# LCE PRM LIBRARY
# Copyright 2004-2014 Tenable Network Security
# This library may only be used with the LCE server and may not
# be used with other products or open source projects
#
# NAME:
# Apache library
#
# DESCRIPTION:
#
# These signatures look for a variety of events occurring in the
# access log, error log, ssl_log and ssl_error log files. They can
# be used by an LCE server receiving SYSLOG messages from an
# Apache web server, or by an LCE Client operating
# directly on the web logs.
#
# LAST UPDATE: $Date$

# Normalizes a mod_security "Access denied" error-log line into
# Apache-Access_Denied, taking srcip from the "[client a.b.c.d]" token.
# NOTE(review): the long match literal pins the action to
# "Access denied with code 200", and match=200 repeats that requirement.
# Denials that mod_security logs with a different status code are not
# normalized by this rule. Confirm another rule covers them; otherwise
# Apache-Access_Denied under-reports blocked requests.
id=2800
name=This Apache webserver denied access. 
match=ent
match=client
match=ed
match=enied
match=rr
match= [error] [client
match=ecu
match=ce
match=ty
match=ss
match=] mod_security: Access denied with code 200. 
match=200
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Access_Denied srcip:$1 proto:6 

NEXT

id=2801
name=This Apache webserver encountered an invalid character. 
match=ent
match=client
match=rr
match= [error] [client 
match=ecu
match=ar
match=ed
match=ty
match=] mod_security: Invalid character detected [
match=ect
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Invalid_Characters srcip:$1 proto:6 

NEXT

id=2802
name=This Apache webserver has paused a script for a determinant amount of time.
match=ent
match=client
match=rr
match= [error] [client 
match=ecu
match=ing
match=ty
match= mod_security: pausing [
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Pausing_Potential_Scanner srcip:$1 proto:6 

NEXT

id=2803
name=This Apache webserver has refused a connection.
match=ent
match=client
match=rr
match= [error] [client 
match=ion
match=ed
match=)Connection refused: proxy connect to 
match=ect
match=onnect
match=onnection
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Refused_Proxy_Attempt srcip:$1 proto:6 

NEXT

id=2804
name=This Apache webserver had issued a warning based off of a known-bad-pattern match.
match=ent
match=client
match=rr
match= [error] [client 
match=ar
match=arn
match=ecu
match=ing
match=ty
match= mod_security: Warning. Pattern match "
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Known_Web_probe srcip:$1 proto:6 

NEXT

id=2805
name=This Apache webserver has had an invalid method.
match=ent
match=client
match=rr
match= [error] [client 
match=est
match=] Invalid method in request 
match=request
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Invalid_Method srcip:$1 proto:6 

NEXT

# Normalizes the SSL engine start-up warning about an RSA server certificate
# whose CommonName does not match the server name.
# NOTE(review): the log= line references $1, but this rule has no regex=
# statement, so no capture group defines it. The matched text is a
# "[warn]  Init:" message and no "[client" token is required, so there is
# presumably no client address to extract. Verify what LCE emits for srcip
# here and consider dropping srcip:$1, so the event does not carry an empty
# or bogus source address into correlation.
id=2806
name=This Apache webserver's SSL Engine has an RSA certificate which does not match the server name.
match=ar
match=arn
match=warn
match=] [warn]  Init: (
match=ser
match=) RSA server 
match=ate
match=ce
match=certificate 
match=CommonName (CN) `
match=mon
log=type:web-error event:Apache-Bad_RSA_Certificate srcip:$1 proto:6 dstport:443

NEXT

id=2807
name=This Apache webserver encountered a request to index a directory which was forbidden.
match=ent
match=client
match=rr
match= [error] [client 
match=ire
match=Directory
match=] Directory index forbidden
match=de
match=re
match=or
match=in
match=ex
match=to
match=Dir
match=ect
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Directory_Index_Forbidden srcip:$1 proto:6 

NEXT

id=2808
name=This Apache webserver encountered an invalid URI request.
match=!ModSecurity
match=ent
match=client
match=rr
match= [error] [client 
match=est
match=] Invalid URI in request 
match=request
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Invalid_URI srcip:$1 proto:6 

NEXT

id=2809
name=This Apache webserver encountered an invalid URI request which was to large.
match=ent
match=client
match=rr
match= [error] [client 
match=ail
match=est
match=lo
match=le
match=ed
match=] request failed: URI too long
match=request
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-URI_To_Long srcip:$1 proto:6 

NEXT

id=2810
name=This Apache webserver had a request for an invalid or non-existent CGI script. 
match=TP
match=HTTP
match=] "GET /cgi-bin/
match=GET
match= HTTP/1.
match=" 404 
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9]
log=type:web-error event:Apache-GET_CGI_Request_PageNotFound srcip:$1 proto:6 

NEXT

id=2811
name=This Apache webserver refused a proxy attempt. 
match=ent
match=client
match=rr
match= [error] [client
match=ail
match=est
match=ol
match=ing
match=ar
match=le
match=ed
match=] request failed: erroneous characters after protocol string: 
match=request
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\] request
log=type:web-error event:Apache-Proxy_Request_Failed srcip:$1 proto:6 

NEXT

id=2813
name=This Apache webserver could not find a request script. This may indicate a web probe. 
match=ent
match=rr
match= [error] [client 
match=client
match=sta
match=le
match=pt
match=] script not found or unable to stat: /
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Script_Not_Found srcip:$1 proto:6 

