# THUNDER PRM LIBRARY # Copyright 2007 Tenable Network Security # This library may only be used with the Thunder (LCE) server and may not # be used with other products or open source projects # # NAME: # W3C Extended Log Format Library # # DESCRIPTION: # # These signatures look for logs that are logged in W3C Extended Log format. # Almost all well-known web servers and proxies include support for logging in # W3C Extended Log format. In order for LCE to process these logs correctly, # please configure your Web server or Proxy to log in W3C Extended Log format. # The regexes below assume the field order shown in the #Fields example line # (date time c-ip cs-username s-ip cs-method ...): srcip is taken from the third # field and dstip from the fifth, so entries logged with a different field order # will either not match or be logged with srcip and dstip swapped. # LAST UPDATE: $Date$ #Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-taken cs-version cs(User-Agent) cs(Cookie) cs(Referrer) #1998-11-19 22:48:39 206.175.82.5 - 208.201.133.173 GET /global/images/navlineboards.gif - 200 540 324 157 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+95) USERID=CustomerA;+IMPID=01234 http://yourturn.rollingstone.com/webx?98@@webx1.html id=4051 name=This web server logged a W3C entry for an accepted GET request. match= GET / match=GET match=TP match= HTTP/1. match=HTTP match= - 202 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 202 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_GET_Accepted dstip:$2 srcip:$1 NEXT id=4052 name=This web server logged a W3C entry for a partial info GET request. match= GET / match=GET match=TP match= HTTP/1. match=HTTP match= - 203 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 203 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_GET_PartialInfo dstip:$2 srcip:$1 NEXT id=4053 name=This web server logged a W3C entry for a GET request which had a "No response" return code. match= GET / match=GET match=TP match= HTTP/1. 
match=HTTP match= - 204 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 204 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_GET_NoResponse dstip:$2 srcip:$1 NEXT id=4054 name=This web server logged a W3C entry for a bad GET request. match= GET / match=GET match=TP match= HTTP/1. match=HTTP match= - 400 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 400 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_GET_BadRequest dstip:$2 srcip:$1 NEXT id=4055 name=This web server logged a W3C entry for an unauthorized GET request. match= GET / match=GET match=TP match= HTTP/1. match=HTTP match= - 401 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 401 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_GET_UnauthorizedRequest dstip:$2 srcip:$1 NEXT id=4056 name=This web server logged a W3C entry for a GET request for which the server logged a "payment required" code. match= GET / match=GET match=TP match= HTTP/1. match=HTTP match= - 402 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 402 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_GET_PaymentRequired dstip:$2 srcip:$1 NEXT id=4057 name=This web server logged a W3C entry for a forbidden GET request. match= GET / match=GET match=TP match= HTTP/1. match=HTTP match= - 403 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 403 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_GET_Forbidden dstip:$2 srcip:$1 NEXT id=4058 name=This web server logged a W3C entry for a GET request for which results were "Not found". match= GET / match=GET match=TP match= HTTP/1. 
match=HTTP match= - 404 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 404 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_GET_NotFound dstip:$2 srcip:$1 NEXT id=4059 name=This web server logged a W3C entry for a GET request which caused a server error message. match= GET / match=GET match=TP match= HTTP/1. match=HTTP match= - 500 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 500 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_GET_ServerError dstip:$2 srcip:$1 NEXT id=4060 name=This web server logged a W3C entry for a GET request which the server replied was "Not implemented". match= GET / match=GET match=TP match= HTTP/1. match=HTTP match= - 501 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 501 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_GET_ServerErrorNotImplemented dstip:$2 srcip:$1 NEXT id=4061 name=This web server logged a W3C entry for a GET request which caused the server to reply that it was overloaded. match= GET / match=GET match=TP match= HTTP/1. match=HTTP match= - 502 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 502 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_GET_ServerOverload dstip:$2 srcip:$1 NEXT id=4062 name=This web server logged a W3C entry for a GET request which caused a timeout with a gateway. match= GET / match=GET match=TP match= HTTP/1. match=HTTP match= - 503 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 503 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_GET_GTWY_Timeout dstip:$2 srcip:$1 NEXT id=4063 name=This web server logged a W3C entry for a POST. match= POST / match=ST match=TP match= HTTP/1. 
