Ca Site Minder

Description

Constructor: CA

Product: Site Minder

Log type(s): auth

Theoretical injector performance

N/A

Log sample

AssertionGenerate thsssosit06p [23/Feb/2017:12:19:33 +0100] " " "  " [] [0]  [] []
ValidateAccept thsssosit06p [23/Feb/2017:12:19:27 +0100] "1.1.68.129 uid=T000000,ou=Internal,ou=People,o=group" "pghj-ws-dzefd.ezrd.dksjq GET /T2/Ts.ltc" [idletime=54000;maxtime=18000;authlevel=5;] [0]  [] []
AuthAttempt thsssosit06p [23/Feb/2017:12:24:12 +0100] "1.1.4.162 T0000000" "azd.dzaz.azddd GET /profile/yoloapplications.php?polReboot" [] [0]  [] []

Parsing strategy

At first glance, the log pattern looks like a CSV with [space] as the separator. The main format is as follows:

[[Event] [Hostname] [Date/Time] [ClientIP] [UserDN] [Agentname] [Action] [Resource] [TransactionID] [Reason] [Status Message] [Impersonator Name] [Impersonator Dir Name]]

BUT the [Status Message] field is a free-text error status that reads like a sentence and is wrapped in neither double quotes nor brackets. A CSV split on the [space] character therefore cannot parse the line reliably, so we decided to use Grok patterns to solve this issue.

Conclusion: this parser relies only on Grok patterns, located under .
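The parsing strategy above, as an added example that is not the project's own parser. Grok patterns compile down to a regular expression with named groups, so the same structure is written here with Python's standard `re` module; the field names follow the format list on this page, while the grouping of fields inside the two quoted blocks is inferred from the log sample. The first three input lines are the page's sample; the fourth is a constructed line carrying a free-text Status Message, added to show why a plain split on the space character yields a different field count per line while the pattern still recovers every field.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample input: the three lines from the page plus a fourth,
# made-up line that carries a free-text Status Message (the hostnames,
# users, IPs and paths are placeholders, not real infrastructure).
SAMPLE_LINES = [
    'AssertionGenerate thsssosit06p [23/Feb/2017:12:19:33 +0100] " " "  " [] [0]  [] []',
    'ValidateAccept thsssosit06p [23/Feb/2017:12:19:27 +0100] '
    '"1.1.68.129 uid=T000000,ou=Internal,ou=People,o=group" '
    '"pghj-ws-dzefd.ezrd.dksjq GET /T2/Ts.ltc" '
    '[idletime=54000;maxtime=18000;authlevel=5;] [0]  [] []',
    'AuthAttempt thsssosit06p [23/Feb/2017:12:24:12 +0100] '
    '"1.1.4.162 T0000000" '
    '"azd.dzaz.azddd GET /profile/yoloapplications.php?polReboot" [] [0]  [] []',
    # Constructed: a non-empty Status Message with no quotes or brackets around it.
    'AuthReject thsssosit06p [23/Feb/2017:12:25:01 +0100] '
    '"1.1.4.162 T0000000" '
    '"azd.dzaz.azddd GET /profile/index.php" [] [2] '
    'Authentication rejected by policy server [] []',
]

# Grok patterns compile to a regular expression with named groups, so the same
# structure is written here with re.  Field names follow the page's format
# list; the grouping inside the two quoted blocks is inferred from the sample.
# The Status Message group is the only one that may contain bare spaces,
# which is exactly what breaks a split on " ".
SITEMINDER_RE = re.compile(
    r'^(?P<event>\S+) '
    r'(?P<hostname>\S+) '
    r'\[(?P<timestamp>[^\]]+)\] '
    r'"(?P<client_ip>[^" ]*) ?(?P<user_dn>[^"]*)" '
    r'"(?P<agent_name>[^" ]*) ?(?P<action>[^" ]*) ?(?P<resource>[^"]*)" '
    r'\[(?P<transaction_id>[^\]]*)\] '
    r'\[(?P<reason>[^\]]*)\] '
    r'(?P<status_message>.*?)\s*'      # free text: no quotes, no brackets
    r'\[(?P<impersonator_name>[^\]]*)\] '
    r'\[(?P<impersonator_dir_name>[^\]]*)\]$'
)


def parse_siteminder_line(line: str) -> Optional[dict]:
    """Return the 13 named fields of one line, or None if it does not match."""
    m = SITEMINDER_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def parse_timestamp(value: str) -> datetime:
    """Convert the bracketed SiteMinder timestamp into a timezone-aware datetime."""
    return datetime.strptime(value, "%d/%b/%Y:%H:%M:%S %z")


def naive_field_count(line: str) -> int:
    """Field count a plain CSV-on-space split would produce (varies per line)."""
    return len(line.split(" "))


def parse_all(lines):
    """Parse every line; unparsable ones are kept as None so they can be counted."""
    return [parse_siteminder_line(line) for line in lines]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        fields = parse_siteminder_line(line)
        print(naive_field_count(line), "space-separated tokens ->",
              fields["event"], repr(fields["status_message"]),
              parse_timestamp(fields["timestamp"]).isoformat())
```

Lines that do not match return `None` rather than a half-filled record, so a pipeline can count parse failures separately instead of silently shifting fields; the same regex can be transcribed into Grok syntax (`%{WORD:event}`, `%{HTTPDATE:timestamp}`, `%{DATA:status_message}` and so on) once the field boundaries are known.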