Lightsquid ssl



  • Good day everyone,

    I am currently using squid for our proxy, and recently decided to use WPAD/PAC to also capture HTTPS traffic.  I am having one very annoying issue with lightsquid, and wondering if anybody has any insight.

    All my lightsquid information looks like the attached image.  It also does not consolidate the first part of the domain name (even this would be fine, so that I can differentiate HTTPS traffic, as long as subdomains are combined).

    I have been modifying my lightparser.pl file to consolidate subdomains, however, this is only working for HTTP traffic, as all HTTPS sites are showing the port number like mail.google.ca:443
    The code I am using is:
    $url =~ s/([a-z]+:\/\/)??.*\.(google\.)/$2/o;

    Has anybody found a way around this or even thought about this?  I was thinking of telling squid to not include the port, however, it seems to not be working.  Any other suggestions/thoughts?

    Thanks

    • Marc
      ![2016-03-28 10-20-41.png](/public/imported_attachments/1/2016-03-28 10-20-41.png)


  • Hi,

    I changed my logparser.pl to extract only the root domain.
    See the result in the attached image.

    $user=lc $Luser;
    
    	$user = Ip2Name($Lhost,$user,$Ltimestamp);
    
    	next if (defined $hSkipUser{$user});
    
    	#simplified some common banner system & counters
    	$url=$Lurl;
    
    	if ($url =~ /([^:]*:\/\/)?([^\/]*\.)*([^\/\.]+\.[^\/]+)/g) {
    	   ($site)= split /:/,$3; 
    	} else {
    	   $site=$Lurl;
    	}
    
    	$site=$Lurl if ($site eq "");
    
    	$totalsize	  {$user}		+=$Lsize;
    	$totalhit	  {$user}		++;
    

    br
    Lars
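
As an added example (not LightSquid code and not written by either poster), here is one way to reduce the URL field of a Squid access.log entry to a reporting site, covering both plain URLs and CONNECT entries such as mail.google.ca:443. The name `site_from_url` and the short two-label suffix list are assumptions made for illustration, and the sample values are constructed.

```perl
#!/usr/bin/perl
# Added example, not LightSquid code: reduce the URL field of a Squid
# access.log entry to a reporting "site", for plain URLs and CONNECT targets.
use strict;
use warnings;

# Assumption: a short hand-maintained list of two-label public suffixes.
# A real deployment would use the full Public Suffix List instead.
my %two_label_suffix = map { $_ => 1 } qw(co.uk com.au co.nz);

sub site_from_url {
    my ($url) = @_;
    my $host = lc $url;
    $host =~ s{^[a-z][a-z0-9+.-]*://}{};   # drop scheme (absent for CONNECT)
    $host =~ s{[/?#].*}{}s;                # drop path, query, fragment
    $host =~ s{^.*\@}{};                   # drop userinfo
    # Bracketed IPv6 literal, e.g. [2001:db8::1]:443
    return $1 if $host =~ /^\[([0-9a-f:.]+)\](?::\d+)?$/;
    $host =~ s/:\d+$//;                    # drop port such as :443
    $host =~ s/\.$//;                      # drop trailing dot of an FQDN
    # IPv4 literals are kept whole rather than cut to two labels
    return $host if $host =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    my @labels = split /\./, $host;
    # Not a usable hostname: keep the raw log value
    return $url if !@labels || grep { $_ eq '' } @labels;
    return $host if @labels <= 2;
    my $keep = $two_label_suffix{"$labels[-2].$labels[-1]"} ? 3 : 2;
    return join '.', @labels[-$keep .. -1];
}

# Constructed sample values for the URL field
for my $u (qw(
    mail.google.ca:443
    http://www.google.ca/search?q=squid
    https://accounts.google.ca:8443/login
    news.bbc.co.uk:443
    192.168.1.10:443
    [2001:db8::1]:443
)) {
    printf "%-40s -> %s\n", $u, site_from_url($u);
}
```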


