I must be missing something because i don't see "exodus" anywhere in the logfile.

If the log file is consistently built like the extract you show, it seems to me that a simple approach would work : 

use strict ; 
use warnings ; 

my $login ; 
my $pass ; 
my $ip ; 
for my $line (<DATA>) {
    
    if ( $line =~ m/^Request: (\d+\.\d+.\d+\.\d+).*login=(.*)&passwd=(
+[^\s]+)/ ) {
        $ip = $1 ; 
        $login = $2 ; 
        $pass = $3 ; 
    } elsif ( $line =~ m/^Error: mod_security/) {
        print "Attacker : $ip\n" ;  
        print "Login : $login, Password : $pass \n\n" ; 
    }        
        
}
    
__DATA__
Request: 10.122.11.235 - - [Tue Mar  9 22:27:46 2004] "GET http://sbc2
+.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src
+=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://j
+pager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS HTTP/1.0
+" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://sbc2.login.dcn.yahoo.com/config/l
+ogin?.redir_from=PROFILES?&amp;.tries=1&amp;.src=jpg&amp;.last=&amp;p
+romo=&amp;.intl=us&amp;.bypass=&amp;.partner=&amp;.chkP=Y&amp;.done=h
+ttp://jpager.yahoo.com/jpager/pager2.shtml&amp;login=loginc&amp;passw
+d=PASS] for 50000 ms
----------------------------------------
GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?
+&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&
+.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd
+=PASS HTTP/1.0
Accept: */*
Accept-Language: en
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "pass
+wd=" at THE_REQUEST.
mod_security-action: 200

HTTP/1.0 200 OK
Connection: close

[download]
Output: 
Attacker : 10.122.11.235
Login : loginc, Password : PASS

[download]

In reply to Re: Brute Force Attacks by ZlR
in thread Brute Force Attacks by AbCraig

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.