match=HTTP match= - 200 match=200 match=!.asp - match=!.avi - match=!.bmp - match=!.cgi - match=!.css - match=!.doc - match=!.docx - match=!.gif - match=!.exe - match=!.flv - match=!gz - match=!.htm - match=!.html - match=!.java - match=!.jpeg - match=!.jpg - match=!.js - match=!.mpg - match=!.mpeg - match=!.mpa - match=!.m4a - match=!.mp3 - match=!.mp4 - match=!.mov - match=!.pdf - match=!.php - match=!.png - match=!.pps - match=!.ppt - match=!.pptx - match=!.ra - match=!.ram - match=!.rar - match=!.rpm - match=!.rm - match=!.rss - match=!.swf - #match=!.tar - match=!.txt - match=!.wav - match=!.wma - match=!.wmv - match=!.xls - match=!.xml - match=!.xlsx - match=!.zip - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_POST_OK dstip:$2 srcip:$1 NEXT id=4064 name=This web server logged a W3C entry for an accepted POST query. match= POST / match=POST match=ST match=TP match= HTTP/1. match=HTTP match= - 202 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 202 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_POST_Accepted dstip:$2 srcip:$1 NEXT id=4065 name=This web server logged a W3C entry for a partial POST. match= POST / match=POST match=ST match=TP match= HTTP/1. match=HTTP match= - 203 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 203 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_POST_PartialInfo dstip:$2 srcip:$1 NEXT id=4066 name=This web server logged a W3C entry for a POST for which no response was returned from the web server. match= POST / match=POST match=ST match=TP match= HTTP/1. 
match=HTTP match= - 204 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 204 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_POST_NoResponse dstip:$2 srcip:$1 NEXT id=4067 name=This web server logged a W3C entry for a POST which was interpreted to be a bad request. match= POST / match=POST match=ST match=TP match= HTTP/1. match=HTTP match= - 400 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 400 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_POST_BadRequest dstip:$2 srcip:$1 NEXT id=4068 name=This web server logged a W3C entry for a POST which was an unauthorized request. match= POST / match=POST match=ST match=TP match= HTTP/1. match=HTTP match= - 401 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 401 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_POST_UnauthorizedRequest dstip:$2 srcip:$1 NEXT id=4069 name=This web server logged a W3C entry for a POST query for which the web server responded with a "Payment required" code. match= POST / match=POST match=ST match=TP match= HTTP/1. match=HTTP match= - 402 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 402 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_POST_PaymentRequired dstip:$2 srcip:$1 NEXT id=4070 name=This web server logged a W3C entry for a POST which was forbidden. match= POST / match=POST match=ST match=TP match= HTTP/1. match=HTTP match= - 403 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 403 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_POST_Forbidden dstip:$2 srcip:$1 NEXT id=4071 name=This web server logged a W3C entry for a POST which was "Not found". match= POST / match=POST match=ST match=TP match= HTTP/1. 
match=HTTP match= - 404 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 404 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_POST_NotFound dstip:$2 srcip:$1 NEXT id=4072 name=This web server logged a W3C entry for a POST for which the web server replied with an error code. match= POST / match=POST match=ST match=TP match= HTTP/1. match=HTTP match= - 500 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 500 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_POST_ServerError dstip:$2 srcip:$1 NEXT id=4073 name=This web server logged a W3C entry for a POST which had an error in it. match= POST / match=POST match=ST match=TP match= HTTP/1. match=HTTP match= - 501 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 501 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_POST_ServerErrorNotImplemented dstip:$2 srcip:$1 NEXT id=4074 name=This web server logged a W3C entry for a POST for which the web server replied that it was overloaded. match= POST / match=POST match=ST match=TP match= HTTP/1. match=HTTP match= - 502 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 502 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_POST_ServerOverload dstip:$2 srcip:$1 NEXT id=4075 name=This web server logged a W3C entry for a POST which resulted in a timeout with a web gateway server. match= POST / match=POST match=ST match=TP match= HTTP/1. match=HTTP match= - 503 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 503 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_POST_GTWY_Timeout dstip:$2 srcip:$1 NEXT id=4076 name=This web server logged a W3C entry for a valid HEAD request. match= HEAD / match=TP match= HTTP/1. 
