# THUNDER PRM LIBRARY
# Copyright 2007 Tenable Network Security
# This library may only be used with the Thunder (LCE) server and may not
# be used with other products or open source projects
#
# NAME:
# NCSA Common Access Log Format Library
#
# DESCRIPTION:
#
# These signatures match log lines written in NCSA common access log format.

# Almost all well-known web servers and proxies support logging in NCSA
# common access log format. For LCE to process these logs correctly,
# configure your web server or proxy to log in NCSA common access log format.

# LAST UPDATE: $Date$

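# NCSA common log format: remotehost rfc931 authuser [date] "request" status bytes
#
# The regexes below take srcip from a dotted-decimal IPv4 remotehost and expect
# the rfc931 field to be a literal "-". Lines that log a hostname or an IPv6
# address as remotehost, or a real ident value, will not be normalized.
# Behind a reverse proxy or load balancer, remotehost (and therefore srcip) is
# the proxy's address unless the server is configured to log the client address.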


# GET answered with 200 (OK) -> web-access / Web_GET_OK; srcip = capture 1.
# The status is found by substring (`" 200`) and by an unanchored regex with a
# greedy `.*`, so quoted request text that itself contains `" 200 <digits>` can
# satisfy this rule even when the real status field differs.
# The `!` line skips every line containing /sc3/console.php?psid=104 HTTP/1.1"
# whoever sent it; rule 4040 also rejects `" 200`, so such lines get no event
# from the rules visible here. NOTE(review): presumably console polling noise -
# confirm the blind spot is intended.
id=4000
name=This NCSA common access log format indicates a valid GET request.
match=] "GET 
match=" 200
match=200
match=TP
match= HTTP/1.
match=HTTP
match= - 
match=!/sc3/console.php?psid=104 HTTP/1.1"
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 200 [0-9]+
log=type:web-access event:Web_GET_OK srcip:$1

NEXT

# GET + 202 (Accepted) -> web-access / Web_GET_Accepted; srcip = capture 1.
# Capture 2 (the bracketed timestamp field) is not referenced by log=.
id=4001
name=This NCSA common access log format indicates an accepted GET request.
match=] "GET 
match=GET
match=" 202
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 202 [0-9]+
log=type:web-access event:Web_GET_Accepted srcip:$1

NEXT

# GET + 203 -> web-access / Web_GET_PartialInfo; srcip = capture 1.
# In current HTTP, 203 is "Non-Authoritative Information".
id=4002
name=This NCSA common access log format indicates a partial info GET request.
match=] "GET 
match=GET
match=" 203
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 203 [0-9]+
log=type:web-access event:Web_GET_PartialInfo srcip:$1

NEXT

# GET + 204 -> web-access / Web_GET_NoResponse; srcip = capture 1.
# In current HTTP, 204 is "No Content": the server did answer, with an empty
# body, so this event does not mean the request went unanswered.
id=4003
name=This NCSA common access log format indicates that a GET request got no response.
match=] "GET 
match=GET
match=" 204
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 204 [0-9]+
log=type:web-access event:Web_GET_NoResponse srcip:$1

NEXT

# GET + 400 (Bad Request) -> web-error / Web_GET_BadRequest; srcip = capture 1.
# Capture 2 (the bracketed timestamp field) is not referenced by log=.
id=4004
name=This NCSA common access log format indicates that there was a bad GET request.
match=] "GET 
match=GET
match=" 400
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 400 [0-9]+
log=type:web-error event:Web_GET_BadRequest srcip:$1

NEXT

# GET + 401 (Unauthorized) -> web-error / Web_GET_UnauthorizedRequest.
# srcip = capture 1. The authuser field is consumed by `[^ ]+` but not
# captured, so the attempted user name is not carried into the event.
id=4005
name=This NCSA common access log format indicates there was an unauthorized GET request.
match=] "GET 
match=GET
match=" 401
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 401 [0-9]+
log=type:web-error event:Web_GET_UnauthorizedRequest srcip:$1

NEXT

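# GET + 402 (Payment Required) -> web-error / Web_GET_PaymentRequired.
# srcip = capture 1; capture 2 (the bracketed timestamp) is not used by log=.
# Typed web-error to agree with the POST (4019) and HEAD (4032) 402 rules and
# with the other 4xx GET rules; it was previously the only 402 rule emitted as
# web-access, which kept it out of web-error views.
id=4006
name=This NCSA common access log format indicates there was a payment required GET request. 
match=] "GET 
match=GET
match=" 402
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 402 [0-9]+
log=type:web-error event:Web_GET_PaymentRequired srcip:$1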

NEXT

# GET + 403 (Forbidden) -> web-error / Web_GET_Forbidden; srcip = capture 1.
# Capture 2 (the bracketed timestamp field) is not referenced by log=.
id=4007
name=This NCSA common access log format indicates there was a forbidden GET request.
match=] "GET 
match=GET
match=" 403
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 403 [0-9]+
log=type:web-error event:Web_GET_Forbidden srcip:$1

NEXT

# GET + 404 (Not Found) -> web-error / Web_GET_PageNotFound; srcip = capture 1.
# `match=!cgi-bin` rejects any line containing "cgi-bin" anywhere (path or any
# other field). Rule 4040 also rejects `" 404`, so a GET 404 that mentions
# cgi-bin gets no event from the rules visible here.
# NOTE(review): presumably a separate library handles CGI probes - confirm,
# otherwise these requests go unrecorded.
id=4008
name=This NCSA common access log format indicates that the GET request was not found.
match=] "GET 
match=GET
match=" 404
match=TP
match= HTTP/1.
match=HTTP
match= -
match=!cgi-bin
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 404 [0-9]+
log=type:web-error event:Web_GET_PageNotFound srcip:$1

NEXT

# GET + 500 (Internal Server Error) -> web-error / Web_GET_ServerError.
# srcip = capture 1; capture 2 (the bracketed timestamp) is not used by log=.
id=4009
name=This NCSA common access log format indicates that the server had an error while processing this GET request.
match=] "GET 
match=GET
match=" 500
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 500 [0-9]+
log=type:web-error event:Web_GET_ServerError srcip:$1

NEXT

# GET + 501 (Not Implemented) -> web-error / Web_GET_ServerErrorNotImplemented.
# The 501 describes the requested functionality, not the log format as the
# name= text might suggest. srcip = capture 1.
id=4010
name=This NCSA common access log is not implemented on this server. 
match=] "GET 
match=GET
match=" 501
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 501 [0-9]+
log=type:web-error event:Web_GET_ServerErrorNotImplemented srcip:$1

NEXT

# GET + 502 -> web-access / Web_GET_ServerOverload; srcip = capture 1.
# In current HTTP, 502 is "Bad Gateway".
# NOTE(review): emitted as web-access although 500 and 501 are web-error, so
# web-error views will not show it - confirm this is intended.
id=4011
name=This NCSA common access log indicates that the server is overloaded.
match=] "GET 
match=GET
match=" 502
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 502 [0-9]+
log=type:web-access event:Web_GET_ServerOverload srcip:$1

NEXT

# GET + 503 -> web-access / Web_GET_GTWY_Timeout; srcip = capture 1.
# In current HTTP, 503 is "Service Unavailable"; Gateway Timeout is 504, which
# has no dedicated rule here and falls through to Web_GET_Misc (4040).
# NOTE(review): emitted as web-access although 500 and 501 are web-error -
# confirm this is intended.
id=4012
name=This NCSA common access log indicates that the web gateway has experienced a timeout.
match=] "GET 
match=GET
match=" 503
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 503 [0-9]+
log=type:web-access event:Web_GET_GTWY_Timeout srcip:$1

NEXT

# POST + 200 (OK) -> web-access / Web_POST_OK; srcip = capture 1.
# The status is found by substring (`" 200`) and an unanchored regex with a
# greedy `.*`, so quoted request text containing `" 200 <digits>` can satisfy
# this rule even when the real status field differs.
id=4013
name=This NCSA common access log format indicates a normal POST has occurred. 
match=] "POST 
match=ST
match=" 200
match=200
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 200 [0-9]+
log=type:web-access event:Web_POST_OK srcip:$1

NEXT

# POST + 202 (Accepted) -> web-access / Web_POST_Accepted; srcip = capture 1.
# Capture 2 (the bracketed timestamp field) is not referenced by log=.
id=4014
name=This NCSA common access log format indicates a web POST was accepted.
match=] "POST 
match=POST
match=ST
match=" 202
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 202 [0-9]+
log=type:web-access event:Web_POST_Accepted srcip:$1

NEXT

# POST + 203 -> web-access / Web_POST_PartialInfo; srcip = capture 1.
# In current HTTP, 203 is "Non-Authoritative Information".
id=4015
name=This NCSA common access log format indicates that a web POST occurred with partial info.
match=] "POST 
match=POST
match=ST
match=" 203
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 203 [0-9]+
log=type:web-access event:Web_POST_PartialInfo srcip:$1

NEXT

# POST + 204 -> web-access / Web_POST_NoResponse; srcip = capture 1.
# In current HTTP, 204 is "No Content": the server did answer, with an empty
# body, so this event does not mean the POST went unanswered.
id=4016
name=This NCSA common access log format indicates that a POST occurred with no response.
match=] "POST 
match=POST
match=ST
match=" 204
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 204 [0-9]+
log=type:web-access event:Web_POST_NoResponse srcip:$1

NEXT

# POST + 400 (Bad Request) -> web-error / Web_POST_BadRequest; srcip = capture 1.
# Capture 2 (the bracketed timestamp field) is not referenced by log=.
id=4017
name=This NCSA common access log format indicates that a POST occurred with a bad request. 
match=] "POST 
match=POST
match=ST
match=" 400
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 400 [0-9]+
log=type:web-error event:Web_POST_BadRequest srcip:$1

NEXT

# POST + 401 (Unauthorized) -> web-error / Web_POST_UnauthorizedRequest.
# srcip = capture 1. The authuser field is consumed by `[^ ]+` but not
# captured, so the attempted user name is not carried into the event.
id=4018
name=This NCSA common access log format indicates that an unauthorized POST occurred.
match=] "POST 
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match=" 401
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 401 [0-9]+
log=type:web-error event:Web_POST_UnauthorizedRequest srcip:$1

NEXT

# POST + 402 (Payment Required) -> web-error / Web_POST_PaymentRequired.
# srcip = capture 1; capture 2 (the bracketed timestamp) is not used by log=.
id=4019
name=This NCSA common access log format indicates that a POST type of "payment required" occurred.
match=] "POST 
match=POST
match=ST
match=" 402
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 402 [0-9]+
log=type:web-error event:Web_POST_PaymentRequired srcip:$1

NEXT

# POST + 403 (Forbidden) -> web-error / Web_POST_Forbidden; srcip = capture 1.
# Capture 2 (the bracketed timestamp field) is not referenced by log=.
id=4020
name=This NCSA common access log format indicates a web POST was forbidden.
match=] "POST 
match=ST
match=POST
match=" 403
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 403 [0-9]+
log=type:web-error event:Web_POST_Forbidden srcip:$1

NEXT

# POST + 404 (Not Found) -> web-error / Web_POST_PageNotFound; srcip = capture 1.
# Unlike the GET 404 rule (4008), this rule has no cgi-bin exclusion.
id=4021
name=This NCSA common access log format indicates a POST request returned a "not found" status.
match=] "POST 
match=POST
match=ST
match=" 404
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 404 [0-9]+
log=type:web-error event:Web_POST_PageNotFound srcip:$1

NEXT

# POST + 500 (Internal Server Error) -> web-error / Web_POST_ServerError.
# srcip = capture 1; capture 2 (the bracketed timestamp) is not used by log=.
id=4022
name=This NCSA common access log format indicates a web POST caused a server error.
match=] "POST 
match=POST
match=ST
match=" 500
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 500 [0-9]+
log=type:web-error event:Web_POST_ServerError srcip:$1

NEXT

# POST + 501 (Not Implemented) -> web-error / Web_POST_ServerErrorNotImplemented.
# The 501 describes the requested functionality, not the log message as the
# name= text might suggest. srcip = capture 1.
id=4023
name=This NCSA common access log message is not implemented on this server. 
match=] "POST 
match=POST
match=ST
match=" 501
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 501 [0-9]+
log=type:web-error event:Web_POST_ServerErrorNotImplemented srcip:$1

NEXT

# POST + 502 -> web-access / Web_POST_ServerOverload; srcip = capture 1.
# In current HTTP, 502 is "Bad Gateway".
# NOTE(review): emitted as web-access although 500 and 501 are web-error, so
# web-error views will not show it - confirm this is intended.
id=4024
name=This NCSA common access log indicated that the server responded to a POST with an overloaded message.
match=] "POST 
match=POST
match=ST
match=" 502
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 502 [0-9]+
log=type:web-access event:Web_POST_ServerOverload srcip:$1

NEXT

# POST + 503 -> web-access / Web_POST_GTWY_Timeout; srcip = capture 1.
# In current HTTP, 503 is "Service Unavailable"; Gateway Timeout is 504, which
# has no dedicated rule here and falls through to Web_POST_Misc (4041).
# NOTE(review): emitted as web-access although 500 and 501 are web-error -
# confirm this is intended.
id=4025
name=This NCSA common access log indicated the web server experienced a timeout from the gateway in response to a POST. 
match=] "POST 
match=POST
match=ST
match=" 503
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 503 [0-9]+
log=type:web-access event:Web_POST_GTWY_Timeout srcip:$1

NEXT

# HEAD + 200 (OK) -> web-access / Web_HEAD_OK; srcip = capture 1.
# The status is found by substring (`" 200`) and an unanchored regex with a
# greedy `.*`, so quoted request text containing `" 200 <digits>` can satisfy
# this rule even when the real status field differs.
id=4026
name=This NCSA common access log format indicates that a web HEAD request occurred normally. 
match=] "HEAD 
match=" 200
match=200
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 200 [0-9]+
log=type:web-access event:Web_HEAD_OK srcip:$1

NEXT

# HEAD + 202 (Accepted) -> web-access / Web_HEAD_Accepted; srcip = capture 1.
# Capture 2 (the bracketed timestamp field) is not referenced by log=.
id=4027
name=This NCSA common access log format indicates that a web HEAD request was accepted.
match=] "HEAD 
match=" 202
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 202 [0-9]+
log=type:web-access event:Web_HEAD_Accepted srcip:$1

NEXT

# HEAD + 203 -> web-access / Web_HEAD_PartialInfo; srcip = capture 1.
# In current HTTP, 203 is "Non-Authoritative Information".
id=4028
name=This NCSA common access log format indicates that a partial HEAD request occurred.
match=] "HEAD 
match=" 203
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 203 [0-9]+
log=type:web-access event:Web_HEAD_PartialInfo srcip:$1

NEXT

# HEAD + 204 -> web-access / Web_HEAD_NoResponse; srcip = capture 1.
# In current HTTP, 204 is "No Content": the server did answer, so this event
# does not mean the request went unanswered.
id=4029
name=This NCSA common access log format indicates that a web HEAD request received no response.
match=] "HEAD 
match=" 204
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 204 [0-9]+
log=type:web-access event:Web_HEAD_NoResponse srcip:$1

NEXT

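# HEAD + 400 (Bad Request) -> web-error / Web_HEAD_BadRequest; srcip = capture 1.
# Capture 2 (the bracketed timestamp field) is not referenced by log=.
# Typed web-error to agree with the GET (4004) and POST (4017) 400 rules; it
# was previously emitted as web-access, which kept malformed HEAD requests out
# of web-error views.
id=4030
name=This NCSA common access log format indicates that a bad HEAD request occurred.
match=] "HEAD 
match=" 400
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 400 [0-9]+
log=type:web-error event:Web_HEAD_BadRequest srcip:$1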

NEXT

# HEAD + 401 (Unauthorized) -> web-error / Web_HEAD_UnauthorizedRequest.
# srcip = capture 1. The authuser field is consumed by `[^ ]+` but not
# captured, so the attempted user name is not carried into the event.
id=4031
name=This NCSA common access log format indicates that an unauthorized HEAD request occurred.
match=] "HEAD 
match=" 401
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 401 [0-9]+
log=type:web-error event:Web_HEAD_UnauthorizedRequest srcip:$1

NEXT

# HEAD + 402 (Payment Required) -> web-error / Web_HEAD_PaymentRequired.
# srcip = capture 1; capture 2 (the bracketed timestamp) is not used by log=.
id=4032
name=This NCSA common access log format indicates that a HEAD request returned a "payment required" status. 
match=] "HEAD 
match=" 402
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 402 [0-9]+
log=type:web-error event:Web_HEAD_PaymentRequired srcip:$1

NEXT

# HEAD + 403 (Forbidden) -> web-error / Web_HEAD_Forbidden; srcip = capture 1.
# Capture 2 (the bracketed timestamp field) is not referenced by log=.
id=4033
name=This NCSA common access log format indicates a forbidden HEAD request occurred.
match=] "HEAD 
match=" 403
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 403 [0-9]+
log=type:web-error event:Web_HEAD_Forbidden srcip:$1

NEXT

# HEAD + 404 (Not Found) -> web-error / Web_HEAD_PageNotFound; srcip = capture 1.
# Unlike the GET 404 rule (4008), this rule has no cgi-bin exclusion.
id=4034
name=This NCSA common access log format indicates that a response to a web HEAD request was "Not found"
match=] "HEAD 
match=" 404
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 404 [0-9]+
log=type:web-error event:Web_HEAD_PageNotFound srcip:$1

NEXT

# HEAD + 500 (Internal Server Error) -> web-error / Web_HEAD_ServerError.
# srcip = capture 1; capture 2 (the bracketed timestamp) is not used by log=.
id=4035
name=This NCSA common access log format indicates that the web server experienced an error while processing a HEAD request.
match=] "HEAD 
match=" 500
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 500 [0-9]+
log=type:web-error event:Web_HEAD_ServerError srcip:$1

NEXT

# HEAD + 501 (Not Implemented) -> web-error / Web_HEAD_ServerErrorNotImplemented.
# The 501 describes the requested functionality, not the log itself as the
# name= text might suggest. srcip = capture 1.
id=4036
name=This NCSA common access log was not implemented by this server for a web HEAD request. 
match=] "HEAD 
match=" 501
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 501 [0-9]+
log=type:web-error event:Web_HEAD_ServerErrorNotImplemented srcip:$1

NEXT

# HEAD + 502 -> web-access / Web_HEAD_ServerOverload; srcip = capture 1.
# In current HTTP, 502 is "Bad Gateway".
# NOTE(review): emitted as web-access although 500 and 501 are web-error, so
# web-error views will not show it - confirm this is intended.
id=4037
name=This NCSA common access log indicates that the server responded with an "overloaded" message after processing this HEAD request.
match=] "HEAD 
match=" 502
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 502 [0-9]+
log=type:web-access event:Web_HEAD_ServerOverload srcip:$1

NEXT

# HEAD + 503 -> web-access / Web_HEAD_GTWY_Timeout; srcip = capture 1.
# In current HTTP, 503 is "Service Unavailable"; Gateway Timeout is 504, which
# has no dedicated rule here and falls through to Web_HEAD_Misc (4042).
# NOTE(review): emitted as web-access although 500 and 501 are web-error -
# confirm this is intended.
id=4038
name=This NCSA common access log indicates that the web server reported a gateway timeout while processing a HEAD request. 
match=] "HEAD 
match=" 503
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 503 [0-9]+
log=type:web-access event:Web_HEAD_GTWY_Timeout srcip:$1

NEXT

# POST + 201 (Created) -> web-access / Web_POST_Created; srcip = capture 1.
# A 201 means the POST created a resource on the server. It is the only 201
# rule visible here; GET 201 falls through to Web_GET_Misc (4040).
id=4039
name=This NCSA common access log indicates that the web server created a POST message.
match=] "POST 
match=POST
match=ST
match=" 201
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 201 [0-9]+
log=type:web-access event:Web_POST_Created srcip:$1

NEXT

# Catch-all for GET lines whose status has no dedicated rule (for example 201,
# every 3xx, 405, 504) -> web-access / Web_GET_Misc; srcip = capture 1.
# Each `!` line rejects the whole log line if that substring appears anywhere,
# not only in the status field, so a line with another status that merely
# contains e.g. `" 404` in its request text is dropped by this rule too.
# NOTE(review): these exclusions have no trailing space, while the POST and
# HEAD catch-alls (4041, 4042) use `" 200 ` with one - confirm which is meant.
# The event carries no status code, so 3xx and unusual 4xx/5xx responses are
# indistinguishable downstream.
id=4040
name=This NCSA common access log indicates that a generic GET request occurred. 
match=] "GET 
match=GET
match= - 
match=TP
match= HTTP/1.
match=HTTP
match=!" 200
match=!" 202
match=!" 203
match=!" 204
match=!" 400
match=!" 401
match=!" 402
match=!" 403
match=!" 404
match=!" 500
match=!" 501
match=!" 502
match=!" 503
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" [0-9]+ [0-9]+
log=type:web-access event:Web_GET_Misc srcip:$1

NEXT

# Catch-all for POST lines whose status has no dedicated rule (for example
# every 3xx, 405, 504) -> web-access / Web_POST_Misc; srcip = capture 1.
# Each `!` line rejects the whole log line if that substring appears anywhere,
# not only in the status field. The exclusions end in a space, so they only
# fire when the status-like text is followed by a space.
# The event carries no status code, so the statuses that land here are
# indistinguishable downstream.
id=4041
name=This NCSA common access log indicates that a generic POST request occurred. 
match=] "POST 
match=POST
match=ST
match=TP
match=HTTP
match= HTTP/1.
match= - 
match=!" 200 
match=!" 201 
match=!" 202 
match=!" 203 
match=!" 204 
match=!" 400 
match=!" 401 
match=!" 402 
match=!" 403 
match=!" 404 
match=!" 500 
match=!" 501 
match=!" 502 
match=!" 503 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" [0-9]+ [0-9]+
log=type:web-access event:Web_POST_Misc srcip:$1

NEXT

# Catch-all for HEAD lines whose status has no dedicated rule (for example
# every 3xx, 405, 504) -> web-access / Web_HEAD_Misc; srcip = capture 1.
# Each `!` line rejects the whole log line if that substring appears anywhere,
# not only in the status field.
# NOTE(review): `" 201 ` is excluded here, but no HEAD 201 rule is visible in
# this library, so a HEAD answered with 201 would get no event at all - confirm
# whether the exclusion was copied from the POST catch-all (4041).
id=4042
name=This NCSA common access log indicates that a generic HEAD request occurred. 
match=] "HEAD 
match=TP
match= HTTP/1.
match=HTTP
match= - 
match=!" 200 
match=!" 201 
match=!" 202 
match=!" 203 
match=!" 204 
match=!" 400 
match=!" 401 
match=!" 402 
match=!" 403 
match=!" 404 
match=!" 500 
match=!" 501 
match=!" 502 
match=!" 503 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" [0-9]+ [0-9]+
log=type:web-access event:Web_HEAD_Misc srcip:$1

NEXT

# CONNECT + 407 (Proxy Authentication Required) -> web-access /
# Web_CONNECT_407; srcip = capture 1.
# The regex stops at `"CONNECT`, so the status is checked only by the `" 407`
# substring, which may appear anywhere in the line. The CONNECT target
# (host:port) is not captured, so the event does not say where the tunnel was
# headed.
id=4043
name=This NCSA common access log indicates a 407 web connection has occurred.
match="CONNECT
match=TP
match=HTTP
match= HTTP/1.
match= - 
match=" 407
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "CONNECT
log=type:web-access event:Web_CONNECT_407 srcip:$1

NEXT

# CONNECT + 200 (tunnel established) -> web-access / Web_CONNECT_200;
# srcip = capture 1.
# The regex stops at `"CONNECT`, so the status is checked only by the `" 200`
# substring, which may appear anywhere in the line. The CONNECT target
# (host:port) is not captured, so the event does not say where the tunnel was
# opened to.
# No catch-all CONNECT rule is visible here: statuses other than 200, 403 and
# 407 produce no event.
id=4044
name=This NCSA common access log indicates a 200 web connection has occurred.
match="CONNECT
match=TP
match= HTTP/1.
match=HTTP
match= - 
match=" 200
match=200
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "CONNECT
log=type:web-access event:Web_CONNECT_200 srcip:$1

NEXT

# CONNECT + 403 (Forbidden) -> web-access / Web_CONNECT_403; srcip = capture 1.
# The regex stops at `"CONNECT`, so the status is checked only by the `" 403`
# substring, which may appear anywhere in the line.
# NOTE(review): the GET/POST/HEAD 403 rules emit web-error, while this refused
# tunnel is emitted as web-access - confirm this is intended.
id=4045
name=This NCSA common access log indicates a 403 web connection has occurred.
match="CONNECT
match=TP
match=HTTP
match= HTTP/1.
match= - 
match=" 403
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "CONNECT
log=type:web-access event:Web_CONNECT_403 srcip:$1

NEXT

# PUT + 200 -> web-access / Web_PUT_Accepted; srcip = capture 1.
# NOTE(review): `] PUT` and the regex expect an unquoted request, unlike every
# other rule here and the documented format ([date] "request" status bytes).
# A standard NCSA line contains `] "PUT `, which this rule does not match, and
# no other PUT rule is visible - confirm which log source this was written
# for, otherwise PUT requests (uploads) go unrecorded.
# ` 200` has no leading quote, so it can also match inside the request text or
# the byte count. The name= text says "accepted" although the status is 200,
# not 202.
id=4046
name=This NCSA common access log format indicates that a web PUT request was accepted.
match=] PUT
match= 200
match=TP
match= HTTP/1.
match=HTTP
match= - 
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - .+\] PUT .* 200 [0-9]+
log=type:web-access event:Web_PUT_Accepted srcip:$1