
CA SiteMinder


Vendor: CA

Product: SiteMinder

Log type(s): auth

Theoretical injector performance


Log sample

AssertionGenerate fakehost [23/Feb/2017:12:19:33 +0100] " " "  " [] [0]  [] []
ValidateAccept fakehost [23/Feb/2017:12:19:27 +0100] " uid=T000000,ou=Internal,ou=People,o=group" "pghj-ws-dzefd.ezrd.dksjq GET /T2/Ts.ltc" [idletime=54000;maxtime=18000;authlevel=5;] [0]  [] []
AuthAttempt fakehost [23/Feb/2017:12:24:12 +0100] " T0000000" "azd.dzaz.azddd GET /profile/yoloapplications.php?polReboot" [] [0]  [] []

Parsing strategy

At first glance, one could assume the log is a CSV with [space] as the separator. The main format is as follows:

[[Event] [Hostname] [Date/Time] [ClientIP] [UserDN] [Agentname] [Action] [Resource] [TransactionID] [Reason] [Status Message] [Impersonator Name] [Impersonator Dir Name]]

BUT [[Status Message]] is an error status that reads like a sentence, with neither wrapping double quotes nor brackets. Because that message itself contains spaces, the log cannot be parsed as [space]-separated CSV, so we decided to use Grok patterns instead.
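The Grok approach described above, as an added example that is not part of this page or of the parser itself: a minimal Grok expander in Python, where the pattern definitions approximate the stock Logstash ones and the grouping of ClientIP/UserDN and Agent/Action/Resource into the two quoted fields is inferred from the sample lines. It is run over the three sample lines plus one constructed line that carries an unquoted status message, the case that defeats space-separated CSV parsing.

```python
import re
from typing import Optional

# Subset of the stock Logstash grok-patterns file. The regexes are close
# approximations of the shipped definitions, not copies of them.
GROK_PATTERNS = {
    "NOTSPACE": r"\S+",
    "WORD": r"\b\w+\b",
    "DATA": r".*?",
    "HTTPDATE": r"\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}",
}

def grok_compile(pattern: str) -> re.Pattern:
    """Expand every %{NAME:field} into a Python named group and compile."""
    def expand(m: re.Match) -> str:
        regex = GROK_PATTERNS[m.group(1)]
        return f"(?P<{m.group(2)}>{regex})" if m.group(2) else f"(?:{regex})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern))

# Field grouping (ClientIP+UserDN in one quoted pair, Agent+Action+Resource in
# the other) is inferred from the sample lines. Leading fields may be empty,
# so they sit in optional groups; the unquoted Status Message is DATA bounded
# by the two bracketed impersonator fields that always follow it.
SITEMINDER_GROK = (
    r'^%{NOTSPACE:event} %{NOTSPACE:hostname} \[%{HTTPDATE:timestamp}\] '
    r'"(?:%{NOTSPACE:client_ip})? ?%{DATA:user_dn}" '
    r'"(?:%{NOTSPACE:agent})? ?(?:%{WORD:action})? ?%{DATA:resource}" '
    r'\[%{DATA:transaction_id}\] \[%{DATA:reason}\] '
    r'%{DATA:status_message} ?\[%{DATA:impersonator}\] \[%{DATA:impersonator_dir}\]$'
)
SITEMINDER_RE = grok_compile(SITEMINDER_GROK)

def parse_siteminder(line: str) -> Optional[dict]:
    """Return a field dict for one SiteMinder auth-log line, or None if it does not match."""
    m = SITEMINDER_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    # Optional groups that did not participate come back as None; normalise to "".
    return {k: (v or "") for k, v in m.groupdict().items()}

# Three lines from the page plus one constructed line (not from the page)
# carrying an unquoted status message with spaces in it.
SAMPLE_LINES = [
    'AssertionGenerate fakehost [23/Feb/2017:12:19:33 +0100] " " "  " [] [0]  [] []',
    'ValidateAccept fakehost [23/Feb/2017:12:19:27 +0100] " uid=T000000,ou=Internal,ou=People,o=group" "pghj-ws-dzefd.ezrd.dksjq GET /T2/Ts.ltc" [idletime=54000;maxtime=18000;authlevel=5;] [0]  [] []',
    'AuthAttempt fakehost [23/Feb/2017:12:24:12 +0100] " T0000000" "azd.dzaz.azddd GET /profile/yoloapplications.php?polReboot" [] [0]  [] []',
    'AuthReject fakehost [23/Feb/2017:12:30:01 +0100] "10.0.0.5 uid=T000001,ou=People,o=group" "azd.dzaz.azddd GET /profile/index.php" [] [2] Account locked by policy [] []',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_siteminder(line))
```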

Conclusion: This parser relies only on Grok patterns located under .