match=HTTP match= - 200 match=200 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_HEAD_OK dstip:$2 srcip:$1 NEXT id=4077 name=This web server logged a W3C entry for an accepted HEAD request. match= HEAD / match=TP match= HTTP/1. match=HTTP match= - 202 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 202 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_HEAD_Accepted dstip:$2 srcip:$1 NEXT id=4078 name=This web server logged a W3C entry for a partial HEAD request. match= HEAD / match=TP match= HTTP/1. match=HTTP match= - 203 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 203 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_HEAD_PartialInfo dstip:$2 srcip:$1 NEXT id=4079 name=This web server logged a W3C entry for a HEAD request which had no response. match= HEAD / match=TP match= HTTP/1. match=HTTP match= - 204 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 204 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_HEAD_NoResponse dstip:$2 srcip:$1 NEXT id=4080 name=This web server logged a W3C entry for a bad HEAD request. match= HEAD / match=TP match= HTTP/1. match=HTTP match= - 400 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 400 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_HEAD_BadRequest dstip:$2 srcip:$1 NEXT id=4081 name=This web server logged a W3C entry for a HEAD request which was unauthorized. match= HEAD / match=TP match= HTTP/1. 
match=HTTP match= - 401 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 401 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_HEAD_UnauthorizedRequest dstip:$2 srcip:$1 NEXT id=4082 name=This web server logged a W3C entry for a HEAD request for which the web server responded with a "Payment required" error. match= HEAD / match=TP match= HTTP/1. match=HTTP match= - 402 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 402 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_HEAD_PaymentRequired dstip:$2 srcip:$1 NEXT id=4083 name=This web server logged a W3C entry for a HEAD request which was forbidden. match= HEAD / match=TP match= HTTP/1. match=HTTP match= - 403 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 403 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_HEAD_Forbidden dstip:$2 srcip:$1 NEXT id=4084 name=This web server logged a W3C entry for a HEAD query which was "Not found". match= HEAD / match=TP match= HTTP/1. match=HTTP match= - 404 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 404 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_HEAD_NotFound dstip:$2 srcip:$1 NEXT id=4085 name=This web server logged a W3C entry for a HEAD request which caused the web server to respond with a "Server Error" code. match= HEAD / match=TP match= HTTP/1. match=HTTP match= - 500 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 500 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_HEAD_ServerError dstip:$2 srcip:$1 NEXT id=4086 name=This web server logged a W3C entry for a HEAD request which caused an error. match= HEAD / match=TP match= HTTP/1. 
match=HTTP match= - 501 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 501 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_HEAD_ServerErrorNotImplemented dstip:$2 srcip:$1 NEXT id=4087 name=This web server logged a W3C entry for a HEAD request which overloaded the server. match= HEAD / match=TP match= HTTP/1. match=HTTP match= - 502 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 502 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_HEAD_ServerOverload dstip:$2 srcip:$1 NEXT id=4088 name=This web server logged a W3C entry for a HEAD request which was not found. match= HEAD / match=TP match= HTTP/1. match=HTTP match= - 503 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 503 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-error event:Web_HEAD_GTWY_Timeout dstip:$2 srcip:$1 NEXT id=4089 name=This web server logged a W3C entry for a GET request. match= GET / match=GET match=TP match= HTTP/1. match=HTTP match=! - 200 match=! - 201 match=! - 202 match=! - 203 match=! - 204 match=! - 400 match=! - 401 match=! - 402 match=! - 403 match=! - 404 match=! - 500 match=! - 501 match=! - 502 match=! - 503 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - [0-9]+ [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_GET_Misc dstip:$2 srcip:$1 NEXT id=4090 name=This web server logged a W3C entry for a POST request. match= POST / match=POST match=ST match=TP match= HTTP/1. match=HTTP match=! - 200 match=! - 201 match=! - 202 match=! - 203 match=! - 400 match=! - 401 match=! - 402 match=! - 403 match=! - 404 match=! - 500 match=! - 501 match=! - 502 match=! 
