Solved

Bruteforce Regex Help

Posted on 2011-03-16
8
496 Views
Last Modified: 2013-11-29
I have a requirement to do regex as part of bruteforce i need to look in a file for the string
Wrong Password

[asterisk]
LOG=/var/log/asterisk/messages
MAX_ATTEMPT=2
PATTERN=.*Wrong password.*

the documentation says

# PATTERN:      A regular expression that defines the line to search for in the
#               log file. Each regular expression should be a standard POSIX.2
#               regular expression with a single set of ()s (brackets). The
#               brackets encase the part of the expression that matches the host
#               address. The host address is what is used to report the failure
#               attempt.


but i dont understand regex

any clues

0
Comment
Question by:ip6net
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 5

Expert Comment

by:vks_vicky
ID: 35146805
Your RegEx would be like ^.*?\b(Wrong password)\b.*$
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 35147065
Why the brackets on the (Wrong password) ???

And why \b for that matter.
/.*Wrong password.*/
would be enough, no?
0
 

Author Comment

by:ip6net
ID: 35147106
i believe i need to give more info as brutelock needs to know the ip to block it, i will get that info
0
MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

 
LVL 5

Expert Comment

by:vks_vicky
ID: 35147168
@mplungjan, that's should work, brackets & word boundary (\b) for better readability and understanding.

@ip6net, not sure what your are relating. I am assuming that inside the brutelock log file, you want to find all the 'Wrong passwords' registered, for that you would need to write a script to read the file and find the regex provided.
0
 

Author Comment

by:ip6net
ID: 35150947
This is the default line supplied in brutelock

PATTERN=.*sshd*.*authentication failure.*rhost=([^ ]*).*

my log looks like this

Mar 16 11:05:27 boxname sshd[557]: Failed password for root from ::ffff:12.12.12.12 port 60224 ssh2

I want to change the pattern

I also want to do another PATTERN line using
a log file line that looks like this

[Mar 24 11:01:19] NOTICE[4052] chan_sip.c: Registration from '"245"<sip:245@1.1.1.1>' failed for '184.73.23.232' - No matching peer found

I understand the bruteforce program uses the ip it finds in the line and adds it to iptables
0
 
LVL 35

Expert Comment

by:Terry Woods
ID: 35152277
For this log line:
Mar 16 11:05:27 boxname sshd[557]: Failed password for root from ::ffff:12.12.12.12 port 60224 ssh2
A pattern like this should hopefully work:
PATTERN=.*Failed password.*:(\d+\.\d+\.\d+\.\d+\.)

And for this log line:
[Mar 24 11:01:19] NOTICE[4052] chan_sip.c: Registration from '"245"<sip:245@1.1.1.1>' failed for '184.73.23.232' - No matching peer found
A pattern like this should hopefully work (capturing the 2nd ip address):
PATTERN=.*'(\d+\.\d+\.\d+\.\d+\.)'.*No matching peer found
0
 
LVL 35

Expert Comment

by:Terry Woods
ID: 35152299
Sorry, corrections to those 2 patterns (I had one too many . characters in the IP address):
PATTERN=.*Failed password.*:(\d+\.\d+\.\d+\.\d+)
PATTERN=.*'(\d+\.\d+\.\d+\.\d+)'.*No matching peer found
0
 
LVL 35

Accepted Solution

by:
Terry Woods earned 500 total points
ID: 35152323
Note that the part capturing the IP address:
(\d+\.\d+\.\d+\.\d+\.)
could potentially be simplified to:
(\d+(\.\d+){3})

And, even better, it could be tightened up to limit each number to a max of 3 digits (you can go even further, and limit each number to 255, but it looks hideous and probably isn't necessary):
(\d{1,3}(\.\d{1,3}){3})
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Intel fortran compiler (ifort) 5 38
Moving from Mcrypt to OpenSSL 18 45
Migrating a Linux server to VMware 3 58
Batch File- Finding Drive Description 11 17
How do we balance the user experience (UX) with reasonable security measures? It can be done, if you keep these fundamentals in mind.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question