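# THUNDER PRM LIBRARY
# Copyright 2007 Tenable Network Security
# This library may only be used with the Thunder (LCE) server and may not
# be used with other products or open source projects
#
# NAME:
# NCSA Common Access Log Format Library
#
# DESCRIPTION:
#
# These signatures look for logs that are logged in NCSA common access
# log format.
# Almost all well known web servers, proxies include support for logging in
# NCSA common access log format. In order for LCE to process these logs
# correctly please configure your Web server or Proxy to log in NCSA common
# access log format.
# LAST UPDATE: $Date$
#
# NCSA common log format : remotehost rfc931 authuser [date] "request" status bytes
#
# Rule layout (one directive per line, records separated by NEXT):
#   id=      numeric rule id
#   name=    human readable description shown with the event
#   match=   literal substring that must be present in the log line
#   match=!  literal substring that must NOT be present in the log line
#   regex=   applied after the match= prefilters; $1 (first capture group) is
#            the first dotted quad in the line and becomes srcip in the event
#   log=     event type, event name and fields to emit
#
# Caveats for anyone building detections or reports on these events:
#  - rfc931 must be logged as "-" (the "match= -" prefilter) and the client
#    address must be IPv4; an IPv6 remotehost never matches. The regex is not
#    anchored at the start of the line, so srcip is the FIRST dotted quad
#    anywhere in the line: if a syslog header or a proxy prefix carries an
#    address, that is what gets reported instead of the web client. Verify
#    srcip against a known client before trusting it in correlation rules.
#  - The bytes field accepts digits or "-" ([0-9-]+). Apache's %b writes "-"
#    rather than 0 in CLF when no body is sent (typical for 204 and for HEAD
#    responses), so a digits-only pattern silently misses those lines.
#  - The request line is attacker controlled and the ".*" in each regex is
#    not confined to it. A request URI that itself contains the text
#    `" 200 123` can satisfy a 200 rule whatever the real status, and the
#    match=! exclusions of the *_Misc rules can be tripped the same way.
#    Treat these events as indicators, not as authoritative status accounting.
#  - Two hard-coded suppressions: id 4000 ignores 200 GETs whose request line
#    contains /sc3/console.php?psid=104 and id 4008 ignores 404 GETs that
#    contain cgi-bin. Neither falls through to the *_Misc rules, so those
#    lines produce no event from this library. Confirm that another PRM
#    library covers cgi-bin probes, otherwise scanner 404s go unrecorded.
#  - Only GET, POST, HEAD, CONNECT and PUT/200 are covered. PUT/201, DELETE,
#    OPTIONS, TRACE and requests without a " HTTP/1." token (HTTP/0.9)
#    produce no event here.
#  - type:web-access vs type:web-error is not applied uniformly (402, HEAD 400,
#    502 and 503 differ between methods). Left untouched so existing filters
#    keep working; normalise it deliberately together with downstream
#    consumers if the distinction matters to you.
#  - Event names are stable identifiers used by correlation rules and reports
#    and are kept even where they misname the status (502 is Bad Gateway, not
#    an overload; 503 is Service Unavailable, not a gateway timeout). Only the
#    human readable name= text has been corrected for those rules.

# ---------------------------------------------------------------------------
# GET requests, one rule per status the library distinguishes.
# ---------------------------------------------------------------------------

# 200 OK. The match=! line drops what is presumably the Security Center 3
# console poll so it does not flood Web_GET_OK; such lines are not picked up
# by id 4040 either, so they are simply not counted.
id=4000
name=This NCSA common access log format indicates a valid GET request.
match=] "GET
match=" 200
match=200
match=TP
match= HTTP/1.
match=HTTP
match= -
match=!/sc3/console.php?psid=104 HTTP/1.1"
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 200 [0-9-]+
log=type:web-access event:Web_GET_OK srcip:$1
NEXT

# 202 Accepted.
id=4001
name=This NCSA common access log format indicates an accepted GET request.
match=] "GET
match=GET
match=" 202
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 202 [0-9-]+
log=type:web-access event:Web_GET_Accepted srcip:$1
NEXT

# 203 Non-Authoritative Information (the event name says "PartialInfo";
# 206 Partial Content is NOT covered by any rule in this library).
id=4002
name=This NCSA common access log format indicates a partial info GET request.
match=] "GET
match=GET
match=" 203
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 203 [0-9-]+
log=type:web-access event:Web_GET_PartialInfo srcip:$1
NEXT

# 204 No Content. Bytes are usually logged as "-" here, hence [0-9-]+.
id=4003
name=This NCSA common access log format indicates that a GET request got no response.
match=] "GET
match=GET
match=" 204
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 204 [0-9-]+
log=type:web-access event:Web_GET_NoResponse srcip:$1
NEXT

# 400 Bad Request.
id=4004
name=This NCSA common access log format indicates that there was a bad GET request.
match=] "GET
match=GET
match=" 400
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 400 [0-9-]+
log=type:web-error event:Web_GET_BadRequest srcip:$1
NEXT

# 401 Unauthorized. Bursts of these from one srcip are a cheap brute-force
# indicator; the authuser field ([^ ]+) is matched but not extracted.
id=4005
name=This NCSA common access log format indicates there was an unauthorized GET request.
match=] "GET
match=GET
match=" 401
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 401 [0-9-]+
log=type:web-error event:Web_GET_UnauthorizedRequest srcip:$1
NEXT

# 402 Payment Required. Note: typed web-access here, web-error for POST/HEAD.
id=4006
name=This NCSA common access log format indicates there was a payment required GET request.
match=] "GET
match=GET
match=" 402
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 402 [0-9-]+
log=type:web-access event:Web_GET_PaymentRequired srcip:$1
NEXT

# 403 Forbidden.
id=4007
name=This NCSA common access log format indicates there was a forbidden GET request.
match=] "GET
match=GET
match=" 403
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 403 [0-9-]+
log=type:web-error event:Web_GET_Forbidden srcip:$1
NEXT

# 404 Not Found. Lines containing "cgi-bin" anywhere are deliberately
# excluded (match=!cgi-bin) and are not caught by id 4040 either - make sure
# another library handles cgi-bin scanning or those probes are invisible.
id=4008
name=This NCSA common access log format indicates that the GET request was not found.
match=] "GET
match=GET
match=" 404
match=TP
match= HTTP/1.
match=HTTP
match= -
match=!cgi-bin
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 404 [0-9-]+
log=type:web-error event:Web_GET_PageNotFound srcip:$1
NEXT

# 500 Internal Server Error.
id=4009
name=This NCSA common access log format indicates that the server had an error while processing this GET request.
match=] "GET
match=GET
match=" 500
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 500 [0-9-]+
log=type:web-error event:Web_GET_ServerError srcip:$1
NEXT

# 501 Not Implemented (description corrected; the old text said the log
# format itself was not implemented).
id=4010
name=This NCSA common access log format indicates the server answered a GET request with 501 Not Implemented.
match=] "GET
match=GET
match=" 501
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 501 [0-9-]+
log=type:web-error event:Web_GET_ServerErrorNotImplemented srcip:$1
NEXT

# 502 Bad Gateway. Event name (ServerOverload) kept for compatibility.
id=4011
name=This NCSA common access log format indicates the server answered a GET request with 502 Bad Gateway.
match=] "GET
match=GET
match=" 502
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 502 [0-9-]+
log=type:web-access event:Web_GET_ServerOverload srcip:$1
NEXT

# 503 Service Unavailable. Event name (GTWY_Timeout) kept for compatibility;
# a real 504 Gateway Timeout is not covered and lands in Web_GET_Misc.
id=4012
name=This NCSA common access log format indicates the server answered a GET request with 503 Service Unavailable.
match=] "GET
match=GET
match=" 503
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" 503 [0-9-]+
log=type:web-access event:Web_GET_GTWY_Timeout srcip:$1
NEXT

# ---------------------------------------------------------------------------
# POST requests.
# ---------------------------------------------------------------------------

# 200 OK.
id=4013
name=This NCSA common access log format indicates a normal POST has occurred.
match=] "POST
match=ST
match=" 200
match=200
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 200 [0-9-]+
log=type:web-access event:Web_POST_OK srcip:$1
NEXT

# 202 Accepted.
id=4014
name=This NCSA common access log format indicates a web POST was accepted.
match=] "POST
match=POST
match=ST
match=" 202
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 202 [0-9-]+
log=type:web-access event:Web_POST_Accepted srcip:$1
NEXT

# 203 Non-Authoritative Information.
id=4015
name=This NCSA common access log format indicates that a web POST occurred with partial info.
match=] "POST
match=POST
match=ST
match=" 203
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 203 [0-9-]+
log=type:web-access event:Web_POST_PartialInfo srcip:$1
NEXT

# 204 No Content.
id=4016
name=This NCSA common access log format indicates that a POST occurred with no response.
match=] "POST
match=POST
match=ST
match=" 204
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 204 [0-9-]+
log=type:web-access event:Web_POST_NoResponse srcip:$1
NEXT

# 400 Bad Request.
id=4017
name=This NCSA common access log format indicates that a POST occurred with a bad request.
match=] "POST
match=POST
match=ST
match=" 400
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 400 [0-9-]+
log=type:web-error event:Web_POST_BadRequest srcip:$1
NEXT

# 401 Unauthorized (the match= ordering differs from its siblings; harmless).
id=4018
name=This NCSA common access log format indicates that an unauthorized POST occurred.
match=] "POST
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match=" 401
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 401 [0-9-]+
log=type:web-error event:Web_POST_UnauthorizedRequest srcip:$1
NEXT

# 402 Payment Required.
id=4019
name=This NCSA common access log format indicates that a POST type of "payment required" occurred.
match=] "POST
match=POST
match=ST
match=" 402
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 402 [0-9-]+
log=type:web-error event:Web_POST_PaymentRequired srcip:$1
NEXT

# 403 Forbidden.
id=4020
name=This NCSA common access log format indicates a web POST was forbidden.
match=] "POST
match=ST
match=POST
match=" 403
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 403 [0-9-]+
log=type:web-error event:Web_POST_Forbidden srcip:$1
NEXT

# 404 Not Found. Unlike id 4008 there is no cgi-bin exclusion for POST.
id=4021
name=This NCSA common access log format indicates a POST request returned a "not found" status.
match=] "POST
match=POST
match=ST
match=" 404
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 404 [0-9-]+
log=type:web-error event:Web_POST_PageNotFound srcip:$1
NEXT

# 500 Internal Server Error. A POST that crashes a handler is a common
# symptom of injection or fuzzing attempts; worth correlating by srcip.
id=4022
name=This NCSA common access log format indicates a web POST caused a server error.
match=] "POST
match=POST
match=ST
match=" 500
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 500 [0-9-]+
log=type:web-error event:Web_POST_ServerError srcip:$1
NEXT

# 501 Not Implemented (description corrected).
id=4023
name=This NCSA common access log format indicates the server answered a POST request with 501 Not Implemented.
match=] "POST
match=POST
match=ST
match=" 501
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 501 [0-9-]+
log=type:web-error event:Web_POST_ServerErrorNotImplemented srcip:$1
NEXT

# 502 Bad Gateway. Event name kept for compatibility.
id=4024
name=This NCSA common access log format indicates the server answered a POST request with 502 Bad Gateway.
match=] "POST
match=POST
match=ST
match=" 502
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 502 [0-9-]+
log=type:web-access event:Web_POST_ServerOverload srcip:$1
NEXT

# 503 Service Unavailable. Event name kept for compatibility.
id=4025
name=This NCSA common access log format indicates the server answered a POST request with 503 Service Unavailable.
match=] "POST
match=POST
match=ST
match=" 503
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 503 [0-9-]+
log=type:web-access event:Web_POST_GTWY_Timeout srcip:$1
NEXT

# ---------------------------------------------------------------------------
# HEAD requests. HEAD responses carry no body, so bytes is frequently logged
# as "-"; the [0-9-]+ bytes pattern is what makes these rules fire at all on
# servers that do that.
# ---------------------------------------------------------------------------

# 200 OK.
id=4026
name=This NCSA common access log format indicates that a web HEAD request occurred normally.
match=] "HEAD
match=" 200
match=200
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 200 [0-9-]+
log=type:web-access event:Web_HEAD_OK srcip:$1
NEXT

# 202 Accepted.
id=4027
name=This NCSA common access log format indicates that a web HEAD request was accepted.
match=] "HEAD
match=" 202
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 202 [0-9-]+
log=type:web-access event:Web_HEAD_Accepted srcip:$1
NEXT

# 203 Non-Authoritative Information.
id=4028
name=This NCSA common access log format indicates that a partial HEAD request occurred.
match=] "HEAD
match=" 203
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 203 [0-9-]+
log=type:web-access event:Web_HEAD_PartialInfo srcip:$1
NEXT

# 204 No Content.
id=4029
name=This NCSA common access log format indicates that a web HEAD request received no response.
match=] "HEAD
match=" 204
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 204 [0-9-]+
log=type:web-access event:Web_HEAD_NoResponse srcip:$1
NEXT

# 400 Bad Request. Note: typed web-access here but web-error for GET/POST.
id=4030
name=This NCSA common access log format indicates that a bad HEAD request occurred.
match=] "HEAD
match=" 400
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 400 [0-9-]+
log=type:web-access event:Web_HEAD_BadRequest srcip:$1
NEXT

# 401 Unauthorized.
id=4031
name=This NCSA common access log format indicates that an unauthorized HEAD request occurred.
match=] "HEAD
match=" 401
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 401 [0-9-]+
log=type:web-error event:Web_HEAD_UnauthorizedRequest srcip:$1
NEXT

# 402 Payment Required.
id=4032
name=This NCSA common access log format indicates that a HEAD request returned a "payment required" status.
match=] "HEAD
match=" 402
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 402 [0-9-]+
log=type:web-error event:Web_HEAD_PaymentRequired srcip:$1
NEXT

# 403 Forbidden.
id=4033
name=This NCSA common access log format indicates a forbidden HEAD request occurred.
match=] "HEAD
match=" 403
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 403 [0-9-]+
log=type:web-error event:Web_HEAD_Forbidden srcip:$1
NEXT

# 404 Not Found. Scanners often HEAD for well-known paths; no cgi-bin
# exclusion applies to this rule.
id=4034
name=This NCSA common access log format indicates that a response to a web HEAD request was "Not found"
match=] "HEAD
match=" 404
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 404 [0-9-]+
log=type:web-error event:Web_HEAD_PageNotFound srcip:$1
NEXT

# 500 Internal Server Error.
id=4035
name=This NCSA common access log format indicates that the web server experienced an error while processing a HEAD request.
match=] "HEAD
match=" 500
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 500 [0-9-]+
log=type:web-error event:Web_HEAD_ServerError srcip:$1
NEXT

# 501 Not Implemented (description corrected).
id=4036
name=This NCSA common access log format indicates the server answered a HEAD request with 501 Not Implemented.
match=] "HEAD
match=" 501
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 501 [0-9-]+
log=type:web-error event:Web_HEAD_ServerErrorNotImplemented srcip:$1
NEXT

# 502 Bad Gateway. Event name kept for compatibility.
id=4037
name=This NCSA common access log format indicates the server answered a HEAD request with 502 Bad Gateway.
match=] "HEAD
match=" 502
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 502 [0-9-]+
log=type:web-access event:Web_HEAD_ServerOverload srcip:$1
NEXT

# 503 Service Unavailable. Event name kept for compatibility.
id=4038
name=This NCSA common access log format indicates the server answered a HEAD request with 503 Service Unavailable.
match=] "HEAD
match=" 503
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" 503 [0-9-]+
log=type:web-access event:Web_HEAD_GTWY_Timeout srcip:$1
NEXT

# ---------------------------------------------------------------------------
# Remaining POST status, catch-all rules, proxy CONNECT and PUT.
# ---------------------------------------------------------------------------

# 201 Created on POST. There is no 201 rule for GET or HEAD, nor for PUT,
# where 201 is the usual success code for an upload.
id=4039
name=This NCSA common access log indicates that the web server created a POST message.
match=] "POST
match=POST
match=ST
match=" 201
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" 201 [0-9-]+
log=type:web-access event:Web_POST_Created srcip:$1
NEXT

# Catch-all for GET with any status not handled above (redirects, 304, 405,
# 504...). Each match=! is a substring test on the whole line, so a request
# URI containing e.g. `" 200` keeps a line out of this rule too.
id=4040
name=This NCSA common access log indicates that a generic GET request occurred.
match=] "GET
match=GET
match= -
match=TP
match= HTTP/1.
match=HTTP
match=!" 200
match=!" 202
match=!" 203
match=!" 204
match=!" 400
match=!" 401
match=!" 402
match=!" 403
match=!" 404
match=!" 500
match=!" 501
match=!" 502
match=!" 503
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "GET .*" [0-9]+ [0-9-]+
log=type:web-access event:Web_GET_Misc srcip:$1
NEXT

# Catch-all for POST with any status not handled above.
id=4041
name=This NCSA common access log indicates that a generic POST request occurred.
match=] "POST
match=POST
match=ST
match=TP
match=HTTP
match= HTTP/1.
match= -
match=!" 200
match=!" 201
match=!" 202
match=!" 203
match=!" 204
match=!" 400
match=!" 401
match=!" 402
match=!" 403
match=!" 404
match=!" 500
match=!" 501
match=!" 502
match=!" 503
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "POST .*" [0-9]+ [0-9-]+
log=type:web-access event:Web_POST_Misc srcip:$1
NEXT

# Catch-all for HEAD with any status not handled above.
id=4042
name=This NCSA common access log indicates that a generic HEAD request occurred.
match=] "HEAD
match=TP
match= HTTP/1.
match=HTTP
match= -
match=!" 200
match=!" 201
match=!" 202
match=!" 203
match=!" 204
match=!" 400
match=!" 401
match=!" 402
match=!" 403
match=!" 404
match=!" 500
match=!" 501
match=!" 502
match=!" 503
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "HEAD .*" [0-9]+ [0-9-]+
log=type:web-access event:Web_HEAD_Misc srcip:$1
NEXT

# Proxy CONNECT rules. The regex stops at "CONNECT, so the status is checked
# only by the `" NNN` substring prefilter, which may sit anywhere in the line.
# 407 Proxy Authentication Required.
id=4043
name=This NCSA common access log indicates a 407 web connection has occurred.
match="CONNECT
match=TP
match=HTTP
match= HTTP/1.
match= -
match=" 407
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "CONNECT
log=type:web-access event:Web_CONNECT_407 srcip:$1
NEXT

# 200 on CONNECT: a tunnel was established through the proxy. Correlate
# against the target host:port if you want to spot tunnelling to non-443
# destinations; the target is not extracted by this rule.
id=4044
name=This NCSA common access log indicates a 200 web connection has occurred.
match="CONNECT
match=TP
match= HTTP/1.
match=HTTP
match= -
match=" 200
match=200
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "CONNECT
log=type:web-access event:Web_CONNECT_200 srcip:$1
NEXT

# 403 on CONNECT: tunnel refused by proxy policy.
id=4045
name=This NCSA common access log indicates a 403 web connection has occurred.
match="CONNECT
match=TP
match=HTTP
match= HTTP/1.
match= -
match=" 403
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "CONNECT
log=type:web-access event:Web_CONNECT_403 srcip:$1
NEXT

# 200 OK on PUT. Fixed: the original required the literal text `] PUT` and a
# regex of `\] PUT .* 200`, but the NCSA request field is quoted (`] "PUT`),
# so the rule could never fire on a conforming log and successful PUTs -
# which usually mean content was written to the server - went unreported.
# Prefilters and regex now follow the shape of every other rule. Event name
# kept for compatibility; PUT/201 is still not covered by any rule.
id=4046
name=This NCSA common access log format indicates that a web PUT request succeeded (200 OK).
match=] "PUT
match=" 200
match=200
match=TP
match= HTTP/1.
match=HTTP
match= -
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) - [^ ]+ ([^"]+) "PUT .*" 200 [0-9-]+
log=type:web-access event:Web_PUT_Accepted srcip:$1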