dissect.target.plugins.apps.webserver.citrix

Module Contents

Classes

CitrixWebserverPlugin

Apache log parsing plugin for Citrix specific logs.

Attributes

LOG_FORMAT_CITRIX_NETSCALER_ACCESS_COMBINED_RESPONSE_TIME
LOG_FORMAT_CITRIX_NETSCALER_ACCESS_COMBINED_RESPONSE_TIME_WITH_HEADERS

dissect.target.plugins.apps.webserver.citrix.LOG_FORMAT_CITRIX_NETSCALER_ACCESS_COMBINED_RESPONSE_TIME

dissect.target.plugins.apps.webserver.citrix.LOG_FORMAT_CITRIX_NETSCALER_ACCESS_COMBINED_RESPONSE_TIME_WITH_HEADERS

class dissect.target.plugins.apps.webserver.citrix.CitrixWebserverPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugins.apps.webserver.apache.ApachePlugin

Apache log parsing plugin for Citrix specific logs.

Citrix uses Apache with custom access log formats. These are:

LogFormat "%{Citrix-ns-orig-srcip}i -> %{Citrix-ns-orig-destip}i %l %u %t [%P] "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "Time: %D microsecs"" combined_resptime_with_citrix_hdrs
LogFormat "%a %l %u %t [%P] "%r" %>s %b "%{Referer}i" "%{User-Agent}i" "Time: %D microsecs"" combined_resptime

__namespace__ = 'citrix'

ACCESS_LOG_NAMES

ERROR_LOG_NAMES

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

static infer_access_log_format(line: str) → dissect.target.plugins.apps.webserver.apache.LogFormat

Attempt to infer what standard LogFormat is used. Returns None if no known format can be inferred.

Three default log type examples from Apache (note that the ipv4 could also be ipv6)

Combined:

1.2.3.4 - - [19/Dec/2022:17:25:12 +0100] "GET / HTTP/1.1" 304 247 "-" "Mozilla/5.0
            (Windows NT 10.0; Win64; x64); AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0
            Safari/537.36"

Common:

1.2.3.4 - - [19/Dec/2022:17:25:40 +0100] "GET / HTTP/1.1" 200 312

vhost_combined:

example.com:80 1.2.3.4 - - [19/Dec/2022:17:25:40 +0100] "GET / HTTP/1.1" 200 312 "-"
"Mozilla/5.0 (Windows NT 10.0; Win64; x64); AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/108.0.0.0 Safari/537.36"