CA SiteMinder
Description
Vendor: CA
Product: SiteMinder
Log type(s): auth
Theoretical injector performance
N/A
Log sample
AssertionGenerate thsssosit06p [23/Feb/2017:12:19:33 +0100] " " " " [] [0] [] []
ValidateAccept thsssosit06p [23/Feb/2017:12:19:27 +0100] "1.1.68.129 uid=T000000,ou=Internal,ou=People,o=group" "pghj-ws-dzefd.ezrd.dksjq GET /T2/Ts.ltc" [idletime=54000;maxtime=18000;authlevel=5;] [0] [] []
AuthAttempt thsssosit06p [23/Feb/2017:12:24:12 +0100] "1.1.4.162 T0000000" "azd.dzaz.azddd GET /profile/yoloapplications.php?polReboot" [] [0] [] []
Parsing strategy
At first glance, the log looks like a space-separated CSV record with the following field order:
[Event] [Hostname] [Date/Time] [ClientIP] [UserDN] [Agentname] [Action] [Resource] [TransactionID] [Reason] [Status Message] [Impersonator Name] [Impersonator Dir Name]
However, [Status Message] is an error status that reads like a sentence and is wrapped in neither double quotes nor brackets. Splitting on the space character therefore yields a record that cannot be parsed as CSV, so we decided to use Grok patterns instead.
Conclusion: this parser relies only on Grok patterns, located under .
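The approach described above, as an added example that is not part of this parser's own Grok patterns: one anchored regular expression with named groups (the Grok equivalent of %{PATTERN:field}) that captures the unquoted status message lazily between the bracketed Reason and Impersonator fields. The fourth sample line, with a non-empty status message, is constructed for illustration; the first three are the samples above.

```python
import re
from datetime import datetime

# Documented field order of the access log:
#   Event Hostname [Date/Time] "ClientIP UserDN" "Agentname Action Resource"
#   [TransactionID] [Reason] Status Message [Impersonator Name] [Impersonator Dir Name]
# Status Message is the only field that is neither quoted nor bracketed, so it is
# captured lazily and anchored by the two trailing bracketed fields and end of line.
SITEMINDER_RE = re.compile(
    r'^(?P<event>\S+)\s+'
    r'(?P<hostname>\S+)\s+'
    r'\[(?P<timestamp>[^\]]+)\]\s+'
    r'"(?P<client_ip>[^" ]*)\s?(?P<user_dn>[^"]*)"\s+'
    r'"(?P<agent_name>[^" ]*)\s?(?P<action>[^" ]*)\s?(?P<resource>[^"]*)"\s+'
    r'\[(?P<transaction_id>[^\]]*)\]\s+'
    r'\[(?P<reason>[^\]]*)\]\s*'
    r'(?P<status_message>.*?)\s*'
    r'\[(?P<impersonator_name>[^\]]*)\]\s+'
    r'\[(?P<impersonator_dir_name>[^\]]*)\]\s*$'
)

# Sample input: the three lines from the page plus one constructed line (last)
# whose status message shows why a plain space split fails.
SAMPLE_LINES = [
    'AssertionGenerate thsssosit06p [23/Feb/2017:12:19:33 +0100] " " " " [] [0] [] []',
    'ValidateAccept thsssosit06p [23/Feb/2017:12:19:27 +0100] '
    '"1.1.68.129 uid=T000000,ou=Internal,ou=People,o=group" '
    '"pghj-ws-dzefd.ezrd.dksjq GET /T2/Ts.ltc" [idletime=54000;maxtime=18000;authlevel=5;] [0] [] []',
    'AuthAttempt thsssosit06p [23/Feb/2017:12:24:12 +0100] "1.1.4.162 T0000000" '
    '"azd.dzaz.azddd GET /profile/yoloapplications.php?polReboot" [] [0] [] []',
    # constructed: non-empty, unquoted status message
    'AuthReject thsssosit06p [23/Feb/2017:12:25:01 +0100] "1.1.4.162 T0000000" '
    '"azd.dzaz.azddd GET /profile/index.php" [] [2] Password incorrect [] []',
]


def parse_siteminder(line):
    """Return a dict of named fields, or None when the line does not match."""
    m = SITEMINDER_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "23/Feb/2017:12:19:33 +0100" -> timezone-aware datetime
    rec["timestamp"] = datetime.strptime(rec["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_siteminder(line))
```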