All Apps and Add-ons

Splunk Add-on for Symantec Blue Coat ProxySG: Why won't it take into account url field with non-standard port?

vvanlier
New Member

Hello,

When the cs_uri field is not present in the log, the url field is evaluated from cs_uri_scheme, cs_host, cs_uri_path  and cs_uri_query. 
But it does not take in account the cs_uri_port in case the url use a non standard port.
For instance, if the real URL is http://somesite:8080/foo/bar, the TA will compute the url field as http://somesite/foo/bar.

To solve this for the most common protocols (http, https with and w/o interception, ftp & rtsp), the line 
EVAL-url = coalesce(cs_uri, if(isnull(cs_uri_scheme) OR (cs_uri_scheme=="-"), "", cs_uri_scheme+"://") + cs_host + cs_uri_path + if(isnull(cs_uri_query) OR (cs_uri_query == "-"), "", cs_uri_query))
should be replaced by 
EVAL-url = coalesce(cs_uri, if(isnull(cs_uri_scheme) OR (cs_uri_scheme=="-"), "", cs_uri_scheme+"://") + cs_host + if((cs_uri_scheme=="http" AND cs_uri_port!=80) OR (cs_uri_scheme IN ("https","ssl") AND cs_uri_port!=443) OR (cs_uri_scheme="tcp" AND cs_method="CONNECT" AND cs_uri_port!="443") OR (cs_uri_scheme="ftp" AND cs_uri_port!=21) OR (cs_uri_scheme=="rtsp" AND cs_uri_port!=554),":".cs_uri_port,"") + cs_uri_path + if(isnull(cs_uri_query) OR (cs_uri_query == "-"), "", cs_uri_query))

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...