# LCE PRM LIBRARY
# Copyright 2006-2013 Tenable Network Security
# This library may only be used with the LCE server and may not
# be used with other products or open source projects
#
# NAME:
# Squid library
#
# DESCRIPTION:
#
# These signatures look for a variety of logs gathered by the
# Squid web proxy.
#
# They can be used by a Thunder server receiving SYSLOG messages from
# a squid proxy, or by a Thunder Client operating
# directly on the web logs.
#
# LAST UPDATE: $Date$

# Catch-all for TCP_MISS results. The "!" match lines presumably exclude
# status codes that have dedicated signatures (2833, 2837-2841, 2843, 2844);
# TCP_MISS/200 is NOT excluded, so a 200 miss also satisfies 2845 -- whether
# both fire depends on the engine's match order (verify).
# $1 is the dotted quad following a run of digits -- the client address in
# Squid's native access.log layout (timestamp elapsed client code/status ...).
# NOTE(review): the greedy .* means the LAST such "digits IP" sequence on the
# line is captured, so a URL or user field containing one would shift the
# attribution -- TODO confirm against real log samples.
# dstport 3128 is a fixed literal, not parsed from the log; adjust if the
# proxy listens on another port.
id=2825
name=The Squid web proxy has logged a cache miss. 
# note: intended to cover every TCP_MISS status not excluded below (2xx, 5xx, etc.)
match=TCP
match= TCP_
match= TCP_MISS/
match=!TCP_MISS/301
match=!TCP_MISS/302
match=!TCP_MISS/404
match=!TCP_MISS/401
match=!TCP_MISS/304
match=!TCP_MISS/303
match=!TCP_MISS/504
match=!TCP_MISS/204
match=!TCP_MISS/201
regex=[0-9]+\.[0-9]+.*[0-9]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .
log=type:web-access event:Squid-Cache_Miss srcip:$1 proto:6 dstport:3128

NEXT

# Cache hit with any 2xx status (the match string is "TCP_HIT/2", so it
# covers 200-299). $1 is the client address, captured the same way as in
# 2825 (last "digits IP" sequence on the line -- same greedy-.* caveat).
# dstport 3128 is a fixed literal, not taken from the log.
id=2826
name=The Squid web proxy has logged a cache hit.  
match=TCP
match= TCP_
match= TCP_HIT/2
regex=[0-9]+\.[0-9]+.*[0-9]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .
log=type:web-access event:Squid-Cache_Hit srcip:$1 proto:6 dstport:3128

NEXT

# note - works for all TCP_DENIED/* results (4xx and 5xx alike)
# Denied requests are the policy-violation signal for the proxy; only the
# client address is recorded here. A TCP_DENIED/403 CONNECT line also
# satisfies 2829, which additionally captures the destination -- whether
# both fire depends on the engine's match order (verify).
# "EN" appears to be a cheap substring pre-filter for "DENIED".
# dstport 3128 is a fixed literal, not parsed from the log.
id=2827
name=The Squid web proxy has logged a denied web query.  
match=TCP
match= TCP_
match=EN
match= TCP_DENIED/
regex=[0-9]+\.[0-9]+.*[0-9]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .
log=type:web-error event:Squid-Proxy_Denied srcip:$1 proto:6 dstport:3128

NEXT

# Client-forced refresh that missed and got a 404. $1 = client address,
# $2 = the token after "DIRECT/".
# NOTE(review): the $2 character class [A-Za-z0-9.-] admits hostnames as
# well as IPs, so dstip may receive a non-IP value -- confirm how the engine
# treats that. Event name Squid-Refresh_Miss is shared with 2832
# (TCP_REFRESH_MISS, a different Squid result code), 2849 and 28501.
# "CL"/"EN" look like substring pre-filters for CLIENT/REFRESH.
# Unlike 2825-2827 no proto/dstport is emitted here.
id=2828
name=The Squid web proxy has not been able to refresh a cached web site.
match=TCP
match= TCP_
match=CL
match=EN
match= TCP_CLIENT_REFRESH_MISS/404 
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_CLIENT_REFRESH_MISS/404 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-Refresh_Miss srcip:$1 dstip:$2