- 503 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - [0-9]+ [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_POST_Misc dstip:$2 srcip:$1 NEXT id=4091 name=This web server logged a W3C entry for a HEAD request. match= HEAD / match=TP match= HTTP/1. match=HTTP match=! - 200 match=! - 201 match=! - 202 match=! - 203 match=! - 400 match=! - 401 match=! - 402 match=! - 403 match=! - 404 match=! - 500 match=! - 501 match=! - 502 match=! - 503 regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - [0-9]+ [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_HEAD_Misc dstip:$2 srcip:$1 NEXT id=4050 name=This web server logged a W3C entry for a GET request. match=GET / match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=!.asp - match=!.avi - match=!.bmp - match=!.cgi - match=!.css - match=!.doc - match=!.docx - match=!.gif - match=!.exe - match=!.flv - match=!gz - match=!.htm - match=!.html - match=!.java - match=!.jpeg - match=!.jpg - match=!.js - match=!.mpg - match=!.mpeg - match=!.mpa - match=!.m4a - match=!.mp3 - match=!.mp4 - match=!.mov - match=!.pdf - match=!.php - match=!.png - match=!.pps - match=!.ppt - match=!.pptx - match=!.ra - match=!.ram - match=!.rar - match=!.rpm - match=!.rm - match=!.rss - match=!.swf - #match=!.tar - match=!.txt - match=!.wav - match=!.wma - match=!.wmv - match=!.xls - match=!.xml - match=!.xlsx - match=!.zip - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web_GET_Ok dstip:$2 srcip:$1 NEXT # id=4092 available id=4094 name=This web server has detected a system browsing the network via HTTP with a web request for a web page rendered by a Microsoft Active Server Pages application. match=TP match= HTTP/1. 
match=HTTP match= - 200 match=200 match=.asp - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Content_ASP_Request dstip:$2 srcip:$1 NEXT id=4095 name=This web server has detected a system browsing the network via HTTP with a web request for an AVI video file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.avi - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Video_AVI_Request dstip:$2 srcip:$1 NEXT id=4096 name=This web server has detected a system browsing the network via HTTP with a web request for a BMP image file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.bmp - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Image_BMP_Request dstip:$2 srcip:$1 NEXT id=4097 name=This web server has detected a system browsing the network via HTTP with a web request for a web site rendered by a CGI form. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.cgi - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Content_CGI_Request dstip:$2 srcip:$1 NEXT id=4098 name=This web server has detected a system browsing the network via HTTP with a web request for a web site's cascading style sheet file. match=TP match= HTTP/1. 
match=HTTP match= - 200 match=200 match=ss match=.css - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Content_CSS_Request dstip:$2 srcip:$1 # id=4099 available NEXT id=4100 name=This web server has detected a system browsing the network via HTTP with a web request for a Microsoft Word .doc file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.doc - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Office_DOC_Request dstip:$2 srcip:$1 NEXT id=4101 name=This web server has detected a system browsing the network via HTTP with a web request for a Microsoft Word .docx file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.docx - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Office_DOCX_Request dstip:$2 srcip:$1 # id=4102 available NEXT id=4103 name=This web server has detected a system browsing the network via HTTP with a web request for a GIF image. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.gif - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Image_GIF_Request dstip:$2 srcip:$1 NEXT id=4104 name=This web server has detected a system browsing the network via HTTP with a web request for a Windows executable file. match=TP match= HTTP/1. 
match=HTTP match= - 200 match=200 match=.exe - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Executable_EXE_Request dstip:$2 srcip:$1 NEXT id=4105 name=This web server has detected a system browsing the network via HTTP with a web request for a flash video file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.flv - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Video_FLV_Request dstip:$2 srcip:$1 NEXT id=4106 name=This web server has detected a system browsing the network via HTTP with a web request for a file compressed by the Gnu Zip program. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.gz - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-File_GZ_Request dstip:$2 srcip:$1 NEXT id=4107 name=This web server has detected a system browsing the network via HTTP with a web request for an HTML file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.htm - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Content_HTM_Request dstip:$2 srcip:$1 NEXT id=4108 name=This web server has detected a system browsing the network via HTTP with a web request for an HTML file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.html - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Content_HTML_Request dstip:$2 srcip:$1 # id=4109 available NEXT id=4110 name=This web server has detected a system browsing the network via HTTP with a web request for Java source code. 
