Brute Force Attacks

AbCraig has asked for the wisdom of the Perl Monks concerning the following question:

I am relatively new to perl and would like some assistance. I have been at this for quite some time. What I am looking for is a way to extract certain information from a log file. I have attached a sample of the log file and the desired output as well as the code I have thus far

=======================================

Request: 10.122.11.235 - - [Tue Mar  9 22:27:46 2004] "GET http://sbc2
+.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src
+=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://j
+pager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS HTTP/1.0
+" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://sbc2.login.dcn.yahoo.com/config/l
+ogin?.redir_from=PROFILES?&amp;.tries=1&amp;.src=jpg&amp;.last=&amp;p
+romo=&amp;.intl=us&amp;.bypass=&amp;.partner=&amp;.chkP=Y&amp;.done=h
+ttp://jpager.yahoo.com/jpager/pager2.shtml&amp;login=loginc&amp;passw
+d=PASS] for 50000 ms
----------------------------------------
GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?
+&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&
+.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd
+=PASS HTTP/1.0
Accept: */*
Accept-Language: en
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "pass
+wd=" at THE_REQUEST.
mod_security-action: 200

HTTP/1.0 200 OK
Connection: close
[download]

SAMPLE OUTPUT I AM LOOKING FOR:

Attacker’s address 10.122.11.235
Username:loginc,Password:exodus:PASS
[download]

I have been extracting data from the log file for example, the Top 10 results of mod_security-message header. I am looking for something similar. Thanks

open (LOGFILE2,"audit_log") || die "  Error opening log file $logFile.
+\n";
   #printf "<pre>\n";
   while (<LOGFILE2>) {


if (/mod_security-message[:](.*)\./)
{

$MOD_SEC{$1}++

}



 close (LOGFILE);



   #--------------------------------------#
   #  Output the number of hits per file  #
   #--------------------------------------#

   print "TOP $NUM_RECS_TO_PRINT PATTERN MATCH:\n";
   print "-----------------------------\n\n";
   $count=1;
   foreach my $modsec (sort {$MOD_SEC{$b} <=> $MOD_SEC{$a}} (keys(%MOD
+_SEC))) {
      last if ($count > $NUM_RECS_TO_PRINT);
      print "$count\t$modsec= $MOD_SEC{$modsec}  \n";
    
      $count++;
   }
   print "\n\n";
[download]

Comment on Brute Force Attacks Select or Download Code

Replies are listed 'Best First'.
Re: Brute Force Attacks by ZlR (Chaplain) on Nov 06, 2011 at 10:57 UTC
I must be missing something because i don't see "exodus" anywhere in the logfile. If the log file is consistently built like the extract you show, it seems to me that a simple approach would work : use strict ; use warnings ; my $login ; my $pass ; my $ip ; for my $line (<DATA>) { if ( $line =~ m/^Request: (\d+\.\d+.\d+\.\d+).login=(.)&passwd=( +[^\s]+)/ ) { $ip = $1 ; $login = $2 ; $pass = $3 ; } elsif ( $line =~ m/^Error: mod_security/) { print "Attacker : $ip\n" ; print "Login : $login, Password : $pass \n\n" ; } } __DATA__ Request: 10.122.11.235 - - [Tue Mar 9 22:27:46 2004] "GET http://sbc2 +.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src +=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://j +pager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS HTTP/1.0 +" 200 566 Handler: proxy-server Error: mod_security: pausing [http://sbc2.login.dcn.yahoo.com/config/l +ogin?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&p +romo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=h +ttp://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passw +d=PASS] for 50000 ms ---------------------------------------- GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES? +&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y& +.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd +=PASS HTTP/1.0 Accept: / Accept-Language: en Connection: Keep-Alive mod_security-message: Access denied with code 200. Pattern match "pass +wd=" at THE_REQUEST. mod_security-action: 200 HTTP/1.0 200 OK Connection: close [download] Output: `Attacker : 10.122.11.235 Login : loginc, Password : PASS` [download]	[reply] [d/l] [select]
Re: Brute Force Attacks by onelesd (Pilgrim) on Nov 06, 2011 at 02:05 UTC
Please edit your post or re-post altogether, as something went horribly wrong. Make sure to use the "preview" button.	[reply]
Brute Force Attacks by AbCraig (Initiate) on Nov 06, 2011 at 02:23 UTC
I am relatively new to perl and would like some assistance. I have been at this for quite some time. What I am looking for is a way to extract certain information from a log file. I have attached a sample of the log file and the desired output as well as the code I have thus far ======================================= Request: 10.122.11.235 - - Tue Mar 9 22:27:46 2004 "GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS HTTP/1.0" 200 566 Handler: proxy-server Error: mod_security: pausing http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS for 50000 ms ---------------------------------------- GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS HTTP/1.0 Accept: / Accept-Language: en Connection: Keep-Alive mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST. mod_security-action: 200 HTTP/1.0 200 OK Connection: close SAMPLE OUTPUT I AM LOOKING FOR: Attacker’s address 10.122.11.235 Username:loginc,Password:exodus:PASS I have been extracting data from the log file for example, the Top 10 results of mod_security-message header. I am looking for something similar. Thanks open (LOGFILE2,"audit_log") \|\| die " Error opening log file $logFile. +\n"; #printf "<pre>\n"; while (<LOGFILE2>) { if (/mod_security-message[:](.*)\./) { $MOD_SEC{$1}++ } close (LOGFILE); #--------------------------------------# # Output the number of hits per file # #--------------------------------------# print "TOP $NUM_RECS_TO_PRINT PATTERN MATCH:\n"; print "-----------------------------\n\n"; $count=1; foreach my $modsec (sort {$MOD_SEC{$b} <=> $MOD_SEC{$a}} (keys(%MOD +_SEC))) { last if ($count > $NUM_RECS_TO_PRINT); print "$count\t$modsec= $MOD_SEC{$modsec} \n"; $count++; } print "\n\n"; [download]	[reply] [d/l]
Re: Brute Force Attacks by onelesd (Pilgrim) on Nov 06, 2011 at 02:31 UTC
Is this a log file format that you came up with? If so, and if it's a format you can modify, I suggest you change the format to better fit your needs. Logs are usually meant to be read (easily) by humans and yours is giving me a headache.	[reply]
Re^2: Brute Force Attacks by AbCraig (Initiate) on Nov 06, 2011 at 03:48 UTC
Re^3: Brute Force Attacks by davido (Cardinal) on Nov 06, 2011 at 05:38 UTC
Re: Brute Force Attacks by JavaFan (Canon) on Nov 06, 2011 at 21:58 UTC
Untested: `while (<LOGFILE2>) { /^Request:\s+(\S+).&login=([^&\s]+).&passwd=([^&\s]+)/ and print "Attacker’s address $1\nUsername:$2,Password:exodus:$3\n +"; }` [download]	[reply] [d/l]