NEXT

# Normalizes a "PHP Notice:  Undefined variable" error-log line into
# Apache-PHP_Undefined_Var.
# NOTE(review): the regex is not anchored to the "[client " token that the
# match lines require; it captures the first dotted quad anywhere in the line.
# If a record reaches LCE with an IP-shaped field ahead of "[client" (for
# example a relay or syslog header), srcip becomes that address instead of the
# client's. Rules such as 2800 and 2813 anchor on "client (...)\]"; the same
# anchor would be safer here and in the other rules that use this bare pattern
# (2817-2819, 12820-12833). $1 is the whole address; $2 is only the last
# ".octet" repetition of the inner group.
id=2814
name=This Apache webserver encountered an undefined variable in a PHP script. 
match=ent
match=[client 
match=client
match=PHP
match=ar
match=ce
match=le
match=ed
match=] PHP Notice:  Undefined variable: 
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-PHP_Undefined_Var srcip:$1 proto:6 type:web-error

NEXT

id=2817
name=This Apache webserver encountered an undefined PHP constant.
match=ent
match=client
match=PHP
match=[client 
match=sta
match=ce
match=ed
match=] PHP Notice:  Use of undefined constant
match=an
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-PHP_Undefined_Constant srcip:$1 proto:6 type:web-error

NEXT

id=2818
name=This Apache webserver encountered an undefined PHP programming offset.
match=ent
match=client
match=PHP
match=[client 
match=ce
match=ed
match=] PHP Notice:  Undefined offset
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-PHP_Undefined_Offset srcip:$1 proto:6 type:web-error

NEXT

id=2819
name=This Apache webserver encountered an attempt to upload a file larger than what was allowed by policy.
match=ent
match=client
match=PHP
match=ize
match=[client 
match=ar
match=arn
match=lo
match=ing
match=le
match=] PHP Warning:  upload_max_filesize of 
match=ce
match=ed
match=bytes exceeded - file [
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-PHP_Upload_Max_Filesize_Exceeded srcip:$1 proto:6 type:web-error

###
#  NOTE: - ID 2820 is the start of the sql_postgres.prm ID numbering
###
NEXT

id=12820
name=This Apache webserver had a PHP fread() warning. This can indicate a programming error, but can also indicate that web application probes are occurring on your server. 
match=ent
match=client
match=PHP
match=[client 
match=ar
match=arn
match=ing
match=] PHP Warning:  fread(): 
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-PHP_fread_Warning srcip:$1 proto:6 type:web-error

NEXT

id=12821
name=This Apache webserver has had an issue with its Server Side Include configuration.  
match=ent
match=client
match=rem
match=ar
match=arn
match= [warn] [client 
match=CL
match=ion
match=ed
match=pt
match=mod_include: Options +Includes (or IncludesNoExec) wasn't set, INCLUDES filter removed
match=IN
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-SSI_Config_Warning srcip:$1 proto:6 type:web-error

NEXT

id=12822
name=This Apache webserver was not able to find an requested PHP script. This may indicate one or more web probes. 
match=ent
match=client
match=le
match=nable
match=[client 
match=pt
match=] script '
match=sta
match=' not found or unable to stat
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Script_Not_Found srcip:$1 proto:6 type:web-error

NEXT

id=12823
name=This Apache webserver was not able to fulfill an index request.
match=ent
match=client
match=PHP
match=[client 
match=ce
match=ed
match=] PHP Notice:  Undefined index: 
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-PHP_Undefined_Index srcip:$1 proto:6 type:web-error

NEXT

id=12824
name=This Apache webserver was not able to invoke a directory as a script.
match=ent
match=rr
match= [error] [client
match=error
match=client
match=tem
match=ire
match=pt
match=] attempt to invoke directory as script:
match=ect
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Attempt_To_Invoke_Directory_As_Script srcip:$1 proto:6 type:web-error

NEXT

id=12825
name=This Apache webserver denied access based on configured parameters.
match=ent
match=rr
match= [error] [client
match=error
match=client
match=ser
match=ion
match=ed
match=] client denied by server configuration: /
match=onfiguration
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Client_Denied_By_Server srcip:$1 proto:6 type:web-error

NEXT

id=12827
name=This Apache webserver denied access based on configured parameters.
match=ent
match=rr
match= [error] [client
match=error
match=client
match=ion
match=ce
match=ed
match=ss
match=)Permission denied: access to /
match=acc
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Permission_Denied srcip:$1 proto:6 type:web-error

NEXT

id=12828
name=This Apache webserver encountered a premature end to a script. This can indicate a programming error. 
match=ent
match=rr
match= [error] [client
match=client
match=error
match=rem
match=pt
match=] Premature end of script headers:
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Premature_End_Of_Script srcip:$1 proto:6 type:web-error

NEXT

id=12829
name=This Apache webserver encountered a request for a file it does not have access to. This may be a configuration issue, or a web probe which has been denied. 
match=ent
match=rr
match= [error] [client
match=error
match=client
match=ire
match=ce
match=le
match=ty
match=ss
match=)No such file or directory: cannot access type map file: 
match=ect
match=acc
match=an
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-No_Such_File_Or_Directory srcip:$1 proto:6 type:web-error

NEXT

id=12830
name=This Apache webserver encountered a malformed host header.
match=ent
match=client
match=rr
match=error
match= [error] [client
match=ed
match=] Client sent malformed Host header
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Malformed_Host_Header srcip:$1 proto:6 type:web-error

NEXT

id=12831
name=This Apache webserver has a misconfiguration.
match=ent
match=rr
match= [error] [client
match=client
match=error
match=ing
match=ed
match=] Unquoted string "
match=ser
match=" may clash with future reserved word
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Script_With_Unquoted_String srcip:$1 proto:6 type:web-error