NEXT

# Denied CONNECT (tunnel) request with no upstream selected (" - NONE/- ").
# $1 = client, $2/$3 = the CONNECT target IP and port, so the record carries
# the destination the client tried to reach.
# NOTE(review): the regex requires a numeric dotted-quad target; a CONNECT to
# a hostname (e.g. "CONNECT host:443") does not match here and is only seen
# by the generic 2827, which records no destination -- confirm this is the
# intended coverage.
id=2829
name=The Squid web proxy has denied web access to a client. 
match=TCP
match= TCP_
match=EN
match= TCP_DENIED/403 
match= CONNECT 
match= - NONE/- 
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_DENIED/403 .*CONNECT ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\:([0-9]+)
log=type:web-error event:Squid-Denied srcip:$1 dstip:$2 proto:6 dstport:$3

NEXT

# Syslog-sourced squid[pid] line reporting a socket read failure with
# "Connection reset by peer". No regex, so no address is captured; if the
# full message names the peer, a capture could be added -- the message
# layout is not visible here (TODO confirm).
# The short match fragments ("ail", "ion", "ect", ...) are all substrings of
# the longer strings and appear to serve only as cheap pre-filters.
id=2830
name=The Squid web proxy has logged an error.
match=squid[
match=ail
match=ailure
match=: read failure: (
match=ion
match=) Connection reset by peer
match=ect
match=onnect
match=onnection
match=peer
log=type:error event:Squid-Read_Error

NEXT

# Squid WARNING about CR characters inside a Location response header.
# A bare CR in a header is malformed at best and may indicate a header
# injection / response-splitting attempt by an upstream server or script,
# so this event is worth correlating with the matching access-log entries.
# No regex, hence no srcip/dstip; the syslog line layout is not visible here,
# so whether an address could be captured is TODO confirm.
# Short fragments ("TP", "Lo", "ion", ...) are substrings of the full
# WARNING text and appear to be pre-filters only.
id=2831
name=The Squid web proxy has encountered an invalid header in a web transaction. 
match=squid[
match=TP
match=HTTP
match=Lo
match=tp
match=ion
match=ar
match=]: WARNING: suspicious CR characters in HTTP header {Location: http
match=IN
log=type:web-error event:Squid_HTTP_Invalid_Header

NEXT

# Proxy-initiated revalidation (TCP_REFRESH_MISS) that fetched a fresh 200.
# $1 = client, $2 = token after "DIRECT/" (may be a hostname, see char class).
# NOTE(review): emits the same event name (Squid-Refresh_Miss) as the
# TCP_CLIENT_REFRESH_MISS signatures 2828/2849/28501, folding two different
# Squid result codes into one event -- confirm that is intended.
# "match=200" is already implied by the line above it; presumably a cheap
# pre-filter.
id=2832
name=The Squid web proxy could not refresh a cached web server. 
match=TCP
match= TCP_
match= TCP_REFRESH_MISS/200 
match=200
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_REFRESH_MISS/200 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-Refresh_Miss srcip:$1 dstip:$2

NEXT

# TCP_MISS with a 301 redirect; excluded from the catch-all 2825 so this
# signature owns it. $1 = client, $2 = token after "DIRECT/".
# NOTE(review): the name says "missed cache hit" while 2838-2844 call the
# same event (Squid-TCP_Miss) a "cache miss" -- wording is inconsistent.
id=2833
name=The Squid web proxy had a missed cache hit. 
match=TCP
match= TCP_
match= TCP_MISS/301 
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/301 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2

NEXT

# Revalidation that confirmed the cached copy (TCP_REFRESH_HIT/200).
# $1 = client, $2 = token after "DIRECT/" (may be a hostname, see char class).
# "match=200" is already implied by the line above it.
id=2834
name=The Squid web proxy had a refresh hit.
match=TCP
match= TCP_
match= TCP_REFRESH_HIT/200 
match=200
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_REFRESH_HIT/200 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-Refresh_Hit srcip:$1 dstip:$2

