
I'm trying to find a simple way to parse squid logfiles looking for CryptoLocker (http://en.wikipedia.org/wiki/CryptoLocker) URLs. The proxy in question denies these anyway because the current version of CryptoLocker doesn't authenticate and this proxy requires authentication, so right now it's a useful trigger to notice an infection after the fact but before it has downloaded enough to start infecting user files.

The URLs in question are <something>.net/com/biz/etc, and some examples of the something are: qoemswifeitgetscytkircyfq, diqkbihifambsnvbylvtdcyyd, tlfmwcyfikzcuqoqgpzdpz, so they are random strings of varying length. The challenge is to find a way to identify them without an excessive amount of CPU time (e.g. not dictionary lookups). Any suggestions?

Thanks,
James
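One cheap way to approach this, as an added example rather than anything from the thread: a single pass over each squid access.log line computing length, vowel ratio and longest consonant run of the registrable label, with no dictionary lookup. The log lines are constructed (hostnames are the three quoted above plus benign controls), and the thresholds and the single-label TLD assumption are mine.

```python
# Heuristic detector for random-looking (DGA-style) hostnames in squid native access.log.
# One pass per line, no dictionary lookups: length, vowel ratio and consonant runs only.
VOWELS = set("aeiou")  # 'y' is deliberately treated as a consonant

# Constructed sample in squid native layout (time elapsed client action/code size method URL user hierarchy type).
# Random hostnames are the three quoted in the post; the others are benign controls.
SAMPLE_LOG = """\
1384179600.101    12 10.0.0.5 TCP_DENIED/407 3800 GET http://qoemswifeitgetscytkircyfq.net/home/ - HIER_NONE/- text/html
1384179600.215    95 10.0.0.5 TCP_MISS/200 5123 GET http://www.windowsupdate.com/ jsmith HIER_DIRECT/1.2.3.4 text/html
1384179601.002    11 10.0.0.5 TCP_DENIED/407 3800 GET http://diqkbihifambsnvbylvtdcyyd.com/home/ - HIER_NONE/- text/html
1384179601.330   140 10.0.0.7 TCP_MISS/200 8810 GET http://dl.dropboxusercontent.com/u/1/x.zip jdoe HIER_DIRECT/5.6.7.8 application/zip
1384179602.044    10 10.0.0.5 TCP_DENIED/407 3800 GET http://tlfmwcyfikzcuqoqgpzdpz.biz/home/ - HIER_NONE/- text/html
1384179602.500    60 10.0.0.9 TCP_MISS/200 2200 CONNECT mail.google.com:443 asmith HIER_DIRECT/9.9.9.9 -
"""

def host_from_url(url):
    """Hostname from a squid URL field: handles http://host/path and CONNECT host:port."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()

def registrable_label(host):
    """Label left of the TLD; assumes a one-label suffix (.com/.net/.biz), so co.uk-style suffixes are not handled."""
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host

def label_features(label):
    """Return (length, vowel ratio, longest consonant run) from one pass over the label."""
    vowels = longest = run = 0
    for c in label:
        if c in VOWELS:
            vowels, run = vowels + 1, 0
        else:
            run += 1
            longest = max(longest, run)
    return len(label), (vowels / len(label) if label else 0.0), longest

def suspicious_hosts(log_text, min_len=12, max_vowel_ratio=0.30, min_consonant_run=5):
    """(client, host) per line whose label is long and either vowel-poor or has an
    unpronounceable consonant run. Thresholds are tuning assumptions, not published values."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        host = host_from_url(fields[6])
        length, ratio, run = label_features(registrable_label(host))
        if length >= min_len and (ratio < max_vowel_ratio or run >= min_consonant_run):
            hits.append((fields[2], host))
    return hits
```

Running `suspicious_hosts(SAMPLE_LOG)` over the constructed lines flags only the three random labels and leaves windowsupdate, dropboxusercontent and google alone; the client column then tells you which machine to look at.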