NEXT

id=12832
name=This Apache webserver has a misconfiguration.
match=le
match=ss
match=ossible
match=ent
match=rr
match= [error] [client
match=client
match=error
match=ce
match=ed
match=ty
match=" used only once: possible typo at /
match=] Name "
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Possible_Script_Typo srcip:$1 proto:6 type:web-error

NEXT


id=12833
name=This Apache webserver encountered a programming error.
match=ent
match=rr
match= [error] [client
match=[client 
match=client
match=error
match=lo
match=le
match=ed
match=] print() on closed filehandle WH at /
match=an
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-Closed_Script_Filehandle srcip:$1 proto:6 type:web-error

NEXT

# Normalizes an SSL request-log line that records an SSLv2 DES-CBC3-MD5
# session into Apache-DES_MD5_Connection.
# NOTE(review): SSLv2 is a broken, long-deprecated protocol (RFC 6176
# prohibits its use). This rule files the connection as type:web-access
# alongside ordinary traffic, so add an alert or report on this event name if
# any server in scope can still negotiate SSLv2.
# NOTE(review): the bare regex takes the first dotted quad in the line as
# srcip. This assumes the client address is the first IP-shaped token in the
# SSL request log format in use - TODO confirm.
id=12834
name=This Apache webserver has received an SSLv2 request.
match=TP
match=HTTP
match= HTTP/1
match= SSLv2 DES-CBC3-MD5 "
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-DES_MD5_Connection srcip:$1 type:web-access

NEXT

# Normalizes an SSL request-log line whose cipher contains " DHE-RSA-", "256"
# and "-SHA" into Apache-DHE_RSA_Connection.
# NOTE(review): no match or regex here tests a protocol token, although the
# name says "TLSv1 or SSLv3"; the rule keys only on cipher-name fragments.
# match=256 and match=-SHA are independent substrings, so "256" can be
# satisfied by any part of the line (a byte count, a path) rather than the
# cipher name. The event therefore does not reliably identify either the
# protocol version or a 256-bit cipher; do not use it as evidence of cipher
# strength.
id=12835
name=This Apache webserver has received an TLSv1 or SSLv3 request.
match=TP
match=HTTP
match=HTTP/1
match= DHE-RSA-
match=256
match=-SHA
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-DHE_RSA_Connection srcip:$1 type:web-access

NEXT

id=12836
name=This Apache webserver has received an RC4-MD5 request.
match=TP
match=HTTP
match= HTTP/1
match= RC4-MD5 "
regex=([0-9]+(\.[0-9]+){3}) .* RC4-MD5
log=event:Apache-MD5_Connection srcip:$1 type:web-access

NEXT

id=12837
name=This Apache webserver has received an TLSv1 request.
match=TP
match=HTTP
match= HTTP/1
match= TLSv1 AES128-SHA "
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-AES_SHA_Connection srcip:$1 type:web-access

NEXT

# Normalizes a "request failed: erroneous characters after protocol string"
# error into Apache-Erroneous_Characters_After_Protocol, with srcip from the
# "[client ...]" token and dstip/dstport from a later ":<ip>:<port>" sequence.
# NOTE(review): the match lines require " GET /" and " HTTP/1.", so the line
# echoes request text after the error message; the ":<ip>:<port>" that feeds
# $2/$3 presumably sits in or after that echoed, client-supplied text - verify
# against a sample record. Until confirmed, treat dstip and dstport from this
# event as untrusted: do not drive automated blocking or asset attribution
# from them without checking the connection record.
# The second ".*" is greedy, so when several ":<ip>:<port>" sequences appear
# the last one in the line is the one captured.
id=12839
name=This Apache webserver has received erroneous characters after the protocol string.
match=TP
match=HTTP
match= HTTP/1.
match= GET /
match=GET
match=rr
match=[error]
match=error
match=ail
match=le
match=ed
match=ailed
match=est
match=ol
match=ing
match=ar
match= request failed: erroneous characters after protocol string:
match=request
regex=.*\[client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\] .*\:([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=type:web-error event:Apache-Erroneous_Characters_After_Protocol srcip:$1 dstip:$2 dstport:$3

NEXT

id=12841
name=This Apache webserver encountered an undefined index in a PHP script.
match=PHP
match=tp
match=httpd
match=ce
match=ed
match=httpd: PHP Notice:  Undefined index
log=event:Apache-PHP_Undefined_Index proto:6 type:web-error

NEXT

id=12842
name=This Apache webserver encountered an illegal offset type.
match=PHP
match=tp
match=httpd
match=ar
match=arn
match=ing
match=le
match=ty
match=httpd: PHP Warning:  Illegal offset type in
log=event:Apache-PHP_Illegal_Offset proto:6 type:web-error

NEXT

id=12843
name=This Apache webserver denied access to a remote user who attempted to execute a command. 
match=ent
match=client
match=rr
match=error
match= [error] [client
match=ion
match=ed
match=ss
match=Permission denied:
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Permission_Denied srcip:$1 proto:6 

