Squid

Use the IBM® QRadar® Custom Properties for Squid to closely monitor your Squid Web Proxy deployment.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Custom Properties for Squid 1.0.4
IBM Security QRadar Custom Properties for Squid 1.0.3
IBM Security QRadar Custom Properties for Squid V1.0.2
IBM Security QRadar Custom Properties for Squid V1.0.1
IBM Security QRadar Custom Properties for Squid V1.0.0

IBM Security QRadar Custom Properties for Squid 1.0.4

The HTTP Status code custom property is removed in IBM Security QRadar Custom Properties for Squid 1.0.4.

IBM Security QRadar Custom Properties for Squid 1.0.3

The following table shows the new custom properties in IBM Security QRadar Custom Properties for Squid 1.0.3.

Table 1. Custom Properties in IBM Security QRadar Custom Properties for Squid 1.0.3
Name	Optimized	Capture Group	Regex
Response Code	No	1	\/(\d{3})\s+

The HTTP Status Code custom property is deprecated. The new Response Code custom property can be used instead.

IBM Security QRadar Custom Properties for Squid V1.0.2

The following table shows the custom properties that are updated in IBM Security QRadar Custom Properties for Squid V1.0.2.

Table 2. Custom Properties in IBM Security QRadar Custom Properties for Squid V1.0.2
Name	Optimized	Capture Group	Regex
BytesReceived	Yes	1	(\d+)\s(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)

The URL custom property was given a new ID, to avoid a conflict with custom properties with the same name from other content extensions.

_{(Back to top)}

IBM Security QRadar Custom Properties for Squid V1.0.1

The following table shows the custom properties in IBM Security QRadar Custom Properties for Squid V1.0.1.

Table 3. Custom Properties in IBM Security QRadar Custom Properties for Squid V1.0.1
Name	Optimized	Capture Group	Regex
URL	Yes	1	(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)\s([^\;\s]+)
URL Scheme	No	1	(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)\s([^\;\s\/]*?):\/\/
UrlHost	Yes	1	(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)\s(?:[^\;\s\/]*?:\/\/)?(?:www\.)?([^\s\;\/:\,\"]+)
URL Path	No	1	(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\/]+\/([^\;\s\?]+)
Filename	Yes	1	(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\/([^\;\s\?]+\.[^\;\s\?]+)
File Extension	Yes	1	(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\/[^\;\s\?]+\.([^\;\s\?]+)
URL Query String	No	1	(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\?([^\;\s]+)
Method	No	1	(GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)\s
Content type	No	1	\/\d{3}(?:\s[\w\/\.\-\:\?\&\=]*){5}\s(.{2,})
BytesReceived	No	1	(\d+)\s(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)

_{(Back to top)}

IBM Security QRadar Custom Properties for Squid V1.0.0

The following table shows the custom properties in IBM Security QRadar Custom Properties for Squid V1.0.0.

Table 4. Custom Properties in IBM Security QRadar Custom Properties for Squid V1.0.0
Name	Regex
HTTP Status Code	\/(\d{3})\s+
Method	(GET\|POST\|CONNECT\|TUNNEL)\s
URL	CONNECT\s+(\w+\.\w+\.\w+): (http\|ftp\|tcp\|https):\/\/(.+?)\s

_{(Back to top)}