This code may have been executed by the browser. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.java - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Executable_JAVA_Request dstip:$2 srcip:$1 NEXT id=4111 name=This web server has detected a system browsing the network via HTTP with a web request for a .jpeg image file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.jpeg - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Image_JPEG_Request dstip:$2 srcip:$1 NEXT id=4112 name=This web server has detected a system browsing the network via HTTP with a web request for a .jpg image file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.jpg - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Image_JPG_Request dstip:$2 srcip:$1 NEXT id=4113 name=This web server has detected a system browsing the network via HTTP with a web request for javascript code. This code was likely executed on the downloading web browser. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.js - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Executable_JS_Request dstip:$2 srcip:$1 NEXT id=4114 name=This web server has detected a system browsing the network via HTTP with a web request for an MPEG video with a .mpg extension. match=TP match= HTTP/1. 
match=HTTP match= - 200 match=200 match=.mpg - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Video_MPG_Request dstip:$2 srcip:$1 NEXT id=4115 name=This web server has detected a system browsing the network via HTTP with a web request for an MPEG video with a .mpeg extension. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.mpeg - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Video_MPEG_Request dstip:$2 srcip:$1 NEXT id=4116 name=This web server has detected a system browsing the network via HTTP with a web request for an MPEG-2 audio file with a .mpa extension. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.mpa - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Audio_MPA_Request dstip:$2 srcip:$1 NEXT id=4117 name=This web server has detected a system browsing the network via HTTP with a web request for an MPEG-4 audio file with a .m4a extension. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.m4a - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Audio_M4A_Request dstip:$2 srcip:$1 NEXT id=4118 name=This web server has detected a system browsing the network via HTTP with a web request for an MPEG-3 audio file with a .mp3 extension. match=TP match= HTTP/1. 
match=HTTP match= - 200 match=200 match=.mp3 - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Audio_MP3_Request dstip:$2 srcip:$1 NEXT id=4119 name=This web server has detected a system browsing the network via HTTP with a web request for an MPEG-4 media file with a .mp4 extension. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.mp4 - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Media_MP4_Request dstip:$2 srcip:$1 NEXT id=4120 name=This web server has detected a system browsing the network via HTTP with a web request for an Apple Quicktime video file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.mov - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Video_MOV_Request dstip:$2 srcip:$1 NEXT id=4122 name=This web server has detected a system browsing the network via HTTP with a web request for an Adobe PDF or compatible file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.pdf - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Office_PDF_Request dstip:$2 srcip:$1 NEXT id=4123 name=This web server has detected a system browsing the network via HTTP with a web request for dynamic content generated by a PHP program. match=TP match= HTTP/1. 
match=HTTP match= - 200 match=200 match=.php - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Content_PHP_Request dstip:$2 srcip:$1 # id=4124 available NEXT id=4125 name=This web server has detected a system browsing the network via HTTP with a web request for a PNG image file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.png - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Image_PNG_Request dstip:$2 srcip:$1 NEXT id=4126 name=This web server has detected a system browsing the network via HTTP with a web request for a Microsoft .pps PowerPoint presentation file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.pps - match=pp regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Office_PPS_Request dstip:$2 srcip:$1 NEXT id=4127 name=This web server has detected a system browsing the network via HTTP with a web request for a Microsoft .ppt PowerPoint presentation file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=pt match=.ppt - match=pp regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Office_PPT_Request dstip:$2 srcip:$1 NEXT id=4128 name=This web server has detected a system browsing the network via HTTP with a web request for a Real Audio .ram sound file. match=TP match= HTTP/1. 