NEXT

# Normalizes a syslog-delivered httpd "ALERT - ASCII-NUL chars not allowed
# within request variables - dropped variable" record into
# Apache-Alert_ASCII_NUL. $1 is the host token before "httpd[" (sensor) and $2
# is the address following "(attacker " (srcip).
# NOTE(review): this looks like the Suhosin / Hardened-PHP alert format, where
# the "(attacker '...'" value is written by the PHP extension rather than by
# Apache. Suhosin can be configured to log the X-Forwarded-For value there
# (suhosin.log.use-x-forwarded-for); with that enabled srcip is a
# client-supplied header value. Confirm the setting on monitored hosts before
# using this srcip for blocking or attribution. Rule 12845 uses the same
# extraction.
# The "." before the address capture accepts any single character where the
# opening quote is expected.
id=12844
name=The Apache webserver has dropped a variable due to null characters not allowed withing request.
match=tp
match=httpd[
match=rr
match=[error]
match=httpd
match=error
match=est
match=lo
match=ar
match=le
match=ed
match=ALERT - ASCII-NUL chars not allowed within request variables
match=RT
match=ER
match=AL
match=request
match=dropped variable
match=pp
regex=([a-zA-Z0-9&_\.-]+) httpd\[.*\]: \[error\] ALERT - ASCII-NUL .*\(attacker .([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Apache-Alert_ASCII_NUL sensor:$1 srcip:$2 type:web-error

NEXT

id=12845
name=The Apache webserver has issued an alert for the registration of a forbidden variable.
match=tp
match=httpd[
match=rr
match=[error]
match=httpd
match=error
match=ar
match=le
match=ed
match=ALERT - tried to register forbidden variable
match=RT
match=ER
match=AL
match=through COOKIE variables
match=CO
regex=([a-zA-Z0-9&_\.-]+) httpd\[.*\]: \[error\] ALERT - tried to register forbidden variable .*\(attacker .([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=event:Apache-Alert_Forbidden_Variable sensor:$1 srcip:$2 type:web-error

NEXT

id=12846
name=The Apache has a file not found error.
match=tp
match=httpd[
match=rr
match=[error]
match=httpd
match=error
match=le
match=File does not exist:
regex=([a-zA-Z0-9&_\.-]+) httpd\[.*\]: \[error\] \[client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=event:Apache-Error_File_Not_Found sensor:$1 srcip:$2 type:web-error

NEXT

# Catch-all for anonymous (" - [") GET requests answered with a 2xx status
# that are not claimed by one of the per-content-type rules; the "!" lines
# list the extensions those rules handle.
# NOTE(review): the exclusions are plain substrings tested against the whole
# line, not against the extension of the requested path:
#  - "!gz" has no leading dot, unlike every other entry and unlike rule 12877
#    (match=.gz), so any line containing "gz" anywhere is excluded.
#  - "!.css" is absent here but present in the POST twin (12848), so a GET for
#    a style sheet satisfies both this rule and 12870.
#  - The request line, and in combined log format the referer and user agent,
#    are client-supplied. An exclusion string, or text resembling '" 2' and
#    " 2xx ", appearing in those fields changes how the line is classified.
#    Neither the literal nor the regex is tied to the status field's position.
# Do not treat this event, or its absence, as proof of the response status or
# of the resource type; confirm against the raw log when it matters.
id=12847
name=The Apache web server encountered a valid web query which returned a valid code in the 200 range.
match=TP
match=HTTP
match= - [
match=] "GET 
match=GET
match= HTTP/1.
match=" 2
match=!.asp
match=!.avi
match=!.bmp
match=!.cgi
match=!.doc
match=!.gif
match=!.exe
match=!.flv
match=!gz
match=!.htm
match=!.java
match=!.jpeg
match=!.jpg
match=!.js
match=!.mpg
match=!.mpeg
match=!.mpa
match=!.m4a
match=!.mp3
match=!.mp4
match=!.mov
match=!.pdf
match=!.php
match=!.pkg
match=!.png
match=!.pps
match=!.ppt
match=!.ra
match=!.ram
match=!.rar
match=!.rpm
match=!.rtf
match=!.rm
match=!.rss
match=!.swf
match=!.tar
match=!.txt
match=!.wav
match=!.wma
match=!.wmv
match=!.xls
match=!.xml
match=!.zip
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* 2[0-9][0-9] 
log=event:Apache-Valid_Web_GET_Request srcip:$1 type:web-access

NEXT

id=12848
name=The Apache web server encountered a valid web post which returned a valid code in the 200 range.
match=TP
match=HTTP
match= - [
match=] "POST 
match=ST
match=POST
match= HTTP/1.
match=" 2
match=!.asp
match=!.avi
match=!.bmp
match=!.cgi
match=!.css
match=!.doc
match=!.gif
match=!.exe
match=!.flv
match=!gz
match=!.htm
match=!.java
match=!.jpeg
match=!.jpg
match=!.js
match=!.mpg
match=!.mpeg
match=!.mpa
match=!.m4a
match=!.mp3
match=!.mp4
match=!.mov
match=!.pdf
match=!.php
match=!.pkg
match=!.png
match=!.pps
match=!.ppt
match=!.ra
match=!.ram
match=!.rar
match=!.rpm
match=!.rtf
match=!.rm
match=!.rss
match=!.swf
match=!.tar
match=!.txt
match=!.wav
match=!.wma
match=!.wmv
match=!.xls
match=!.xml
match=!.zip
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* 2[0-9][0-9] 
log=event:Apache-Valid_Web_POST_Request srcip:$1 type:web-access

NEXT

id=12849
name=The Apache web server encountered a valid web query which returned a valid code in the 300 range which resulted in a client redirection.
match=TP
match=HTTP
match= - [
match=] "GET 
match=GET
match= HTTP/1.
match=" 3
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* 3[0-9][0-9] 
log=type:web-access event:Apache-GET_Redirect srcip:$1 proto:6 

