This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Alias.host Meta on Squid Parser

SambaKoita
Beginner
Beginner

‎2016-12-14 10:00 AM

Dear all , 

i have a problem with my squid parser , the Alias.host meta is filled only with the port number instead of the URL. 

when i have an url with any port assigned . for ex http  works fine , but as soon as i have a port after the url (www.test.com:443

<MESSAGE

level="6"
parse="1"
parsedefvalue="1"
tableid="82"
id1="CONNECT:01"
id2="CONNECT"
eventcategory="1204000000"
summary="NIC_B_ADDRESS_ACCOUNTING;"
content="&lt;@ec_subject:NetworkComm&gt;&lt;@ec_theme:ALM&gt;&lt;@event_time:*EVNTTIME($MSG,'%X',event_time_string)&gt;&lt;@web_domain:*URL($DOMAIN,url)&gt;&lt;@domain:*URL($DOMAIN,url)&gt;&lt;@web_host:*URL($HOST,url)&gt;&lt;@webpage:*URL($PAGE,url)&gt;&lt;@:*SYSVAL($MSGID,$ID1)&gt;&lt;@msg:*PARMVAL($MSG)&gt; &lt;event_time_string&gt;.&lt;fld20&gt; &lt;duration&gt; &lt;saddr&gt; &lt;action&gt;/&lt;resultcode&gt; &lt;sbytes&gt; &lt;web_method&gt; &lt;url&gt; &lt;username&gt; &lt;h_code&gt;/&lt;daddr&gt; &lt;content_type&gt;" />http://www.test.com:443

i have added this directive : @web_host:*URL($HOST,url) but still i get only the port number . 

Any hint ? 

Many thanks 

Preview file
79 KB
0 Likes
2 REPLIES 2

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2016-12-14 12:36 PM

That will require a change to the parser.  You could change it quickly by making the following change:

 

From: ; &lt;url&gt; &lt;username&gt;

To: ; &lt;url&gt;:&lt;dport&gt; &lt;username&gt;

 

If you need assistance let me know

 

Dave

SambaKoita
Beginner
Beginner
In response to DaveGlover

‎2016-12-14 01:09 PM

Hi Dave, 

Thanks for your reply , actually i updated the parser but now i no longer see the alias.host Meta for the CONNECT methode

May be i mistyped something . 

<MESSAGE
level="6"
parse="1"
parsedefvalue="1"
tableid="82"
id1="CONNECT:01"
id2="CONNECT"
eventcategory="1204000000"
summary="NIC_B_ADDRESS_ACCOUNTING;"
content="&lt;@ec_subject:NetworkComm&gt;&lt;@ec_theme:ALM&gt;&lt;@event_time:*EVNTTIME($MSG,'%X',event_time_string)&gt;&lt;@web_domain:*URL($DOMAIN,url)&gt;&lt;@domain:*URL($DOMAIN,url)&gt;&lt;@web_host:*URL($HOST,url)&gt;&lt;@webpage:*URL($PAGE,url)&gt;&lt;@:*SYSVAL($MSGID,$ID1)&gt;&lt;@msg:*PARMVAL($MSG)&gt; &lt;event_time_string&gt;.&lt;fld20&gt; &lt;duration&gt; &lt;saddr&gt; &lt;action&gt;/&lt;resultcode&gt; &lt;sbytes&gt; &lt;web_method&gt; &lt;url&gt;:&lt;dport&gt; &lt;username&gt; &lt;h_code&gt;/&lt;daddr&gt; &lt;content_type&gt;" />

 

Thanks 

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.