match=HTTP match= - 200 match=200 match=.ram - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET |POST).* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Audio_RAM_Request dstip:$2 srcip:$1 NEXT id=4129 name=This web server has detected a system browsing the network via HTTP with a web request for a Real Audio .ra sound file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.ra - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Audio_RA_Request dstip:$2 srcip:$1 NEXT id=4130 name=This web server has detected a system browsing the network via HTTP with a web request for a Roshal Archive .rar file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=ar match=.rar - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-File_RAR_Request dstip:$2 srcip:$1 NEXT id=4131 name=This web server has detected a system browsing the network via HTTP with a web request for a Redhat Package Manager .rpm file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.rpm - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Executable_RPM_Request dstip:$2 srcip:$1 NEXT id=4132 name=This web server has detected a system browsing the network via HTTP with a web request for a Real Media audio or video file. match=TP match= HTTP/1. 
match=HTTP match= - 200 match=200 match=.rm - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Media_RM_Request dstip:$2 srcip:$1 NEXT id=4133 name=This web server has detected a system browsing the network via HTTP with a web request for a Rich Site Summary .rss file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=ss match=.rss - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Content_RSS_Request dstip:$2 srcip:$1 NEXT id=4134 name=This web server has detected a system browsing the network via HTTP with a web request for a FLASH video file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.swf - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Media_SWF_Request dstip:$2 srcip:$1 NEXT id=4135 name=This web server has detected a system browsing the network via HTTP with a web request for a Unix tape archive file with a .tar extension. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=ar match=.tar - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-File_TAR_Request dstip:$2 srcip:$1 # id=4136 available NEXT id=4137 name=This web server has detected a system browsing the network via HTTP with a web request for a gzip-compressed Unix tar archive. match=TP match= HTTP/1. 
match=HTTP match= - 200 match=200 match=.tgz - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-File_TGZ_Request dstip:$2 srcip:$1 NEXT id=4138 name=This web server has detected a system browsing the network via HTTP with a web request for a gnuziped compressed Unix tar archive. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=ar match=.tar.gz - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-File_TAR_GZ_Request dstip:$2 srcip:$1 # id=4139 available # id=4140 available NEXT id=41410 name=This web server has detected a system browsing the network via HTTP with a web request for Microsoft Windows .wav audio file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.wav - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Audio_WAV_Request dstip:$2 srcip:$1 NEXT id=41411 name=This web server has detected a system browsing the network via HTTP with a web request for Microsoft Windows .wma audio file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.wma - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Audio_WMA_Request dstip:$2 srcip:$1 NEXT id=41412 name=This web server has detected a system browsing the network via HTTP with a web request for Microsoft Windows .wmv video file. match=TP match= HTTP/1. 
match=HTTP match= - 200 match=200 match=.wmv - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Video_WMV_Request dstip:$2 srcip:$1 NEXT id=41413 name=This web server has detected a system browsing the network via HTTP with a web request for a Microsoft .pptx PowerPoint presentation file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=pt match=.pptx - match=pp regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Office_PPTX_Request dstip:$2 srcip:$1 NEXT id=41414 name=This web server has detected a system browsing the network via HTTP with a web request for an ASCII text file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.txt - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Office_TXT_Request dstip:$2 srcip:$1 # id=41415 available # id=41416 available NEXT id=41417 name=This web server has detected a system browsing the network via HTTP with a web request for an XML file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.xml - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-File_XML_Request dstip:$2 srcip:$1 NEXT id=41418 name=This web server has detected a system browsing the network via HTTP with a web request for Microsoft Windows Excel .xls spreadsheet file. match=TP match= HTTP/1. 
match=HTTP match= - 200 match=200 match=.xlsx - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Office_XLSX_Request dstip:$2 srcip:$1 NEXT id=41419 name=This web server has detected a system browsing the network via HTTP with a web request for a ZIP compressed file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.zip - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-File_ZIP_Request dstip:$2 srcip:$1 # id=41420 available NEXT id=41423 name=This web server has detected a system browsing the network via HTTP with a web request for Microsoft Windows Excel .xls spreadsheet file. match=TP match= HTTP/1. match=HTTP match= - 200 match=200 match=.xls - regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .* log=type:web-access event:Web-Office_XLS_Request dstip:$2 srcip:$1