NEXT

id=12850
name=The Apache web server encountered a valid web post which returned a valid code in the 300 range which resulted in a client redirection.
match=TP
match=HTTP
match= - [
match=] "POST 
match=POST
match=ST
match= HTTP/1.
match=" 3
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* 3[0-9][0-9] 
log=type:web-access event:Apache-POST_Redirect srcip:$1 proto:6 

NEXT

id=12851
name=The Apache web server encountered an invalid web request which returned an Apache error code in the 400 range. 
match=TP
match=HTTP
match= - [
match=] "GET 
match=GET
match= HTTP/1.
match=" 4
match=!cgi-bin
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* 4[0-9][0-9] 
log=type:web-error event:Apache-GET_Client_Request_Error srcip:$1 proto:6 

NEXT

id=12852
name=The Apache web server encountered an invalid web post which returned an Apache error code in the 400 range. 
match=TP
match=HTTP
match= - [
match=] "POST 
match=POST
match=ST
match= HTTP/1.
match=" 4
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* 4[0-9][0-9] 
log=type:web-error event:Apache-POST_Client_Request_Error srcip:$1 proto:6 

NEXT

id=12853
name=The Apache web server encountered an invalid web request which returned an Apache error code in the 500 range. 
match=TP
match=HTTP
match= - [
match=] "GET 
match=GET
match= HTTP/1.
match=" 5
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* 5[0-9][0-9] 
log=type:web-error event:Apache-GET_Server_Error srcip:$1 proto:6 

NEXT

id=12854
name=The Apache web server encountered an invalid web post which returned an Apache error code in the 500 range. 
match=TP
match=HTTP
match= - [
match=] "POST 
match=POST
match=ST
match= HTTP/1.
match=" 5
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* 5[0-9][0-9] 
log=type:web-error event:Apache-POST_Server_Error srcip:$1 proto:6 

NEXT

id=12855
name=The Apache web server encountered a file name which was too long.
match=rr
match=[error]
match=ent
match=[client
match=error
match=client
match=lo
match=le
match=File name too long:
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)
log=type:web-error event:Apache-File_Name_Too_Long srcip:$1 proto:6 

NEXT

# Variant of the 2xx GET rule for lines that do NOT contain " - - [", i.e.
# where at least one of the two fields after the client address is populated;
# it adds a user: field taken from $2.
# NOTE(review): assuming Common/Combined Log Format ("%h %l %u %t ..."), $2 is
# the second field (%l, the identd logname) and the authenticated user (%u) is
# consumed by the following ".*". A line of the shape "IP - alice [..." passes
# "! - - [" yet yields user "-". Confirm against the LogFormat in use;
# capturing the third field is probably what was intended. The same pattern is
# used by rules 12857-12863.
# NOTE(review): the {1,12} bound makes the regex fail for longer values (rule
# 12857 allows 32), so such requests are not normalized by this rule.
# The user name in an access log is supplied by the client; on 401 responses
# (see the 4xx twins 12860/12861) it is unauthenticated and must not be
# trusted as an identity.
id=12856
name=The Apache web server encountered a valid web query which returned a valid code in the 200 range.
match=! - - [
match=] "GET 
match=GET
match=TP
match=HTTP
match= HTTP/1.
match=" 2
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([^ ]{1,12}) .* \[[0-9].* 2[0-9][0-9] 
log=event:Apache-Valid_Web_GET_Request srcip:$1 type:web-access user:$2

NEXT

id=12857
name=The Apache web server encountered a valid web post which returned a valid code in the 200 range.
match=! - - [
match=] "POST 
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match=" 2
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([^ ]{1,32}) .* \[[0-9].* 2[0-9][0-9] 
log=event:Apache-Valid_Web_POST_Request srcip:$1 type:web-access user:$2

NEXT

id=12858
name=The Apache web server encountered a valid web query which returned a valid code in the 300 range which resulted in a client redirection.
match=! - - [
match=] "GET 
match=GET
match=TP
match= HTTP/1.
match=HTTP
match=" 3
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([^ ]{1,12}) .* \[[0-9].* 3[0-9][0-9] 
log=type:web-access event:Apache-GET_Redirect srcip:$1 proto:6 user:$2

NEXT

id=12859
name=The Apache web server encountered a valid web post which returned a valid code in the 300 range which resulted in a client redirection.
match=! - - [
match=] "POST 
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match=" 3
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([^ ]{1,12}) .* \[[0-9].* 3[0-9][0-9] 
log=type:web-access event:Apache-POST_Redirect srcip:$1 proto:6 user:$2

NEXT

id=12860
name=The Apache web server encountered an invalid web request which returned an Apache error code in the 400 range. 
match=! - - [
match=] "GET 
match=GET
match=TP
match= HTTP/1.
match=HTTP
match=" 4
match=!cgi-bin
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([^ ]{1,12}) .* \[[0-9].* 4[0-9][0-9] 
log=type:web-error event:Apache-GET_Client_Request_Error srcip:$1 proto:6 user:$2

NEXT

id=12861
name=The Apache web server encountered an invalid web post which returned an Apache error code in the 400 range. 
match=! - - [
match=] "POST 
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match=" 4
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([^ ]{1,12}) .* \[[0-9].* 4[0-9][0-9] 
log=type:web-error event:Apache-POST_Client_Request_Error srcip:$1 proto:6 user:$2

NEXT

id=12862
name=The Apache web server encountered an invalid web request which returned an Apache error code in the 500 range. 
match=! - - [
match=] "GET 
match=GET
match=TP
match= HTTP/1.
match=HTTP
match=" 5
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([^ ]{1,12}) .* \[[0-9].* 5[0-9][0-9] 
log=type:web-error event:Apache-GET_Server_Error srcip:$1 proto:6 user:$2

