may indicate a probe or misconfiguration. match=io match=th match=off match=cli match=on match=ent match=tion match=ff match=direct match=client match=ien match=re match=nt match=en match=or match=in match=pt match=ect match=ion match=client match=] Options ExecCGI is off in this directory regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\] log=type:web-error event:Apache-Invalid_ExecCGI_Request srcip:$1 proto:6 NEXT id=12948 name=This Apache web server logged a valid HEAD event. match="HEAD / match=HEAD match=AD match=TP match= HTTP/1. 
match=HTTP match=" 302 - log=type:web-access event:Apache-302_Head proto:6 NEXT id=12949 name=This Apache webserver has received an TLSv1 or SSLv3 non RSA request. match=!RSA match=TP match=HTTP match= HTTP/1 match=AES256-SHA " regex=([0-9]+(\.[0-9]+){3}) log=event:Apache-AES256_Connection srcip:$1 type:web-access NEXT id=12950 name=This Apache web server logged a valid CONNECT event. match=!POST match=!GET match=!HEAD match="CONNECT match=CO match=TP match= HTTP/1. match=HTTP match=" 302 - log=type:web-access event:Apache-302_Connect proto:6 NEXT id=12951 name=This Apache webserver has received an RC4-SHA request. match=TP match=HTTP match= HTTP/1 match= RC4-SHA " regex=([0-9]+(\.[0-9]+){3}) .* RC4-SHA log=event:Apache-SHA_Connection srcip:$1 type:web-access NEXT id=12952 name=This Apache webserver has received an DES-CBC3-SHA request. match=TP match=HTTP match= HTTP/1 match=DES-CBC3-SHA " regex=([0-9]+(\.[0-9]+){3}) .*DES-CBC3-SHA log=event:Apache-SHA_Connection srcip:$1 type:web-access NEXT id=12953 name=This Apache web server logged a 200 HEAD event. match="HEAD / match=HEAD match=AD match=TP match= HTTP/1. match=HTTP match=" 200 - regex=.*=([0-9]+(\.[0-9]+){3}).*=([0-9]+(\.[0-9]+){3}) log=type:web-access event:Apache-200_Head srcip:$1 dstip:$3 proto:6 NEXT id=12954 name=This Apache webserver encountered an error reading the headers. match=ent match=client match=rr match= [error] [client match=ail match=est match=ed match=] request failed: error reading the headers match=request regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\] log=type:web-error event:Apache-Error_Reading_Headers srcip:$1 proto:6 NEXT id=12955 name=This Apache webserver OPTIONS. match= - [ match=] "OPTIONS match=HTTP/ match=200 match=OP match=TI match=NS match=ON regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([A-Za-z0-9._-]+)\:([0-9]+) - \[ log=type:web-access event:Apache-Options proto:6 srcip:$1 dstip:$2 dstport:$3 NEXT id=12956 name=This Apache webserver PROPFIND. 
match= - [ match=] "PROPFIND / match=HTTP/ match=200 match=PR match=OP match=FI match=ND regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([A-Za-z0-9._-]+)\:([0-9]+) - \[ log=type:web-access event:Apache-Propfind proto:6 srcip:$1 dstip:$2 dstport:$3 NEXT id=12957 name=This Apache webserver SEARCH. match= - [ match=] "SEARCH / match=HTTP/ match=200 match=SE match=AR match=CH match=EA regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([A-Za-z0-9._-]+)\:([0-9]+) - \[ log=type:web-access event:Apache-Valid_Web_Search proto:6 srcip:$1 dstip:$2 dstport:$3 NEXT id=12958 name=The Apache web server encountered a valid web query which returned a valid code in the 200 range. match=! - [ match=] "GET match=GET match=TP match=HTTP match= HTTP/1. match=" 2 regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) ([^ ]{1,12}) \[.* (2[0-9][0-9]) log=event:Apache-Valid_Web_GET_Request srcip:$1 dstip:$2 dstport:$3 type:web-access user:$4 NEXT id=12959 name=The Apache web server encountered an invalid web request which returned an Apache error code in the 400 range. match=! - [ match=] "GET match=GET match=TP match= HTTP/1. match=HTTP match=" 4 match=!cgi-bin regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) ([^ ]{1,12}) \[.* (4[0-9][0-9]) log=type:web-error event:Apache-GET_Client_Request_Error proto:6 srcip:$1 dstip:$2 dstport:$3 type:web-access user:$4 ~