# THUNDER PRM LIBRARY
# Copyright 2007 Tenable Network Security
# This library may only be used with the Thunder (LCE) server and may not
# be used with other products or open source projects
#
# NAME:
# W3C Extended Log Format Library
#
# DESCRIPTION:
#
# These signatures match log entries written in W3C Extended Log format.
# Almost all well-known web servers and proxies support logging in
# W3C Extended Log format. For LCE to process these logs correctly,
# configure your web server or proxy to log in W3C Extended Log format
# using the field order shown in the "#Fields:" sample below; the regexes
# in this library depend on that order.

# LAST UPDATE: $Date$

#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-taken cs-version cs(User-Agent) cs(Cookie) cs(Referrer)
#1998-11-19 22:48:39 206.175.82.5 - 208.201.133.173 GET /global/images/navlineboards.gif - 200 540 324 157 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+95) USERID=CustomerA;+IMPID=01234 http://yourturn.rollingstone.com/webx?98@@webx1.html 

# Rule 4051 - GET answered with status 202.
# The match= lines are literal substrings; the short ones (GET, TP, HTTP)
# repeat pieces of the longer ones and look like cheap pre-filters -
# NOTE(review): confirm against the LCE PRM documentation.
# "match= - 202 " and " - 202 " in the regex both need a "-" in the field just
# before sc-status. In the "#Fields:" order this library expects, that field is
# cs-uri-query, so an entry whose request carried a query string will normally
# not be picked up by this rule.
id=4051
name=This web server logged a W3C entry for an accepted GET request.
match= GET /
match=GET
match=TP
match= HTTP/1.
match=HTTP
match= - 202 
# Group 1 is the dotted quad in the third field (c-ip); group 2 is the dotted
# quad directly before the method (s-ip).
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 202 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_GET_Accepted dstip:$2 srcip:$1

NEXT

id=4052
name=This web server logged a W3C entry for a partial info GET request.
match= GET /
match=GET
match=TP
match= HTTP/1.
match=HTTP
match= - 203 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 203 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_GET_PartialInfo dstip:$2 srcip:$1

NEXT

# Rule 4053 - GET answered with status 204 (HTTP "No Content", a success code).
# NOTE(review): this rule logs type:web-error, while the 204 rules for POST
# (4066) and HEAD (4079) log type:web-access - confirm which type is intended,
# since filters built on web-error will count GET 204 responses as errors.
id=4053
name=This web server logged a W3C entry for a GET request which had  a "No response" return code. 
match= GET /
match=GET
match=TP
match= HTTP/1.
match=HTTP
match= - 204 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 204 [0-9]+ [0-9]+ [0-9]+ .* 
log=type:web-error event:Web_GET_NoResponse dstip:$2 srcip:$1

NEXT

id=4054
name=This web server logged a W3C entry for a bad GET request. 
match= GET /
match=GET
match=TP
match= HTTP/1.
match=HTTP
match= - 400 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 400 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_GET_BadRequest dstip:$2 srcip:$1

NEXT

id=4055
name=This web server logged a W3C entry for an unauthorized GET request.
match= GET /
match=GET
match=TP
match= HTTP/1.
match=HTTP
match= - 401 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 401 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_GET_UnauthorizedRequest dstip:$2 srcip:$1

NEXT

id=4056
name=This web server logged a W3C entry for a GET request for which the server logged a "payment required" code. 
match= GET /
match=GET
match=TP
match= HTTP/1.
match=HTTP
match= - 402 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 402 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_GET_PaymentRequired dstip:$2 srcip:$1

NEXT

id=4057
name=This web server logged a W3C entry for a forbidden GET request.
match= GET /
match=GET
match=TP
match= HTTP/1.
match=HTTP
match= - 403 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 403 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_GET_Forbidden dstip:$2 srcip:$1

NEXT

id=4058
name=This web server logged a W3C entry for a GET request for which results were "Not found".
match= GET /
match=GET
match=TP
match= HTTP/1.
match=HTTP
match= - 404 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 404 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_GET_NotFound dstip:$2 srcip:$1

NEXT

id=4059
name=This web server logged a W3C entry for a GET request which caused a server error message.
match= GET /
match=GET
match=TP
match= HTTP/1.
match=HTTP
match= - 500 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 500 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_GET_ServerError dstip:$2 srcip:$1

NEXT

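# Rule 4060 - GET answered with status 501 (HTTP "Not Implemented").
# The description is reworded so it reads correctly and agrees with the event
# name; matching and the emitted event are unchanged.
id=4060
name=This web server logged a W3C entry for a GET request for which the server returned a "Not implemented" error.
match= GET /
match=GET
match=TP
match= HTTP/1.
match=HTTP
match= - 501 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 501 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_GET_ServerErrorNotImplemented dstip:$2 srcip:$1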

NEXT

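# Rule 4061 - GET answered with status 502.
# Description typo fixed ("replay" -> "reply"); matching and the emitted event
# are unchanged.
# NOTE(review): in HTTP, 502 is "Bad Gateway"; overload is usually reported as
# 503. The event name is kept because downstream filters may key on it.
# NOTE(review): this 5xx status is logged as type:web-access, while the 500 and
# 501 rules (4059, 4060) log type:web-error - confirm the intended type.
id=4061
name=This web server logged a W3C entry for a GET request which caused the server to reply that it was overloaded.
match= GET /
match=GET
match=TP
match= HTTP/1.
match=HTTP
match= - 502 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 502 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_GET_ServerOverload dstip:$2 srcip:$1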

NEXT

# Rule 4062 - GET answered with status 503.
# NOTE(review): in HTTP, 503 is "Service Unavailable"; a gateway timeout is
# 504. No rule for 504 is visible in this part of the library, so a GET 504
# would presumably fall to the catch-all rule 4089 - confirm.
# NOTE(review): logged as type:web-access although it is a 5xx status; the
# HEAD counterpart (4088) logs type:web-error.
id=4062
name=This web server logged a W3C entry for a GET request which caused a timeout with a gateway. 
match= GET /
match=GET
match=TP
match= HTTP/1.
match=HTTP
match= - 503 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 503 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_GET_GTWY_Timeout dstip:$2 srcip:$1

NEXT

# Rule 4063 - POST answered with status 200 for anything that is not one of
# the file types listed below.
# Unlike the other POST rules this one has no "match=POST" line; " POST /"
# already requires the method, so the difference looks cosmetic.
id=4063
name=This web server logged a W3C entry for a POST.
match= POST /
match=ST
match=TP
match= HTTP/1.
match=HTTP
match= - 200 
match=200
# Negated matches: each "!<ext> -" drops entries whose URI stem ends in that
# extension and is followed by an empty ("-") query. The per-extension content
# rules (4094 onward) accept both GET and POST for these types.
match=!.asp -
match=!.avi -
match=!.bmp -
match=!.cgi -
match=!.css -
match=!.doc -
match=!.docx -
match=!.gif -
match=!.exe -
match=!.flv -
# No leading dot here, so any stem ending in "gz" is excluded; that covers
# both .gz (4106) and .tgz (4137).
match=!gz -
match=!.htm -
match=!.html -
match=!.java -
match=!.jpeg -
match=!.jpg -
match=!.js -
match=!.mpg -
match=!.mpeg -
match=!.mpa -
match=!.m4a -
match=!.mp3 -
match=!.mp4 -
match=!.mov -
match=!.pdf -
match=!.php -
match=!.png -
match=!.pps -
match=!.ppt -
match=!.pptx -
match=!.ra -
match=!.ram -
match=!.rar -
match=!.rpm -
match=!.rm -
match=!.rss -
match=!.swf -
# NOTE(review): the .tar exclusion is disabled, so a 200 response for a .tar
# file satisfies both this rule and 4135 (Web-File_TAR_Request). Which event
# is emitted depends on LCE rule precedence - confirm 4135 can still fire.
#match=!.tar -
match=!.txt -
match=!.wav -
match=!.wma -
match=!.wmv -
match=!.xls -
match=!.xml -
match=!.xlsx -
match=!.zip -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_POST_OK dstip:$2 srcip:$1

NEXT

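# Rule 4064 - POST answered with status 202.
# Description typo fixed ("querry" -> "query"); matching and the emitted event
# are unchanged.
id=4064
name=This web server logged a W3C entry for an accepted POST query.
match= POST /
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match= - 202 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 202 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_POST_Accepted dstip:$2 srcip:$1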

NEXT

id=4065
name=This web server logged a W3C entry for a partial POST.
match= POST /
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match= - 203 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 203 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_POST_PartialInfo dstip:$2 srcip:$1

NEXT

id=4066
name=This web server logged a W3C entry for a POST for which no response was returned from the web server. 
match= POST /
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match= - 204 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 204 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_POST_NoResponse dstip:$2 srcip:$1

NEXT

id=4067
name=This web server logged a W3C entry for a POST which was interpreted to be a bad request.
match= POST /
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match= - 400 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 400 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_POST_BadRequest dstip:$2 srcip:$1

NEXT

id=4068
name=This web server logged a W3C entry for a POST which was an unauthorized request.
match= POST /
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match= - 401 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 401 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_POST_UnauthorizedRequest dstip:$2 srcip:$1

NEXT

id=4069
name=This web server logged a W3C entry for a POST query for which the web server responded with a "Payment required" code. 
match= POST /
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match= - 402 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 402 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_POST_PaymentRequired dstip:$2 srcip:$1

NEXT

id=4070
name=This web server logged a W3C entry for a POST which was forbidden.
match= POST /
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match= - 403 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 403 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_POST_Forbidden dstip:$2 srcip:$1

NEXT

id=4071
name=This web server logged a W3C entry for a POST which was "Not found".
match= POST /
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match= - 404 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 404 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_POST_NotFound dstip:$2 srcip:$1

NEXT

id=4072
name=This web server logged a W3C entry for a POST for which the web server replied with an error code. 
match= POST /
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match= - 500 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 500 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_POST_ServerError dstip:$2 srcip:$1

NEXT

id=4073
name=This web server logged a W3C entry for a POST which had an error in it. 
match= POST /
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match= - 501 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 501 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_POST_ServerErrorNotImplemented dstip:$2 srcip:$1

NEXT

id=4074
name=This web server logged a W3C entry for a POST for which the web server replied that it was overloaded. 
match= POST /
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match= - 502 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 502 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_POST_ServerOverload dstip:$2 srcip:$1

NEXT

id=4075
name=This web server logged a W3C entry for a POST which resulted in a timeout with a web gateway server. 
match= POST /
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match= - 503 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - 503 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_POST_GTWY_Timeout dstip:$2 srcip:$1

NEXT

id=4076
name=This web server logged a W3C entry for a valid HEAD request. 
match= HEAD /
match=TP
match= HTTP/1.
match=HTTP
match= - 200 
match=200
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_HEAD_OK dstip:$2 srcip:$1

NEXT

id=4077
name=This web server logged a W3C entry for an accepted HEAD request. 
match= HEAD /
match=TP
match= HTTP/1.
match=HTTP
match= - 202 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 202 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_HEAD_Accepted dstip:$2 srcip:$1

NEXT

id=4078
name=This web server logged a W3C entry for a partial HEAD request.
match= HEAD /
match=TP
match= HTTP/1.
match=HTTP
match= - 203 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 203 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_HEAD_PartialInfo dstip:$2 srcip:$1

NEXT

id=4079
name=This web server logged a W3C entry for a HEAD request which had no response.
match= HEAD /
match=TP
match= HTTP/1.
match=HTTP
match= - 204 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 204 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_HEAD_NoResponse dstip:$2 srcip:$1

NEXT

id=4080
name=This web server logged a W3C entry for a bad HEAD request.
match= HEAD /
match=TP
match= HTTP/1.
match=HTTP
match= - 400 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 400 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_HEAD_BadRequest dstip:$2 srcip:$1

NEXT

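# Rule 4081 - HEAD answered with status 401.
# Description typos fixed ("whcih", "uuauthorized"); matching and the emitted
# event are unchanged.
id=4081
name=This web server logged a W3C entry for a HEAD request which was unauthorized.
match= HEAD /
match=TP
match= HTTP/1.
match=HTTP
match= - 401 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 401 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_HEAD_UnauthorizedRequest dstip:$2 srcip:$1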

NEXT

id=4082
name=This web server logged a W3C entry for a HEAD request for which the web server responded with a "Payment required" error. 
match= HEAD /
match=TP
match= HTTP/1.
match=HTTP
match= - 402 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 402 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_HEAD_PaymentRequired dstip:$2 srcip:$1

NEXT

id=4083
name=This web server logged a W3C entry for a HEAD request which was forbidden.
match= HEAD /
match=TP
match= HTTP/1.
match=HTTP
match= - 403 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 403 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_HEAD_Forbidden dstip:$2 srcip:$1

NEXT

id=4084
name=This web server logged a W3C entry for a HEAD query which was "Not found".
match= HEAD /
match=TP
match= HTTP/1.
match=HTTP
match= - 404 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 404 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_HEAD_NotFound dstip:$2 srcip:$1

NEXT

id=4085
name=This web server logged a W3C entry for a HEAD request which caused the web server to respond with a "Server Error" code. 
match= HEAD /
match=TP
match= HTTP/1.
match=HTTP
match= - 500 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 500 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_HEAD_ServerError dstip:$2 srcip:$1

NEXT

id=4086
name=This web server logged a W3C entry for a HEAD request which caused an error. 
match= HEAD /
match=TP
match= HTTP/1.
match=HTTP
match= - 501 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 501 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_HEAD_ServerErrorNotImplemented dstip:$2 srcip:$1

NEXT

id=4087
name=This web server logged a W3C entry for a HEAD request which overloaded the server.
match= HEAD /
match=TP
match= HTTP/1.
match=HTTP
match= - 502 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 502 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_HEAD_ServerOverload dstip:$2 srcip:$1

NEXT

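# Rule 4088 - HEAD answered with status 503.
# The description said "not found", which belongs to the 404 rule (4084); it
# now agrees with this rule's event name and with the GET 503 rule (4062).
# Matching and the emitted event are unchanged.
# NOTE(review): this rule logs type:web-error, while the GET and POST 503
# rules (4062, 4075) log type:web-access - confirm the intended type.
id=4088
name=This web server logged a W3C entry for a HEAD request which caused a timeout with a gateway.
match= HEAD /
match=TP
match= HTTP/1.
match=HTTP
match= - 503 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - 503 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-error event:Web_HEAD_GTWY_Timeout dstip:$2 srcip:$1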

NEXT

# Rule 4089 - catch-all for GET entries whose status has no dedicated rule.
# Each negated match removes a status that another rule is meant to handle.
# NOTE(review): 201 is excluded here, but no GET rule for 201 is visible in
# this part of the library; if none exists elsewhere, GET 201 entries are not
# normalized by any rule.
# The regex still needs "-" (empty query) before the status, followed by four
# numeric fields, so entries with a query string normally do not match either.
id=4089
name=This web server logged a W3C entry for a GET request.
match= GET /
match=GET
match=TP
match= HTTP/1.
match=HTTP
match=! - 200 
match=! - 201 
match=! - 202 
match=! - 203 
# The 204 and 404 exclusions have no trailing space, unlike the rest.
match=! - 204
match=! - 400 
match=! - 401 
match=! - 402 
match=! - 403 
match=! - 404
match=! - 500 
match=! - 501 
match=! - 502 
match=! - 503 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - [0-9]+ [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_GET_Misc dstip:$2 srcip:$1

NEXT

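# Rule 4090 - catch-all for POST entries whose status has no dedicated rule.
# Each negated match removes a status that another rule is meant to handle.
# The 204 exclusion was missing, so a POST 204 satisfied both this rule and
# 4066 (Web_POST_NoResponse); it is added here to agree with the GET
# catch-all (4089). The 500 exclusion gets the trailing space the others have.
# NOTE(review): 201 is excluded, but no POST rule for 201 is visible in this
# part of the library - confirm one exists.
id=4090
name=This web server logged a W3C entry for a POST request.
match= POST /
match=POST
match=ST
match=TP
match= HTTP/1.
match=HTTP
match=! - 200 
match=! - 201 
match=! - 202 
match=! - 203 
match=! - 204 
match=! - 400 
match=! - 401 
match=! - 402 
match=! - 403 
match=! - 404 
match=! - 500 
match=! - 501 
match=! - 502 
match=! - 503 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) POST .* - [0-9]+ [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_POST_Misc dstip:$2 srcip:$1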

NEXT

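# Rule 4091 - catch-all for HEAD entries whose status has no dedicated rule.
# Each negated match removes a status that another rule is meant to handle.
# The 204 exclusion was missing, so a HEAD 204 satisfied both this rule and
# 4079 (Web_HEAD_NoResponse); it is added here to agree with the GET
# catch-all (4089). The 500 exclusion gets the trailing space the others have.
# NOTE(review): 201 is excluded, but no HEAD rule for 201 is visible in this
# part of the library - confirm one exists.
id=4091
name=This web server logged a W3C entry for a HEAD request.
match= HEAD /
match=TP
match= HTTP/1.
match=HTTP
match=! - 200 
match=! - 201 
match=! - 202 
match=! - 203 
match=! - 204 
match=! - 400 
match=! - 401 
match=! - 402 
match=! - 403 
match=! - 404 
match=! - 500 
match=! - 501 
match=! - 502 
match=! - 503 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) HEAD .* - [0-9]+ [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_HEAD_Misc dstip:$2 srcip:$1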

NEXT

id=4050
name=This web server logged a W3C entry for a GET request.
match=GET /
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=!.asp -
match=!.avi -
match=!.bmp -
match=!.cgi -
match=!.css -
match=!.doc -
match=!.docx -
match=!.gif -
match=!.exe -
match=!.flv -
match=!gz -
match=!.htm - 
match=!.html - 
match=!.java - 
match=!.jpeg - 
match=!.jpg - 
match=!.js -
match=!.mpg - 
match=!.mpeg - 
match=!.mpa -
match=!.m4a -
match=!.mp3 -
match=!.mp4 -
match=!.mov - 
match=!.pdf - 
match=!.php - 
match=!.png - 
match=!.pps - 
match=!.ppt - 
match=!.pptx - 
match=!.ra - 
match=!.ram - 
match=!.rar - 
match=!.rpm - 
match=!.rm - 
match=!.rss - 
match=!.swf - 
#match=!.tar - 
match=!.txt - 
match=!.wav -
match=!.wma - 
match=!.wmv -
match=!.xls -
match=!.xml -
match=!.xlsx -
match=!.zip - 
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) GET .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web_GET_Ok dstip:$2 srcip:$1

NEXT

# id=4092 available

# Rule 4094 - 200 response for a URI stem ending in ".asp".
# There is no method match= line; the regex accepts GET or POST. HEAD is not
# accepted here.
# ".asp -" needs the stem to be followed by " -", i.e. an empty cs-uri-query
# in the field order this library expects. A request for an .asp page that
# carries a query string will normally not produce this event, and ".aspx" is
# not matched by this string.
id=4094
name=This web server has detected a system browsing the network via HTTP with a web request for a web page rendered by a Microsoft Active Server Pages application.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.asp -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Content_ASP_Request dstip:$2 srcip:$1

NEXT

id=4095
name=This web server has detected a system browsing the network via HTTP with a web request for an AVI video file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.avi -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Video_AVI_Request dstip:$2 srcip:$1

NEXT

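# Rule 4096 - 200 response for a URI stem ending in ".bmp" (GET or POST).
# Description grammar fixed ("an BMP" -> "a BMP"); matching and the emitted
# event are unchanged.
id=4096
name=This web server has detected a system browsing the network via HTTP with a web request for a BMP image file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.bmp -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Image_BMP_Request dstip:$2 srcip:$1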

NEXT

id=4097
name=This web server has detected a system browsing the network via HTTP with a web request for a web site rendered by a CGI form. 
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.cgi -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Content_CGI_Request dstip:$2 srcip:$1

NEXT

id=4098
name=This web server has detected a system browsing the network via HTTP with a web request for a web site's cascading style sheet file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=ss
match=.css -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Content_CSS_Request dstip:$2 srcip:$1

# id=4099 available

NEXT

id=4100
name=This web server has detected a system browsing the network via HTTP with a web request for a Microsoft Word .doc file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.doc -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Office_DOC_Request dstip:$2 srcip:$1

NEXT

id=4101
name=This web server has detected a system browsing the network via HTTP with a web request for a Microsoft Word .docx file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.docx -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Office_DOCX_Request dstip:$2 srcip:$1

# id=4102 available

NEXT

id=4103
name=This web server has detected a system browsing the network via HTTP with a web request for a GIF image.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.gif -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Image_GIF_Request dstip:$2 srcip:$1

NEXT

# Rule 4104 - 200 response for a URI stem ending in ".exe" (GET or POST).
# Coverage notes for anyone alerting on Web-Executable_EXE_Request:
# - ".exe -" needs an empty ("-") cs-uri-query after the stem, so a download
#   URL that carries a query string will normally not produce this event.
# - NOTE(review): if match= strings are case-sensitive, a stem ending in
#   ".EXE" is not picked up here - confirm against the LCE PRM documentation.
# - Only status 200 is covered; other statuses go to the per-status or
#   catch-all rules.
id=4104
name=This web server has detected a system browsing the network via HTTP with a web request for a Windows executable file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.exe -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Executable_EXE_Request dstip:$2 srcip:$1

NEXT

id=4105
name=This web server has detected a system browsing the network via HTTP with a web request for a flash video file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.flv -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Video_FLV_Request dstip:$2 srcip:$1

NEXT

id=4106
name=This web server has detected a system browsing the network via HTTP with a web request for file compressed by the Gnu Zip program.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.gz -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-File_GZ_Request dstip:$2 srcip:$1

NEXT

id=4107
name=This web server has detected a system browsing the network via HTTP with a web request for an HTML file. 
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.htm -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Content_HTM_Request dstip:$2 srcip:$1

NEXT

id=4108
name=This web server has detected a system browsing the network via HTTP with a web request for an HTML file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.html -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Content_HTML_Request dstip:$2 srcip:$1

# id=4109 available

NEXT

id=4110
name=This web server has detected a system browsing the network via HTTP with a web request for Java source code. This code may have been executed by the browser.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.java -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Executable_JAVA_Request dstip:$2 srcip:$1

NEXT

id=4111
name=This web server has detected a system browsing the network via HTTP with a web request for a .jpeg image file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.jpeg -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Image_JPEG_Request dstip:$2 srcip:$1

NEXT

id=4112
name=This web server has detected a system browsing the network via HTTP with a web request for a .jpg image file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.jpg -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Image_JPG_Request dstip:$2 srcip:$1

NEXT

id=4113
name=This web server has detected a system browsing the network via HTTP with a web request for javascript code. This code was likely executed on the downloading web browser.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.js -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Executable_JS_Request dstip:$2 srcip:$1

NEXT

id=4114
name=This web server has detected a system browsing the network via HTTP with a web request for an MPEG video with a .mpg extension.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.mpg -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Video_MPG_Request dstip:$2 srcip:$1

NEXT

id=4115
name=This web server has detected a system browsing the network via HTTP with a web request for an MPEG video with a .mpeg extension.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.mpeg -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Video_MPEG_Request dstip:$2 srcip:$1

NEXT

id=4116
name=This web server has detected a system browsing the network via HTTP with a web request for an MPEG-2 audio file with a .mpa extension.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.mpa -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Audio_MPA_Request dstip:$2 srcip:$1

NEXT

id=4117
name=This web server has detected a system browsing the network via HTTP with a web request for an MPEG-4 audio file with a .m4a extension.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.m4a -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Audio_M4A_Request dstip:$2 srcip:$1

NEXT

id=4118
name=This web server has detected a system browsing the network via HTTP with a web request for an MPEG-3 audio file with a .mp3 extension.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.mp3 -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Audio_MP3_Request dstip:$2 srcip:$1

NEXT

id=4119
name=This web server has detected a system browsing the network via HTTP with a web request for an MPEG-4 media file with a .mp4 extension.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.mp4 -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Media_MP4_Request dstip:$2 srcip:$1

NEXT

id=4120
name=This web server has detected a system browsing the network via HTTP with a web request for an Apple Quicktime video file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.mov -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Video_MOV_Request dstip:$2 srcip:$1

NEXT

id=4122
name=This web server has detected a system browsing the network via HTTP with a web request for an Adobe PDF or compatible file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.pdf -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Office_PDF_Request dstip:$2 srcip:$1

NEXT

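# Rule 4123 - 200 response for a URI stem ending in ".php" (GET or POST).
# Description typo fixed ("generates by" -> "generated by"); matching and the
# emitted event are unchanged.
# ".php -" needs an empty ("-") cs-uri-query after the stem, so PHP requests
# that carry a query string will normally not produce this event.
id=4123
name=This web server has detected a system browsing the network via HTTP with a web request for dynamic content generated by a PHP program.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.php -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Content_PHP_Request dstip:$2 srcip:$1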

# id=4124 available

NEXT

id=4125
name=This web server has detected a system browsing the network via HTTP with a web request for a PNG image file. 
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.png -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Image_PNG_Request dstip:$2 srcip:$1

NEXT

id=4126
name=This web server has detected a system browsing the network via HTTP with a web request for a Microsoft .pps PowerPoint presentation file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.pps -
match=pp
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Office_PPS_Request dstip:$2 srcip:$1

NEXT

id=4127
name=This web server has detected a system browsing the network via HTTP with a web request for a Microsoft .ppt PowerPoint presentation file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=pt
match=.ppt -
match=pp
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Office_PPT_Request dstip:$2 srcip:$1

NEXT

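# Rule 4128 - 200 response for a URI stem ending in ".ram" (GET or POST).
# The method group was written "(GET |POST).*", with the separating space
# inside the GET alternative only; it now reads "(GET|POST) .*" like every
# other content rule, so both methods must be followed by a space.
id=4128
name=This web server has detected a system browsing the network via HTTP with a web request for a Real Audio .ram sound file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.ram -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Audio_RAM_Request dstip:$2 srcip:$1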

NEXT

id=4129
name=This web server has detected a system browsing the network via HTTP with a web request for a Real Audio .ra sound file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.ra -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Audio_RA_Request dstip:$2 srcip:$1

NEXT

id=4130
name=This web server has detected a system browsing the network via HTTP with a web request for a Roshal Archive .rar file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=ar
match=.rar -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-File_RAR_Request dstip:$2 srcip:$1

NEXT

id=4131
name=This web server has detected a system browsing the network via HTTP with a web request for a Redhat Package Manager .rpm file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.rpm -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Executable_RPM_Request dstip:$2 srcip:$1

NEXT

# Real Media .rm request, status 200, empty query string.
# The regex captures dotted-quad IPv4 addresses only; a line whose c-ip or s-ip
# is an IPv6 address passes the match= lines but fails the regex, so no event
# is produced for it.
id=4132
name=This web server has detected a system browsing the network via HTTP with a web request for a Real Media audio or video file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.rm -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Media_RM_Request dstip:$2 srcip:$1

NEXT

# RSS feed request, status 200, empty query string.
# "match=ss" is contained in "match=.rss -"; presumably a short pre-filter -
# TODO confirm.
# The regex expects three numeric fields after the status (sc-bytes, cs-bytes,
# time-taken in the documented field order); a server that logs "-" for any of
# them produces no event.
id=4133
name=This web server has detected a system browsing the network via HTTP with a web request for a Rich Site Summary .rss file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=ss
match=.rss -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Content_RSS_Request dstip:$2 srcip:$1

NEXT

# Flash .swf request, status 200, empty query string; reported as a media event.
# Flash Player is end-of-life, so on current networks a hit on this rule is
# usually worth a look rather than routine browsing noise.
# Requests that carry a query string after the .swf path are not matched,
# because "match=.swf -" requires cs-uri-query to be "-".
id=4134
name=This web server has detected a system browsing the network via HTTP with a web request for a FLASH video file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.swf -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Media_SWF_Request dstip:$2 srcip:$1

NEXT

# Uncompressed tar archive request, status 200, empty query string.
# "match=.tar -" requires a space right after ".tar", so ".tar.gz" requests do
# not satisfy this rule.
# Only status 200 is covered; a download answered with 206 (range request) is
# not reported.
id=4135
name=This web server has detected a system browsing the network via HTTP with a web request for a Unix tape archive file with a .tar extension.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=ar
match=.tar -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-File_TAR_Request dstip:$2 srcip:$1

# id=4136 available

NEXT

# Gzip-compressed tar archive requested under the short ".tgz" extension,
# status 200, empty query string.
# The name= text is the same as rule 4138 (".tar.gz"); the two rules are told
# apart by the event name, Web-File_TGZ_Request here.
id=4137
name=This web server has detected a system browsing the network via HTTP with a web request for a gnuziped compressed Unix tar archive. 
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.tgz -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-File_TGZ_Request dstip:$2 srcip:$1

NEXT

# Gzip-compressed tar archive requested as ".tar.gz", status 200, empty query
# string. Reported as Web-File_TAR_GZ_Request; the ".tgz" spelling has its own
# rule (4137).
# A plain ".gz" file that is not a tar archive does not satisfy
# "match=.tar.gz -" and is not reported by this rule.
id=4138
name=This web server has detected a system browsing the network via HTTP with a web request for a gnuziped compressed Unix tar archive.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=ar
match=.tar.gz -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-File_TAR_GZ_Request dstip:$2 srcip:$1

# id=4139 available
# id=4140 available

NEXT

# WAV audio request, status 200, empty query string.
# NOTE(review): the id jumps from the four-digit 4138 to the five-digit 41410
# although 4139 and 4140 are marked available just above; confirm the
# five-digit ids are intended and do not collide with another PRM library.
id=41410
name=This web server has detected a system browsing the network via HTTP with a web request for Microsoft Windows .wav audio file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.wav -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Audio_WAV_Request dstip:$2 srcip:$1

NEXT

# Windows Media Audio .wma request, status 200, empty query string.
# srcip is the client (c-ip, first captured address) and dstip the server
# (s-ip, second captured address), following the documented W3C field order.
id=41411
name=This web server has detected a system browsing the network via HTTP with a web request for Microsoft Windows .wma audio file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.wma -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Audio_WMA_Request dstip:$2 srcip:$1

NEXT

# Windows Media Video .wmv request, status 200, empty query string.
# Media players often fetch video with range requests, which are answered with
# 206 rather than 200; those lines do not satisfy "match= - 200" and are not
# counted by this rule.
id=41412
name=This web server has detected a system browsing the network via HTTP with a web request for Microsoft Windows .wmv video file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.wmv -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Video_WMV_Request dstip:$2 srcip:$1

NEXT

# PowerPoint .pptx request, status 200, empty query string.
# "match=pt" and "match=pp" are both contained in "match=.pptx -"; they look
# like short pre-filters rather than extra conditions - TODO confirm.
# A document link that carries a query string is not matched, because
# "match=.pptx -" requires cs-uri-query to be "-".
id=41413
name=This web server has detected a system browsing the network via HTTP with a web request for a Microsoft .pptx PowerPoint presentation file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=pt
match=.pptx -
match=pp
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Office_PPTX_Request dstip:$2 srcip:$1

NEXT

# Plain-text .txt request, status 200, empty query string.
# NOTE(review): the event is filed under the Web-Office_ prefix although the
# name describes an ASCII text file; confirm that grouping is intended, as
# reports built on the prefix will count .txt requests as office documents.
id=41414
name=This web server has detected a system browsing the network via HTTP with a web request for an ASCII text file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.txt -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Office_TXT_Request dstip:$2 srcip:$1

# id=41415 available
# id=41416 available

NEXT

# XML file request, status 200, empty query string.
# The regex accepts GET and POST only and captures IPv4 addresses only; other
# methods or IPv6 endpoints pass the match= lines but produce no event.
id=41417
name=This web server has detected a system browsing the network via HTTP with a web request for an XML file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.xml -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-File_XML_Request dstip:$2 srcip:$1

NEXT

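# Excel .xlsx request, status 200, empty query string.
# The name= text now says ".xlsx" to agree with "match=.xlsx -" and the
# Web-Office_XLSX_Request event; it previously read ".xls", which made this
# rule's description identical to the separate .xls rule (41423).
id=41418
name=This web server has detected a system browsing the network via HTTP with a web request for Microsoft Windows Excel .xlsx spreadsheet file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.xlsx -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Office_XLSX_Request dstip:$2 srcip:$1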

NEXT

# ZIP archive request, status 200, empty query string.
# The match= substrings are tested against the whole log line, not against
# cs-uri-stem alone. Client-supplied fields later on the line (User-Agent,
# Cookie, Referrer) can also contain the extension text, so confirm the
# requested path in the raw log before relying on this event.
id=41419
name=This web server has detected a system browsing the network via HTTP with a web request for a ZIP compressed file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.zip -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-File_ZIP_Request dstip:$2 srcip:$1

# id=41420 available

NEXT

# Excel .xls request, status 200, empty query string.
# "match=.xls -" requires a space right after ".xls", so ".xlsx" requests do
# not satisfy this rule; they are handled by the XLSX rule (41418).
# NOTE(review): ids 41421 and 41422 are neither used nor marked available in
# this part of the file; confirm they are assigned elsewhere.
id=41423
name=This web server has detected a system browsing the network via HTTP with a web request for Microsoft Windows Excel .xls spreadsheet file.
match=TP
match= HTTP/1.
match=HTTP
match= - 200
match=200
match=.xls -
regex=[^ ]+ [^ ]+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) .+ ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) (GET|POST) .* - 200 [0-9]+ [0-9]+ [0-9]+ .*
log=type:web-access event:Web-Office_XLS_Request dstip:$2 srcip:$1