NEXT

id=12863
name=The Apache web server encountered an invalid web post which returned an Apache error code in the 500 range. 
match=! - - [
match=] "POST 
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match=" 5
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([^ ]{1,12}) .* \[[0-9].* 5[0-9][0-9] 
log=type:web-error event:Apache-POST_Server_Error srcip:$1 proto:6 user:$2

NEXT

id=12864
name=The Apache web server has resumed normal operations.
match=ch
match=ic
match=ce
match=ti
match=ur
match=ma
match=er
match=gu
match=ac
match=ion
match=rm
match=not
match=op
match=config
match=Apache
match=configured -- resuming normal operations
log=type:application event:Apache-Web_Server_Resuming 

NEXT

# Normalizes an SSL request-log line showing an export-grade Diffie-Hellman
# cipher suite (EXP-DH..., EXP-DHE..., EXP-ADH..., EXP-EDH...) into
# Apache-DH_Export_Connection.
# NOTE(review): export-grade key exchange is deliberately weak cryptography,
# yet the event is typed web-access like ordinary traffic. Alert on this event
# name and disable EXPORT suites on any server that produces it.
# "[TSL]{3}" is a character class: it accepts any three of T/S/L, not only
# "SSL" or "TLS". Harmless, but looser than the name suggests.
id=12865
name=This Apache webserver has received an TLS or SSL Diffie-Hellman Export cipher request.
match=TP
match=HTTP
match=HTTP/1
match= EXP-
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) [TSL]{3}v[.0-9]+ EXP-(?:DHE?|[AE]DH)-
log=event:Apache-DH_Export_Connection srcip:$1 type:web-access

NEXT

id=12866
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a web page rendered by a Microsoft Active Server Pages application.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.asp
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Content_ASP_Request srcip:$1

NEXT

id=12867
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an AVI video file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.avi
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Video_AVI_Request srcip:$1

NEXT

id=12868
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an BMP image file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.bmp
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Image_BMP_Request srcip:$1

NEXT

id=12869
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a web site rendered by a CGI form.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.cgi
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Content_CGI_Request srcip:$1

NEXT

id=12870
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a web site's cascading style sheet file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=ss
match=.css
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Content_CSS_Request srcip:$1

# id=12871 available

NEXT

id=12872
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Microsoft Word .doc or .docx file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.doc
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Office_DOC_DOCX_Request srcip:$1

# id=12873 available

NEXT

id=12874
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a GIF image.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.gif
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Image_GIF_Request srcip:$1

NEXT

id=12875
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Windows executable file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.exe
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Executable_EXE_Request srcip:$1

NEXT

id=12876
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a flash video file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.flv
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Video_FLV_Request srcip:$1

NEXT

id=12877
name=This Apache web server has detected a system browsing the network via HTTP with a web request for file compressed by the Gnu Zip program.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.gz
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-File_GZ_Request srcip:$1

NEXT

id=12878
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an HTML file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.htm
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Content_HTM_HTML_Request srcip:$1

NEXT

id=12880
name=This Apache web server has detected a system browsing the network via HTTP with a web request for Java source code. This code may have been executed by the browser.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.java
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Executable_JAVA_Request srcip:$1

NEXT

id=12881
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a .jpeg image file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.jpeg
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Image_JPEG_Request srcip:$1

NEXT

id=12882
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a .jpg image file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.jpg
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Image_JPG_Request srcip:$1

NEXT

# Labels a 2xx GET/POST access-log line containing ".js" as
# Apache-Executable_JS_Request.
# NOTE(review): match=.js is a substring test against the whole line, so it is
# also satisfied by other names that contain ".js" (for example ".jsp" or
# ".json") and by ".js" appearing in client-supplied fields such as the query
# string or referer. The event shows that the string was present in the
# record, not that a script was served or executed.
id=12883
name=This Apache web server has detected a system browsing the network via HTTP with a web request for javascript code. This code was likely executed on the downloading web browser.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.js
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Executable_JS_Request srcip:$1

NEXT

id=12884
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an MPEG video with a .mpg extension.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.mpg
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Video_MPG_Request srcip:$1

NEXT

id=12885
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an MPEG video with a .mpeg extension.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.mpeg
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Video_MPEG_Request srcip:$1

NEXT

id=12886
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an MPEG-2 audio file with a .mpa extension.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.mpa
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Audio_MPA_Request srcip:$1

NEXT

id=12887
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an MPEG-4 audio file with a .m4a extension.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.m4a
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Audio_M4A_Request srcip:$1

NEXT

id=12888
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an MPEG-3 audio file with a .mp3 extension.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.mp3
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Audio_MP3_Request srcip:$1

NEXT

id=12889
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an MPEG-4 media file with a .mp4 extension.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.mp4
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Media_MP4_Request srcip:$1

NEXT

id=12890
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an Apple Quicktime video file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.mov
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Video_MOV_Request srcip:$1

NEXT

id=12892
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an Adobe PDF or compatible file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.pdf
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Office_PDF_Request srcip:$1

NEXT

id=12893
name=This Apache web server has detected a system browsing the network via HTTP with a web request for dynamic content generates by a PHP program.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.php
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Content_PHP_Request srcip:$1

NEXT

id=12894
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Unix software package file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.pkg
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Executable_PKG_Request srcip:$1

NEXT

id=12895
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a PNG image file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.png
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Image_PNG_Request srcip:$1

NEXT

id=12896
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Microsoft .pps PowerPoint presentation file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.pps
match=pp
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Office_PPS_Request srcip:$1