NEXT

# If-Modified-Since hit answered with 304 (TCP_IMS_HIT/304).
# NOTE(review): the name says "cache miss" but the matched result code and
# the event name (Squid-TCP_IMS_Hit) both describe a hit -- the name looks
# copy-pasted from the TCP_MISS signatures.
# Only the client ($1) is captured; no DIRECT/ token is parsed here.
id=2835
name=The Squid web proxy had a cache miss.
match=TCP
match= TCP_
match= TCP_IMS_HIT/304 
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_IMS_HIT/304 
log=type:web-access event:Squid-TCP_IMS_Hit srcip:$1 

NEXT

# TCP_MISS with a 30x status other than those with their own signature
# (the regex accepts any "TCP_MISS/30..." code).
# NOTE(review): the match line ends in "30 " (trailing space). If the parser
# keeps trailing whitespace this can never match a three-digit status;
# it only works if trailing whitespace is trimmed -- TODO confirm.
# NOTE(review): id 2836 is absent from the 2825-2849 sequence.
# $1 = client, $2 = token after "DIRECT/".
id=2837
name=The Squid web proxy had a cache miss. 
match=TCP
match= TCP_
match= TCP_MISS/30 
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/30.* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2

NEXT

# TCP_MISS/404; excluded from the catch-all 2825 so this signature owns it.
# $1 = client, $2 = token after "DIRECT/" (may be a hostname, see char class).
id=2838
name=The Squid web proxy had a cache miss. 
match=TCP
match= TCP_
match= TCP_MISS/404 
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/404 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2

NEXT

# TCP_MISS/401 (origin demanded authentication); excluded from the catch-all
# 2825 so this signature owns it. $1 = client, $2 = token after "DIRECT/".
id=2839
name=The Squid web proxy had a cache miss. 
match=TCP
match= TCP_
match= TCP_MISS/401 
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/401 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2

NEXT

# TCP_MISS/304; excluded from the catch-all 2825 so this signature owns it.
# $1 = client, $2 = token after "DIRECT/" (may be a hostname, see char class).
id=2840
name=The Squid web proxy had a cache miss. 
match=TCP
match= TCP_
match= TCP_MISS/304 
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/304 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2

NEXT

# TCP_MISS/303; excluded from the catch-all 2825 so this signature owns it.
# $1 = client, $2 = token after "DIRECT/" (may be a hostname, see char class).
id=2841
name=The Squid web proxy had a cache miss. 
match=TCP
match= TCP_
match= TCP_MISS/303 
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/303 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2

NEXT

# TCP_NEGATIVE_HIT/404 -- a cached negative (error) reply served from cache.
# NOTE(review): the name says "cache miss" although the result code and the
# event name (Squid-Negative-Hit) describe a hit; name looks copy-pasted.
# "AT" appears to be a substring pre-filter for NEGATIVE.
# Only the client ($1) is captured; no DIRECT/ token is parsed here.
id=2842
name=The Squid web proxy had a cache miss. 
match=TCP
match= TCP_
match=AT
match= TCP_NEGATIVE_HIT/404
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_NEGATIVE_HIT/404
log=type:web-access event:Squid-Negative-Hit srcip:$1 

NEXT

# TCP_MISS/504 (gateway timeout); excluded from the catch-all 2825 so this
# signature owns it. $1 = client, $2 = token after "DIRECT/".
id=2843
name=The Squid web proxy had a cache miss. 
match=TCP
match= TCP_
match= TCP_MISS/504
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/504 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2

NEXT

# TCP_MISS/204; excluded from the catch-all 2825 so this signature owns it.
# $1 = client, $2 = token after "DIRECT/" (may be a hostname, see char class).
id=2844
name=The Squid web proxy had a cache miss. 
match=TCP
match= TCP_
match= TCP_MISS/204 
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/204 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2

