RSA NetWitness^® Platform Discussions

SambaKoita · ‎2016-12-14

Dear all ,

i have a problem with my squid parser , the Alias.host meta is filled only with the port number instead of the URL.

when i have an url with any port assigned . for ex http works fine , but as soon as i have a port after the url (www.test.com:443)

<MESSAGE

level="6"
parse="1"
parsedefvalue="1"
tableid="82"
id1="CONNECT:01"
id2="CONNECT"
eventcategory="1204000000"
summary="NIC_B_ADDRESS_ACCOUNTING;"
content="<@ec_subject:NetworkComm><@ec_theme:ALM><@event_time:*EVNTTIME($MSG,'%X',event_time_string)><@web_domain:*URL($DOMAIN,url)><@domain:*URL($DOMAIN,url)><@web_host:*URL($HOST,url)><@webpage:*URL($PAGE,url)><@:*SYSVAL($MSGID,$ID1)><@msg:*PARMVAL($MSG)> <event_time_string>.<fld20> <duration> <saddr> <action>/<resultcode> <sbytes> <web_method> <url> <username> <h_code>/<daddr> <content_type>" />http://www.test.com:443

i have added this directive : @web_host:*URL($HOST,url) but still i get only the port number .

Any hint ?

Many thanks

DaveGlover · ‎2016-12-14

That will require a change to the parser. You could change it quickly by making the following change:

From: ; <url> <username>

To: ; <url>:<dport> <username>

If you need assistance let me know

Dave

SambaKoita · ‎2016-12-14

Hi Dave,

Thanks for your reply , actually i updated the parser but now i no longer see the alias.host Meta for the CONNECT methode

May be i mistyped something .

Thanks

RSA NetWitness® Platform Discussions

Alias.host Meta on Squid Parser

RSA NetWitness^® Platform Discussions