NEXT

# NOTE(review): the event name logged below starts with "Apache_" whereas the
# other rules visible in this part of the library use "Apache-". Searches or
# correlation rules that filter on the "Apache-" prefix will not see this
# event. Confirm whether any downstream consumer depends on the current
# spelling before renaming it.
# match=.ppt also matches .pptx, which the event name reflects but name= does
# not mention.
id=12897
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Microsoft .ppt PowerPoint presentation file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=pt
match=.ppt
match=pp
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache_Office_PPT_PPTX_Request srcip:$1

NEXT

# NOTE(review): ".ra" is a very short substring. Only .ram and .rar are
# excluded, so any other line containing ".ra" (for example a .raw file, or a
# path or host name with ".ra" inside it) still produces this event. Expect
# false positives if this event is used for alerting rather than statistics.
id=12898
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Real Audio .ra sound file.
match=!.ram
match=!.rar
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.ra
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Audio_RA_Request srcip:$1

NEXT

id=12899
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Real Audio .ram file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.ram
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Audio_RAM_Request srcip:$1

NEXT

id=12900
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Roshal Archive .rar file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=ar
match=.rar
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-File_RAR_Request srcip:$1

NEXT

id=12901
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Red Hat Package Manager .rpm file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.rpm
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Executable_RPM_Request srcip:$1

NEXT

id=12902
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Real Media audio or video file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.rm
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Media_RM_Request srcip:$1

NEXT

id=12903
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Rich Site Summary .rss file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=ss
match=.rss
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Content_RSS_Request srcip:$1

NEXT

id=12904
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a FLASH video file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.swf
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Media_SWF_Request srcip:$1

NEXT

id=12905
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Unix tape archive file with a .tar extension.
match=!tar.gz
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=ar
match=.tar
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-File_TAR_Request srcip:$1

NEXT

id=12907
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a gzipped compressed Unix tar archive.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.tgz
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-File_TGZ_Request srcip:$1

NEXT

id=12908
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a gzipped compressed Unix tar archive.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=ar
match=.tar.gz
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-File_TAR_GZ_Request srcip:$1

NEXT

id=12910
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Microsoft Windows .wav audio file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.wav
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Audio_WAV_Request srcip:$1

NEXT

id=12911
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Microsoft Windows .wma audio file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.wma
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Audio_WMA_Request srcip:$1

NEXT

id=12912
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Microsoft Windows .wmv video file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.wmv
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Video_WMV_Request srcip:$1

NEXT

id=12914
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an ASCII text file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.txt
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Office_TXT_Request srcip:$1

#id=12915

NEXT

id=12916
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Rich Text Format .rtf file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.rtf
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Office_RTF_Request srcip:$1

NEXT

id=12917
name=This Apache web server has detected a system browsing the network via HTTP with a web request for an XML file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.xml
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-File_XML_Request srcip:$1

# id=12940 available

NEXT

id=12942
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a Microsoft Windows Excel .xls or .xlsx spreadsheet file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.xls
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-Office_XLS_XLSX_Request srcip:$1

NEXT

id=12944
name=This Apache web server has detected a system browsing the network via HTTP with a web request for a ZIP compressed file.
match= - [
match=TP
match= HTTP/1.
match=HTTP
match=" 2
match=.zip
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .*\[[0-9].* "(?:GET|POST).* 2[0-9][0-9]
log=type:web-access event:Apache-File_ZIP_Request srcip:$1

NEXT

id=12945
name=This Apache webserver processed a request with an invalid content length. 
match=ent
match=client
match=rr
match=error
match= [error] [client 
match=ont
match=] Invalid Content-Length
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Invalid_Content_Length srcip:$1 proto:6 

NEXT

id=12946
name=This Apache webserver rejected a request to serve a directory.
match=ent
match=client
match=rr
match=error
match= [error] [client 
match=tem
match=ire
match=ser
match=pt
match=] Attempt to serve directory:
match=ect
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Attempt_To_Serve_Directory srcip:$1 proto:6 


NEXT

id=12947
name=This Apache webserver encountered a request for a CGI resource, but the ExecCGI setting was disabled. This may indicate a probe or misconfiguration. 
match=io
match=th
match=off
match=cli
match=on
match=ent
match=tion
match=ff
match=direct
match=client 
match=ien
match=re
match=nt
match=en
match=or
match=in
match=pt
match=ect
match=ion
match=client
match=] Options ExecCGI is off in this directory
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Invalid_ExecCGI_Request srcip:$1 proto:6 

NEXT

id=12948
name=This Apache web server logged a valid HEAD event.
match="HEAD /
match=HEAD
match=AD
match=TP
match= HTTP/1.
match=HTTP
match=" 302 -
log=type:web-access event:Apache-302_Head proto:6

NEXT

# NOTE(review): match=!RSA drops every line that contains "RSA", which
# removes the DHE-RSA-/ECDHE-RSA- suites. In OpenSSL cipher naming, however, a
# bare "AES256-SHA" is itself an RSA key-exchange suite (no forward secrecy),
# so the "non RSA" wording in name= looks misleading - confirm the intent.
# The regex is unanchored: srcip becomes the first dotted quad found anywhere
# on the line. TODO confirm that this is always the client address in the SSL
# log format being parsed.
id=12949
name=This Apache webserver has received an TLSv1 or SSLv3 non RSA request.
match=!RSA
match=TP
match=HTTP
match= HTTP/1
match=AES256-SHA "
regex=([0-9]+(\.[0-9]+){3})
log=event:Apache-AES256_Connection srcip:$1 type:web-access