NEXT

# TCP_MISS/200 -- the common "fetched from origin" case.
# NOTE(review): 2825 does not exclude TCP_MISS/200, so such a line satisfies
# both signatures; whether both fire depends on the engine's match order.
# $1 = client, $2 = token after "DIRECT/" (may be a hostname, see char class).
# "match=200" is already implied by the line above it.
id=2845
name=The Squid web proxy had a missed cache hit.
match=TCP
match= TCP_
match= TCP_MISS/200
match=200
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS/200 .* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss srcip:$1 dstip:$2

NEXT

# Squid reported "Terminated abnormally" -- the proxy process died rather than
# shut down cleanly. Repeated occurrences are an availability problem and
# worth investigating (crash loop, resource exhaustion, or a request that
# triggers a fault); no address is captured, so correlate by host and time.
# The two-letter fragments ("ed", "ab", "or", ...) are substrings of the full
# message and appear to be cheap pre-filters only.
id=2846
name=The Squid web proxy has logged an error.
match=ed
match=ate
match=ab
match=al
match=na
match=ll
match=or
match=id
match=Squid
match=Cache
match=Terminated abnormally
log=type:error event:Squid-Error

NEXT

# SSL-bumped variant of the client-forced refresh miss, status 200.
# $1 = client, $2 = token after "DIRECT/" (may be a hostname, see char class).
# Unlike 2828 the match string and regex carry no leading space/".* ", so
# they rely on the result code appearing verbatim after the client address.
# "CL"/"EN" look like substring pre-filters for CLIENT/REFRESH.
id=2847
name=The Squid web proxy has not been able to refresh a cached web site.
match=TCP
match= TCP_
match=CL
match=EN
match=TCP_CLIENT_REFRESH_MISS_SSL/200
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_CLIENT_REFRESH_MISS_SSL/200 .*DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-Refresh_Miss_SSL srcip:$1 dstip:$2

NEXT

# SSL-bumped cache miss with any status ("TCP_MISS_SSL/" is matched without
# a code, and the regex accepts anything up to "DIRECT/").
# $1 = client, $2 = token after "DIRECT/" (may be a hostname, see char class).
# Does not overlap 2825: "TCP_MISS_SSL/" does not contain "TCP_MISS/".
id=2848
name=The Squid web proxy had a missed cache hit.
match=TCP
match= TCP_
match= TCP_MISS_SSL/
regex=.* ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_MISS_SSL/.* DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-TCP_Miss_SSL srcip:$1 dstip:$2

NEXT

# Client-forced refresh that missed and fetched a 200.
# $1 = client, $2 = token after "DIRECT/" (may be a hostname, see char class).
# Emits the same Squid-Refresh_Miss event as 2828 (404) and 28501 (500), and
# as the TCP_REFRESH_MISS signature 2832 -- see the note there.
# "CL"/"EN" look like substring pre-filters for CLIENT/REFRESH.
id=2849
name=The Squid web proxy has not been able to refresh a cached web site.
match=TCP
match= TCP_
match=CL
match=EN
match=TCP_CLIENT_REFRESH_MISS/200
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_CLIENT_REFRESH_MISS/200 .*DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-Refresh_Miss srcip:$1 dstip:$2

NEXT

# Client-forced refresh that missed and got a 500 from the origin.
# NOTE(review): id 28501 breaks the 2825-2849 run; 2850 may have been
# intended. Do not renumber without checking that the id is unused elsewhere
# in the library, since ids must stay unique.
# $1 = client, $2 = token after "DIRECT/" (may be a hostname, see char class).
# "CL"/"EN" look like substring pre-filters for CLIENT/REFRESH.
id=28501
name=The Squid web proxy has not been able to refresh a cached web site.
match=TCP
match= TCP_
match=CL
match=EN
match=TCP_CLIENT_REFRESH_MISS/500
regex=([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) TCP_CLIENT_REFRESH_MISS/500 .*DIRECT/([A-Za-z0-9.-]+)
log=type:web-access event:Squid-Refresh_Miss srcip:$1 dstip:$2