Solved

Bruteforce Regex Help

Posted on 2011-03-16
8
490 Views
Last Modified: 2013-11-29
I have a requirement to do regex as part of bruteforce i need to look in a file for the string
Wrong Password

[asterisk]
LOG=/var/log/asterisk/messages
MAX_ATTEMPT=2
PATTERN=.*Wrong password.*

the documentation says

# PATTERN:      A regular expression that defines the line to search for in the
#               log file. Each regular expression should be a standard POSIX.2
#               regular expression with a single set of ()s (brackets). The
#               brackets encase the part of the expression that matches the host
#               address. The host address is what is used to report the failure
#               attempt.


but i dont understand regex

any clues

0
Comment
Question by:ip6net
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 5

Expert Comment

by:vks_vicky
ID: 35146805
Your RegEx would be like ^.*?\b(Wrong password)\b.*$
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 35147065
Why the brackets on the (Wrong password) ???

And why \b for that matter.
/.*Wrong password.*/
would be enough, no?
0
 

Author Comment

by:ip6net
ID: 35147106
i believe i need to give more info as brutelock needs to know the ip to block it, i will get that info
0
 
LVL 5

Expert Comment

by:vks_vicky
ID: 35147168
@mplungjan, that's should work, brackets & word boundary (\b) for better readability and understanding.

@ip6net, not sure what your are relating. I am assuming that inside the brutelock log file, you want to find all the 'Wrong passwords' registered, for that you would need to write a script to read the file and find the regex provided.
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 

Author Comment

by:ip6net
ID: 35150947
This is the default line supplied in brutelock

PATTERN=.*sshd*.*authentication failure.*rhost=([^ ]*).*

my log looks like this

Mar 16 11:05:27 boxname sshd[557]: Failed password for root from ::ffff:12.12.12.12 port 60224 ssh2

I want to change the pattern

I also want to do another PATTERN line using
a log file line that looks like this

[Mar 24 11:01:19] NOTICE[4052] chan_sip.c: Registration from '"245"<sip:245@1.1.1.1>' failed for '184.73.23.232' - No matching peer found

I understand the bruteforce program uses the ip it finds in the line and adds it to iptables
0
 
LVL 35

Expert Comment

by:Terry Woods
ID: 35152277
For this log line:
Mar 16 11:05:27 boxname sshd[557]: Failed password for root from ::ffff:12.12.12.12 port 60224 ssh2
A pattern like this should hopefully work:
PATTERN=.*Failed password.*:(\d+\.\d+\.\d+\.\d+\.)

And for this log line:
[Mar 24 11:01:19] NOTICE[4052] chan_sip.c: Registration from '"245"<sip:245@1.1.1.1>' failed for '184.73.23.232' - No matching peer found
A pattern like this should hopefully work (capturing the 2nd ip address):
PATTERN=.*'(\d+\.\d+\.\d+\.\d+\.)'.*No matching peer found
0
 
LVL 35

Expert Comment

by:Terry Woods
ID: 35152299
Sorry, corrections to those 2 patterns (I had one too many . characters in the IP address):
PATTERN=.*Failed password.*:(\d+\.\d+\.\d+\.\d+)
PATTERN=.*'(\d+\.\d+\.\d+\.\d+)'.*No matching peer found
0
 
LVL 35

Accepted Solution

by:
Terry Woods earned 500 total points
ID: 35152323
Note that the part capturing the IP address:
(\d+\.\d+\.\d+\.\d+\.)
could potentially be simplified to:
(\d+(\.\d+){3})

And, even better, it could be tightened up to limit each number to a max of 3 digits (you can go even further, and limit each number to 255, but it looks hideous and probably isn't necessary):
(\d{1,3}(\.\d{1,3}){3})
0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

Suggested Solutions

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
The viewer will learn how to dynamically set the form action using jQuery.
In this fifth video of the Xpdf series, we discuss and demonstrate the PDFdetach utility, which is able to list and, more importantly, extract attachments that are embedded in PDF files. It does this via a command line interface, making it suitable …

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now