NEXT

# This rule has no regex=, so the resulting event carries no srcip; whoever
# triages it has to go back to the raw log line to identify the client.
# CONNECT requests against a server that is not meant to act as a proxy are
# worth that follow-up.
# NOTE(review): the !POST / !GET / !HEAD exclusions are tested against the
# whole line (assuming standard PRM match= semantics), so a CONNECT line that
# contains one of those strings in another field is not reported. Consider
# anchoring the exclusions on the quoted request method instead.
id=12950
name=This Apache web server logged a valid CONNECT event.
match=!POST
match=!GET
match=!HEAD
match="CONNECT
match=CO
match=TP
match= HTTP/1.
match=HTTP
match=" 302 -
log=type:web-access event:Apache-302_Connect proto:6

NEXT

# RC4 cipher suites are prohibited for TLS by RFC 7465. Clients that still
# negotiate RC4-SHA are candidates for upgrade, and the server-side cipher
# list should be reviewed if this event appears at all.
# NOTE(review): the DES-CBC3-SHA rule (id 12952) logs the same event name,
# Apache-SHA_Connection, so the two legacy ciphers cannot be told apart
# downstream without the raw log. The regex is unanchored; srcip is the first
# dotted quad that is later followed by " RC4-SHA" - TODO confirm this is the
# client address in the log format in use.
id=12951
name=This Apache webserver has received an RC4-SHA request.
match=TP
match=HTTP
match= HTTP/1
match= RC4-SHA "
regex=([0-9]+(\.[0-9]+){3}) .* RC4-SHA
log=event:Apache-SHA_Connection srcip:$1 type:web-access

NEXT

id=12952
name=This Apache webserver has received a DES-CBC3-SHA request.
match=TP
match=HTTP
match= HTTP/1
match=DES-CBC3-SHA "
regex=([0-9]+(\.[0-9]+){3}) .*DES-CBC3-SHA
log=event:Apache-SHA_Connection srcip:$1 type:web-access

NEXT

id=12953
name=This Apache web server logged a 200 HEAD event.
match="HEAD /
match=HEAD
match=AD
match=TP
match= HTTP/1.
match=HTTP
match=" 200 -
regex=.*=([0-9]+(\.[0-9]+){3}).*=([0-9]+(\.[0-9]+){3})
log=type:web-access event:Apache-200_Head srcip:$1 dstip:$3 proto:6

NEXT

id=12954
name=This Apache webserver encountered an error reading the headers.
match=ent
match=client
match=rr
match= [error] [client
match=ail
match=est
match=ed
match=] request failed: error reading the headers
match=request
regex=client ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\]
log=type:web-error event:Apache-Error_Reading_Headers srcip:$1 proto:6

NEXT

id=12955
name=This Apache webserver logged an OPTIONS request.
match= - [
match=] "OPTIONS
match=HTTP/
match=200
match=OP
match=TI
match=NS
match=ON
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([A-Za-z0-9._-]+)\:([0-9]+) - \[
log=type:web-access event:Apache-Options proto:6 srcip:$1 dstip:$2 dstport:$3

NEXT

id=12956
name=This Apache webserver logged a PROPFIND request.
match= - [
match=] "PROPFIND /
match=HTTP/
match=200
match=PR
match=OP
match=FI
match=ND
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([A-Za-z0-9._-]+)\:([0-9]+) - \[
log=type:web-access event:Apache-Propfind proto:6 srcip:$1 dstip:$2 dstport:$3

NEXT

id=12957
name=This Apache webserver logged a SEARCH request.
match= - [
match=] "SEARCH /
match=HTTP/
match=200
match=SE
match=AR
match=CH
match=EA
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([A-Za-z0-9._-]+)\:([0-9]+) - \[
log=type:web-access event:Apache-Valid_Web_Search proto:6 srcip:$1 dstip:$2 dstport:$3

NEXT

# The regex expects lines of the form
#   <client ip> <server ip>:<port> <user> [<timestamp> ... <2xx status>
# and match=! - [ skips lines containing " - [", i.e. those whose user field
# is "-". Presumably this rule therefore only fires for requests that carry a
# logged user name - confirm against the LogFormat in use.
# NOTE(review): the user capture is limited to 1-12 non-space characters. A
# longer user name fails the regex, so such requests would not yield this
# event with a user: field; check whether that cap is intentional.
id=12958
name=The Apache web server encountered a valid web query which returned a valid code in the 200 range.
match=! - [
match=] "GET
match=GET
match=TP
match=HTTP
match= HTTP/1.
match=" 2
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) ([^ ]{1,12}) \[.* (2[0-9][0-9])
log=event:Apache-Valid_Web_GET_Request srcip:$1 dstip:$2 dstport:$3 type:web-access user:$4

NEXT

# NOTE(review): the log= line sets type: twice (web-error first, web-access
# later). Which value LCE keeps is not evident from this file; keep only the
# intended one so that type-based filters behave predictably.
# The regex expects <client ip> <server ip>:<port> <user> [ ... <4xx status>,
# and the user capture is limited to 1-12 non-space characters, so requests
# with longer user names do not match. Lines containing "cgi-bin" are
# excluded by match=!cgi-bin.
id=12959
name=The Apache web server encountered an invalid web request which returned an Apache error code in the 400 range.
match=! - [
match=] "GET
match=GET
match=TP
match= HTTP/1.
match=HTTP
match=" 4
match=!cgi-bin
regex=^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+) ([^ ]{1,12}) \[.* (4[0-9][0-9])
log=type:web-error event:Apache-GET_Client_Request_Error proto:6 srcip:$1 dstip:$2 dstport:$3 type:web-access user:$4
~