Squid

Use the IBM® QRadar® Custom Properties for Squid to closely monitor your Squid Web Proxy deployment.

Important: To avoid content errors in this content extension, keep the associated DSMs up to date. DSMs are updated as part of the automatic updates. If automatic updates are not enabled, download the most recent version of the associated DSMs from IBM Fix Central (https://www.ibm.com/support/fixcentral).

IBM Security QRadar Custom Properties for Squid V1.0.2
IBM Security QRadar Custom Properties for Squid V1.0.1
IBM Security QRadar Custom Properties for Squid V1.0.0

IBM Security QRadar Custom Properties for Squid V1.0.2

The following table shows the custom properties updated in IBM Security QRadar Custom Properties for Squid V1.0.2.

Table 1. Custom Properties in IBM Security QRadar Custom Properties for Squid V1.0.1
Name	Optimized	Capture Group	Regex
BytesReceived	Yes	1	(\d+)\s(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)

The URL custom property was given a new ID, to avoid a conflict with custom properties with the same name from other content extensions.

_{(Back to top)}

IBM Security QRadar Custom Properties for Squid V1.0.1

The following table shows the custom properties in IBM Security QRadar Custom Properties for Squid V1.0.1.

Table 2. Custom Properties in IBM Security QRadar Custom Properties for Squid V1.0.1
Name	Optimized	Capture Group	Regex
URL	Yes	1	(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)\s([^\;\s]+)
URL Scheme	No	1	(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)\s([^\;\s\/]*?):\/\/
UrlHost	Yes	1	(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)\s(?:[^\;\s\/]*?:\/\/)?(?:www\.)?([^\s\;\/:\,\"]+)
URL Path	No	1	(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\/]+\/([^\;\s\?]+)
Filename	Yes	1	(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\/([^\;\s\?]+\.[^\;\s\?]+)
File Extension	Yes	1	(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\/[^\;\s\?]+\.([^\;\s\?]+)
URL Query String	No	1	(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)\s(?:[^\;\s\/]*?:\/\/)[^\;\s\?]+\?([^\;\s]+)
Method	No	1	(GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)\s
Content type	No	1	\/\d{3}(?:\s[\w\/\.\-\:\?\&\=]*){5}\s(.{2,})
BytesReceived	No	1	(\d+)\s(?:GET\|POST\|CONNECT\|TUNNEL\|HEAD\|PUT\|DELETE)

_{(Back to top)}

IBM Security QRadar Custom Properties for Squid V1.0.0

The following table shows the custom properties in IBM Security QRadar Custom Properties for Squid V1.0.0.

Table 3. Custom Properties in IBM Security QRadar Custom Properties for Squid V1.0.0
Name	Regex
HTTP Status Code	\/(\d{3})\s+
Method	(GET\|POST\|CONNECT\|TUNNEL)\s
URL	CONNECT\s+(\w+\.\w+\.\w+): (http\|ftp\|tcp\|https):\/\/(.+?)\s

_{(Back to top)}