in reply to Brute Force Attacks

Please edit your post or re-post altogether, as something went horribly wrong. Make sure to use the "preview" button.

Replies are listed 'Best First'.
Brute Force Attacks
by AbCraig (Initiate) on Nov 06, 2011 at 02:23 UTC

    I am relatively new to perl and would like some assistance. I have been at this for quite some time. What I am looking for is a way to extract certain information from a log file. I have attached a sample of the log file and the desired output as well as the code I have thus far

    ======================================= Request: 10.122.11.235 - - Tue Mar 9 22:27:46 2004 "GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS HTTP/1.0" 200 566 Handler: proxy-server Error: mod_security: pausing http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS for 50000 ms ---------------------------------------- GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS HTTP/1.0 Accept: */* Accept-Language: en Connection: Keep-Alive mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST. mod_security-action: 200 HTTP/1.0 200 OK Connection: close

    SAMPLE OUTPUT I AM LOOKING FOR:
    Attacker’s address 10.122.11.235
    Username:loginc,Password:exodus:PASS

    I have been extracting data from the log file for example, the Top 10 results of mod_security-message header. I am looking for something similar. Thanks

    
open (LOGFILE2,"audit_log") || die "  Error opening log file $logFile.
+\n";
   #printf "<pre>\n";
   while (<LOGFILE2>) {


if (/mod_security-message[:](.*)\./)
{

$MOD_SEC{$1}++

}



 close (LOGFILE);



   #--------------------------------------#
   #  Output the number of hits per file  #
   #--------------------------------------#

   print "TOP $NUM_RECS_TO_PRINT PATTERN MATCH:\n";
   print "-----------------------------\n\n";
   $count=1;
   foreach my $modsec (sort {$MOD_SEC{$b} <=> $MOD_SEC{$a}} (keys(%MOD
+_SEC))) {
      last if ($count > $NUM_RECS_TO_PRINT);
      print "$count\t$modsec= $MOD_SEC{$modsec}  \n";
    
      $count++;
   }
   print "\n\n";

    [download]
[reply]
[d/l]
      Is this a log file format that you came up with? If so, and if it's a format you can modify, I suggest you change the format to better fit your needs. Logs are usually meant to be read (easily) by humans and yours is giving me a headache.
[reply]
[reply]

In Section Seekers of Perl Wisdom