  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 505

Bruteforce Regex Help

I have a requirement to do a regex as part of bruteforce. I need to look in a file for the string
Wrong Password

[asterisk]
LOG=/var/log/asterisk/messages
MAX_ATTEMPT=2
PATTERN=.*Wrong password.*

The documentation says:

# PATTERN:      A regular expression that defines the line to search for in the
#               log file. Each regular expression should be a standard POSIX.2
#               regular expression with a single set of ()s (brackets). The
#               brackets encase the part of the expression that matches the host
#               address. The host address is what is used to report the failure
#               attempt.


But I don't understand regex.

Any clues?

1 Solution
 
vks_vicky Commented:
Your RegEx would be like ^.*?\b(Wrong password)\b.*$
 
Michel Plungjan (IT Expert) Commented:
Why the brackets on the (Wrong password) ???

And why \b for that matter.
/.*Wrong password.*/
would be enough, no?
 
ip6net (Author) Commented:
I believe I need to give more info, as brutelock needs to know the IP to block it. I will get that info.
 
vks_vicky Commented:
@mplungjan, that should work; the brackets and word boundary (\b) are for better readability and understanding.

@ip6net, not sure what you are relating to. I am assuming that inside the brutelock log file you want to find all the 'Wrong passwords' registered; for that you would need to write a script to read the file and find the regex provided.
 
ip6net (Author) Commented:
This is the default line supplied in brutelock:

PATTERN=.*sshd*.*authentication failure.*rhost=([^ ]*).*

My log looks like this:

Mar 16 11:05:27 boxname sshd[557]: Failed password for root from ::ffff:12.12.12.12 port 60224 ssh2

I want to change the pattern.

I also want to do another PATTERN line using a log file line that looks like this:

[Mar 24 11:01:19] NOTICE[4052] chan_sip.c: Registration from '"245"<sip:245@1.1.1.1>' failed for '184.73.23.232' - No matching peer found

I understand the bruteforce program uses the IP it finds in the line and adds it to iptables.
 
Terry Woods (IT Guru) Commented:
For this log line:
Mar 16 11:05:27 boxname sshd[557]: Failed password for root from ::ffff:12.12.12.12 port 60224 ssh2
A pattern like this should hopefully work:
PATTERN=.*Failed password.*:(\d+\.\d+\.\d+\.\d+\.)

And for this log line:
[Mar 24 11:01:19] NOTICE[4052] chan_sip.c: Registration from '"245"<sip:245@1.1.1.1>' failed for '184.73.23.232' - No matching peer found
A pattern like this should hopefully work (capturing the 2nd ip address):
PATTERN=.*'(\d+\.\d+\.\d+\.\d+\.)'.*No matching peer found
 
Terry Woods (IT Guru) Commented:
Sorry, corrections to those 2 patterns (I had one too many . characters in the IP address):
PATTERN=.*Failed password.*:(\d+\.\d+\.\d+\.\d+)
PATTERN=.*'(\d+\.\d+\.\d+\.\d+)'.*No matching peer found
 
Terry Woods (IT Guru) Commented:
Note that the part capturing the IP address:
(\d+\.\d+\.\d+\.\d+\.)
could potentially be simplified to:
(\d+(\.\d+){3})

And, even better, it could be tightened up to limit each number to a max of 3 digits (you can go even further, and limit each number to 255, but it looks hideous and probably isn't necessary):
(\d{1,3}(\.\d{1,3}){3})
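Putting the accepted patterns to work offline (an added example, not code from any poster or from brutelock): the script below runs the sshd and chan_sip.c patterns from Terry Woods' answers over constructed log lines, takes the host address from the single capture group as the brutelock documentation describes, and counts failures per host against MAX_ATTEMPT. It uses [0-9] rather than \d because the documentation quoted in the question asks for POSIX.2 regular expressions, which define [0-9] and [[:digit:]] but not the Perl-style \d. Treating a host as blockable once its failures exceed MAX_ATTEMPT is an assumption; the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the two line formats quoted in the thread.
SAMPLE_LOG = """\
Mar 16 11:05:27 boxname sshd[557]: Failed password for root from ::ffff:12.12.12.12 port 60224 ssh2
Mar 16 11:05:31 boxname sshd[557]: Failed password for root from ::ffff:12.12.12.12 port 60225 ssh2
Mar 16 11:05:40 boxname sshd[561]: Failed password for admin from ::ffff:12.12.12.12 port 60230 ssh2
Mar 16 11:06:02 boxname sshd[570]: Accepted password for alice from ::ffff:10.0.0.5 port 51000 ssh2
[Mar 24 11:01:19] NOTICE[4052] chan_sip.c: Registration from '"245"<sip:245@1.1.1.1>' failed for '184.73.23.232' - No matching peer found
[Mar 24 11:01:20] NOTICE[4052] chan_sip.c: Registration from '"246"<sip:246@1.1.1.1>' failed for '184.73.23.232' - No matching peer found
[Mar 24 11:01:21] NOTICE[4052] chan_sip.c: Registration from '"247"<sip:247@1.1.1.1>' failed for '184.73.23.232' - No matching peer found
"""

# One set of ()s around the host address, POSIX-style digit class (no \d).
IPV4 = r"([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

PATTERNS = {
    # Greedy .* backtracks to the ':' that directly precedes the dotted quad,
    # so the ::ffff: IPv4-mapped prefix is skipped and only 12.12.12.12 is captured.
    "sshd": re.compile(r".*Failed password.*:" + IPV4),
    # Requires the IP to be wrapped in single quotes, so the '1.1.1.1' inside
    # the SIP URI (followed by '>') is not the one captured.
    "asterisk": re.compile(r".*'" + IPV4 + r"'.*No matching peer found"),
}

def extract_host(line, pattern):
    """Return the host address from capture group 1, or None if no match."""
    m = pattern.match(line)
    return m.group(1) if m else None

def count_failures(log_text, patterns=PATTERNS):
    """Count matching lines per host; each line is credited to at most one pattern."""
    counts = Counter()
    for line in log_text.splitlines():
        for pat in patterns.values():
            host = extract_host(line, pat)
            if host:
                counts[host] += 1
                break
    return counts

def hosts_over_limit(counts, max_attempt):
    """Hosts whose failure count exceeds MAX_ATTEMPT (assumed blocking rule)."""
    return sorted(h for h, n in counts.items() if n > max_attempt)

if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    print(dict(failures))
    print("over limit:", hosts_over_limit(failures, 2))  # MAX_ATTEMPT=2 from the question
```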
