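# LCE PRM LIBRARY
# Copyright 2006-2013 Tenable Network Security
# This library may only be used with the LCE server and may not
# be used with other products or open source projects
#
# NAME:
# Squid library
#
# DESCRIPTION:
#
# These signatures look for a variety of logs gathered by the
# Squid web proxy.
#
# They can be used by a Thunder server receiving SYSLOG messages from
# a squid proxy, or can be used by a Thunder Client operating
# directly on the web logs.
#
# Rule layout (one directive per line, rules separated by NEXT):
#   id=     numeric rule identifier
#   name=   human-readable description attached to the event
#   match=  literal substring. A space directly after "=" is part of the
#           substring (" TCP_" requires the preceding space). A value
#           beginning with "!" appears to mark a substring that must NOT
#           be present (see rule 2825).
#   regex=  capture groups are substituted into the log= fields as $1, $2 ...
#   log=    event type, event name and the fields extracted from the line
# NOTE(review): presumably every match= line is a cheap pre-filter that has
# to pass before regex= is evaluated - confirm against the PRM engine
# documentation. The short fragments ("EN", "CL", "AT", "ail", ...) look
# like such pre-filters rather than meaningful on their own.
# NOTE(review): several rules overlap (2825 vs. the TCP_MISS/xxx rules,
# 2827 vs. 2829, 2837 vs. 2833/2840/2841). Which event a line that
# satisfies more than one rule produces depends on the engine's evaluation
# order - confirm before relying on a particular event name.
#
# The access-log rules capture srcip as the first dotted-quad preceded by a
# space, i.e. the client field of Squid's native access.log format
# (time elapsed client code/status bytes method URL ident peer/host type).
# A custom logformat would need different regexes.
#
# LAST UPDATE: $Date$

# Catch-all cache miss: any " TCP_MISS/" line except the status codes that
# have a dedicated rule further down. dstport:3128 is Squid's default
# listening port, not read from the log - adjust if the proxy listens on
# another port.
# NOTE(review): TCP_MISS/200 (rule 2845) is not excluded here, while 201 is
# excluded although no rule handles it; 201 looks like a typo for 200. If
# the engine stops at the first matching rule, 2845 never fires until
# "match=!TCP_MISS/200" is added here. Confirm before changing.
id=2825
name=The Squid web proxy has logged a cache miss.
#note: works on all missing error codes, 2**, 5**, etc.
match=TCP
match= TCP_
match= TCP_MISS/
match=!TCP_MISS/301
match=!TCP_MISS/302
match=!TCP_MISS/404
match=!TCP_MISS/401
match=!TCP_MISS/304
match=!TCP_MISS/303
match=!TCP_MISS/504
match=!TCP_MISS/204
match=!TCP_MISS/201
regex=[0-9]+\.[0-9]+.*[0-9]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .
log=type:web-access event:Squid-Cache_Miss srcip:$1 proto:6 dstport:3128
NEXT

# Cache hit served with a 2xx status (the match ends at "TCP_HIT/2").
# dstport:3128 is hard-coded, as in 2825.
id=2826
name=The Squid web proxy has logged a cache hit.
match=TCP
match= TCP_
match= TCP_HIT/2
regex=[0-9]+\.[0-9]+.*[0-9]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .
log=type:web-access event:Squid-Cache_Hit srcip:$1 proto:6 dstport:3128
NEXT

# note - works for all 4** and 5** events
# Any TCP_DENIED/ line: the request was blocked by Squid's access
# controls. Repeated denials from one srcip are a useful indicator of
# policy violations or of a client probing the proxy. dstport:3128 is
# hard-coded, as in 2825.
id=2827
name=The Squid web proxy has logged a denied web query.
match=TCP
match= TCP_
match=EN
match= TCP_DENIED/
regex=[0-9]+\.[0-9]+.*[0-9]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .
log=type:web-error event:Squid-Proxy_Denied srcip:$1 proto:6 dstport:3128
NEXT

# Client-forced refresh (no-cache / reload) whose origin fetch returned 404.
# $2 is whatever Squid wrote after "DIRECT/": an IP address by default, but a
# hostname if the proxy is configured to log names (log_ip_on_direct off).
# NOTE(review): confirm LCE accepts a hostname in dstip; the character
# class [A-Za-z0-9.-] deliberately admits both forms.
id=2828
name=The Squid web proxy has not been able to refresh a cached web site.
match=TCP
match= TCP_
match=CL
match=EN
match= TCP_CLIENT_REFRESH_MISS/404
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_CLIENT_REFRESH_MISS/404 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-Refresh_Miss srcip:$1 dstip:$2
NEXT

# Denied CONNECT (HTTPS tunnel) request. The regex only captures tunnel
# targets written as a dotted-quad IP:port, so denied CONNECTs to a
# hostname do not match here and are left to rule 2827. " - NONE/-" is the
# ident and peer fields Squid writes when no upstream was contacted.
id=2829
name=The Squid web proxy has denied web access to a client.
match=TCP
match= TCP_
match=EN
match= TCP_DENIED/403
match= CONNECT
match= - NONE/-
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_DENIED/403 .*CONNECT ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=type:web-error event:Squid-Denied srcip:$1 dstip:$2 proto:6 dstport:$3
NEXT

# cache.log (syslog) read error of the form
# "read failure: (<errno>) Connection reset by peer". No fields are
# extracted; the rule only classifies the line.
id=2830
name=The Squid web proxy has logged an error.
match=squid[
match=ail
match=ailure
match=: read failure: (
match=ion
match=) Connection reset by peer
match=ect
match=onnect
match=onnection
match=peer
log=type:error event:Squid-Read_Error
NEXT

# cache.log WARNING about a CR character inside a Location response
# header. Squid logs this when it meets a CR where the header syntax does
# not allow one; a CR/LF inside a redirect target is the fingerprint of
# HTTP header-injection / response-splitting attempts against the origin
# server, so this is worth reviewing rather than treating as parser noise.
id=2831
name=The Squid web proxy has encountered an invalid header in a web transaction.
match=squid[
match=TP
match=HTTP
match=Lo
match=tp
match=ion
match=ar
match=]: WARNING: suspicious CR characters in HTTP header {Location: http
match=IN
log=type:web-error event:Squid_HTTP_Invalid_Header
NEXT

# TCP_REFRESH_MISS/200: a stale cached object was revalidated and the
# origin returned a new copy.
# NOTE(review): in Squid's terminology a REFRESH_MISS means the
# revalidation produced a new object, not that the refresh failed; the
# name= wording may be worth revisiting.
id=2832
name=The Squid web proxy could not refresh a cached web server.
match=TCP
match= TCP_
match= TCP_REFRESH_MISS/200
match=200
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_REFRESH_MISS/200 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-Refresh_Miss srcip:$1 dstip:$2
NEXT

# Cache miss whose origin response was a 301 redirect. Also satisfied by
# rule 2837's "TCP_MISS/30" prefix - see the ordering note in the header.
id=2833
name=The Squid web proxy had a missed cache hit.
match=TCP
match= TCP_
match= TCP_MISS/301
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/301 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2
NEXT

# TCP_REFRESH_HIT/200: a stale cached object was revalidated and found
# still fresh.
id=2834
name=The Squid web proxy had a refresh hit.
match=TCP
match= TCP_
match= TCP_REFRESH_HIT/200
match=200
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_REFRESH_HIT/200 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-Refresh_Hit srcip:$1 dstip:$2
NEXT

# TCP_IMS_HIT/304: a conditional (If-Modified-Since) client request answered
# from cache with 304 Not Modified. This is a hit, not a miss, as the event
# name Squid-TCP_IMS_Hit already reflects. No DIRECT/ peer is captured
# because the origin was not contacted.
id=2835
name=The Squid web proxy served a cached object for an If-Modified-Since request (TCP_IMS_HIT/304).
match=TCP
match= TCP_
match= TCP_IMS_HIT/304
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_IMS_HIT/304
log=type:web-access event:Squid-TCP_IMS_Hit srcip:$1
NEXT

# TCP_MISS/30x: a miss whose origin response was any redirect status.
# "TCP_MISS/30" is a prefix match, so 301/303/304 lines also satisfy it
# (see 2833, 2840, 2841 and the ordering note in the header).
id=2837
name=The Squid web proxy had a cache miss.
match=TCP
match= TCP_
match= TCP_MISS/30
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/30.* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2
NEXT

# Miss where the origin answered 404 Not Found.
id=2838
name=The Squid web proxy had a cache miss.
match=TCP
match= TCP_
match= TCP_MISS/404
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/404 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2
NEXT

# Miss where the origin answered 401 (authentication required by the
# origin, not by the proxy - proxy authentication failures are 407).
id=2839
name=The Squid web proxy had a cache miss.
match=TCP
match= TCP_
match= TCP_MISS/401
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/401 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2
NEXT

# Miss where the origin answered 304 Not Modified.
id=2840
name=The Squid web proxy had a cache miss.
match=TCP
match= TCP_
match= TCP_MISS/304
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/304 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2
NEXT

# Miss where the origin answered 303 See Other.
id=2841
name=The Squid web proxy had a cache miss.
match=TCP
match= TCP_
match= TCP_MISS/303
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/303 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2
NEXT

# TCP_NEGATIVE_HIT/404: the 404 error response itself was cached earlier
# and is now served from cache (negative caching). The origin was not
# contacted, so no DIRECT/ peer is captured. The event name
# Squid-Negative-Hit already reflects that this is a hit.
id=2842
name=The Squid web proxy served a negatively cached error response (TCP_NEGATIVE_HIT/404).
match=TCP
match= TCP_
match=AT
match= TCP_NEGATIVE_HIT/404
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_NEGATIVE_HIT/404
log=type:web-access event:Squid-Negative-Hit srcip:$1
NEXT

# Miss where the origin fetch ended in 504 Gateway Timeout.
id=2843
name=The Squid web proxy had a cache miss.
match=TCP
match= TCP_
match= TCP_MISS/504
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/504 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2
NEXT

# Miss where the origin answered 204 No Content.
id=2844
name=The Squid web proxy had a cache miss.
match=TCP
match= TCP_
match= TCP_MISS/204
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/204 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2
NEXT

# Miss served with 200 - the ordinary fetch-from-origin case.
# NOTE(review): this line also satisfies the catch-all rule 2825, which
# does not exclude TCP_MISS/200 (see the note on 2825).
id=2845
name=The Squid web proxy had a missed cache hit.
match=TCP
match= TCP_
match= TCP_MISS/200
match=200
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/200 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2
NEXT

# cache.log line containing "Squid", "Cache" and "Terminated abnormally",
# which Squid prints when the process exits on a crash or fatal error.
# Treat as an availability incident: while the proxy is down there is also
# a gap in web-access visibility.
id=2846
name=The Squid web proxy has logged an error.
match=ed
match=ate
match=ab
match=al
match=na
match=ll
match=or
match=id
match=Squid
match=Cache
match=Terminated abnormally
log=type:error event:Squid-Error
NEXT

# SSL-tagged variant of 2849: client-forced refresh that fetched a fresh
# 200 from the origin. Unlike most access-log rules the regex is anchored
# at the client IP rather than preceded by ".* ".
id=2847
name=The Squid web proxy has not been able to refresh a cached web site.
match=TCP
match= TCP_
match=CL
match=EN
match=TCP_CLIENT_REFRESH_MISS_SSL/200
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_CLIENT_REFRESH_MISS_SSL/200 .*DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-Refresh_Miss_SSL srcip:$1 dstip:$2
NEXT

# SSL-tagged miss with any status (the match ends at "TCP_MISS_SSL/").
# Not caught by 2825, whose " TCP_MISS/" substring requires the slash right
# after "MISS".
id=2848
name=The Squid web proxy had a missed cache hit.
match=TCP
match= TCP_
match= TCP_MISS_SSL/
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS_SSL/.* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss_SSL srcip:$1 dstip:$2
NEXT

# Client-forced refresh (no-cache / reload) that fetched a fresh 200 from
# the origin. Same dstip caveat as 2828.
id=2849
name=The Squid web proxy has not been able to refresh a cached web site.
match=TCP
match= TCP_
match=CL
match=EN
match=TCP_CLIENT_REFRESH_MISS/200
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_CLIENT_REFRESH_MISS/200 .*DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-Refresh_Miss srcip:$1 dstip:$2
NEXT

# As 2849, for a 500 Internal Server Error from the origin.
# NOTE(review): the id breaks the 2825-2849 sequence and may be a typo for
# 2850; rule ids can be referenced elsewhere, so it is left unchanged here.
id=28501
name=The Squid web proxy has not been able to refresh a cached web site.
match=TCP
match= TCP_
match=CL
match=EN
match=TCP_CLIENT_REFRESH_MISS/500
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_CLIENT_REFRESH_MISS/500 .*DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-Refresh_Miss srcip:$1 dstip:$2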