in reply to Re: Brute Force Attacks
in thread Brute Force Attacks

I am relatively new to Perl and would like some assistance. I have been at this for quite some time. What I am looking for is a way to extract certain information from a log file. I have attached a sample of the log file and the desired output, as well as the code I have thus far.

========================================
Request: 10.122.11.235 - - Tue Mar 9 22:27:46 2004 "GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS for 50000 ms
----------------------------------------
GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS HTTP/1.0
Accept: */*
Accept-Language: en
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
mod_security-action: 200

HTTP/1.0 200 OK
Connection: close

SAMPLE OUTPUT I AM LOOKING FOR:
Attacker’s address 10.122.11.235
Username:loginc,Password:exodus:PASS

I have been extracting data from the log file, for example the top 10 results of the mod_security-message header. I am looking for something similar. Thanks.

#!/usr/bin/perl
use strict;
use warnings;

my $logFile = "audit_log";
my $NUM_RECS_TO_PRINT = 10;   # how many entries of the top list to print
my %MOD_SEC;                  # mod_security message => number of hits

open (LOGFILE2, $logFile) || die " Error opening log file $logFile.\n";
#printf "<pre>\n";
while (<LOGFILE2>) {
    # keep the text after "mod_security-message:" up to the last period
    if (/mod_security-message[:](.*)\./) { $MOD_SEC{$1}++ }
}
close (LOGFILE2);

#--------------------------------------#
# Output the number of hits per file   #
#--------------------------------------#
print "TOP $NUM_RECS_TO_PRINT PATTERN MATCH:\n";
print "-----------------------------\n\n";
my $count = 1;
foreach my $modsec (sort { $MOD_SEC{$b} <=> $MOD_SEC{$a} } keys %MOD_SEC) {
    last if ($count > $NUM_RECS_TO_PRINT);
    print "$count\t$modsec= $MOD_SEC{$modsec} \n";
    $count++;
}
print "\n\n";
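An added example of the extraction asked for above, written for this thread rather than taken from the poster's script or any reply. It assumes Perl 5.10 or later (for the // operator); the embedded sample log is constructed in the audit_log layout shown above with the request headers trimmed, and its hostname, second address and password values are placeholders. Instead of printing the passwords it counts attempts and distinct passwords per address and username, which is what a brute-force check needs, and records requests whose credentials were not in the URL (e.g. a POST body) separately.

```perl
use strict;
use warnings;

# Constructed sample (not from the post) in the audit_log layout shown above; hosts/addresses are placeholders
my $sample = <<'END_LOG';
========================================
Request: 10.122.11.235 - - Tue Mar  9 22:27:46 2004 "GET http://login.example.com/config/login?.tries=1&login=loginc&passwd=PASS HTTP/1.0" 200 566
----------------------------------------
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
========================================
Request: 10.122.11.235 - - Tue Mar  9 22:27:52 2004 "GET http://login.example.com/config/login?.tries=2&login=loginc&passwd=PASS2 HTTP/1.0" 200 566
----------------------------------------
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
========================================
Request: 10.122.11.236 - - Tue Mar  9 22:28:03 2004 "POST http://login.example.com/config/login HTTP/1.0" 200 566
----------------------------------------
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
END_LOG

# A "Request:" line opens a record (client address + request line); the following mod_security-message line confirms the block
sub parse_audit_log {
    my ($text) = @_;
    my (%attempts, $ip, $url);
    for my $line (split /\n/, $text) {
        if ($line =~ /^Request:\s+(\S+)\s.*"(?:GET|POST)\s+(\S+)\s+HTTP/) {
            ($ip, $url) = ($1, $2);
        }
        elsif (defined $ip && $line =~ /^mod_security-message:/) {
            my %q = map { my ($k, $v) = split /=/, $_, 2; ($k, $v // '') } split /&/, ($url =~ /\?(.*)/ ? $1 : '');
            for (values %q) { tr/+/ /; s/%([0-9A-Fa-f]{2})/chr hex $1/ge }   # URL-decode the query values
            my $r = $attempts{$ip}{ $q{login} // '(not in URL)' } ||= { count => 0, passwords => {} };
            $r->{count}++;
            $r->{passwords}{ $q{passwd} }++ if defined $q{passwd};
            undef $ip;   # count each record once
        }
    }
    return \%attempts;
}

# Use the audit_log given on the command line (or the sample), then print one block per address with counts instead of passwords
my $text = @ARGV ? do { local $/; open my $fh, '<', $ARGV[0] or die "$ARGV[0]: $!"; <$fh> } : $sample;
my $attempts = parse_audit_log($text);
for my $ip (sort keys %$attempts) {
    print "Attacker's address $ip\n";
    for my $login (sort keys %{ $attempts->{$ip} }) {
        my $r = $attempts->{$ip}{$login};
        printf "  Username:%s attempts:%d distinct passwords:%d\n", $login, $r->{count}, scalar keys %{ $r->{passwords} };
    }
}
```

Run as `perl script.pl audit_log` against the real file; with no argument it parses the embedded sample and reports two attempts with two distinct passwords for loginc from 10.122.11.235.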

Re: Brute Force Attacks
by onelesd (Pilgrim) on Nov 06, 2011 at 02:31 UTC
    Is this a log file format that you came up with? If so, and if it's a format you can modify, I suggest you change the format to better fit your needs. Logs are usually meant to be read (easily) by humans and yours is giving me a headache.

        Have you even read Writeup Formatting Tips yet?

        <p> tags start paragraphs, and </p> tags end them.

        There's almost never a need for <br />

        Wrap your code in <code> and </code>, or <c> and </c> tags. That goes for your input and output examples as well.

        Read How do I compose an effective node title?.

        Post a snippet of code that you have actually started to write for the purpose of solving this specific problem. It appears to me that the code you posted is to solve a different task.

        Ask a specific question. Your existing posts are asking for someone to write a solution for you. There are people who will do that for you for a fee. But we help people to learn to program using Perl for free. So you must put out some effort showing that you are actually here to learn Perl, not just here to get us to write a script for you.


        Dave