Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Bruteforce Regex Help

Posted on 2011-03-16
8
Medium Priority
?
502 Views
Last Modified: 2013-11-29
I have a requirement to do regex as part of bruteforce i need to look in a file for the string
Wrong Password

[asterisk]
LOG=/var/log/asterisk/messages
MAX_ATTEMPT=2
PATTERN=.*Wrong password.*

the documentation says

# PATTERN:      A regular expression that defines the line to search for in the
#               log file. Each regular expression should be a standard POSIX.2
#               regular expression with a single set of ()s (brackets). The
#               brackets encase the part of the expression that matches the host
#               address. The host address is what is used to report the failure
#               attempt.


but i dont understand regex

any clues

0
Comment
Question by:ip6net
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 5

Expert Comment

by:vks_vicky
ID: 35146805
Your RegEx would be like ^.*?\b(Wrong password)\b.*$
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 35147065
Why the brackets on the (Wrong password) ???

And why \b for that matter.
/.*Wrong password.*/
would be enough, no?
0
 

Author Comment

by:ip6net
ID: 35147106
i believe i need to give more info as brutelock needs to know the ip to block it, i will get that info
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 5

Expert Comment

by:vks_vicky
ID: 35147168
@mplungjan, that's should work, brackets & word boundary (\b) for better readability and understanding.

@ip6net, not sure what your are relating. I am assuming that inside the brutelock log file, you want to find all the 'Wrong passwords' registered, for that you would need to write a script to read the file and find the regex provided.
0
 

Author Comment

by:ip6net
ID: 35150947
This is the default line supplied in brutelock

PATTERN=.*sshd*.*authentication failure.*rhost=([^ ]*).*

my log looks like this

Mar 16 11:05:27 boxname sshd[557]: Failed password for root from ::ffff:12.12.12.12 port 60224 ssh2

I want to change the pattern

I also want to do another PATTERN line using
a log file line that looks like this

[Mar 24 11:01:19] NOTICE[4052] chan_sip.c: Registration from '"245"<sip:245@1.1.1.1>' failed for '184.73.23.232' - No matching peer found

I understand the bruteforce program uses the ip it finds in the line and adds it to iptables
0
 
LVL 35

Expert Comment

by:Terry Woods
ID: 35152277
For this log line:
Mar 16 11:05:27 boxname sshd[557]: Failed password for root from ::ffff:12.12.12.12 port 60224 ssh2
A pattern like this should hopefully work:
PATTERN=.*Failed password.*:(\d+\.\d+\.\d+\.\d+\.)

And for this log line:
[Mar 24 11:01:19] NOTICE[4052] chan_sip.c: Registration from '"245"<sip:245@1.1.1.1>' failed for '184.73.23.232' - No matching peer found
A pattern like this should hopefully work (capturing the 2nd ip address):
PATTERN=.*'(\d+\.\d+\.\d+\.\d+\.)'.*No matching peer found
0
 
LVL 35

Expert Comment

by:Terry Woods
ID: 35152299
Sorry, corrections to those 2 patterns (I had one too many . characters in the IP address):
PATTERN=.*Failed password.*:(\d+\.\d+\.\d+\.\d+)
PATTERN=.*'(\d+\.\d+\.\d+\.\d+)'.*No matching peer found
0
 
LVL 35

Accepted Solution

by:
Terry Woods earned 2000 total points
ID: 35152323
Note that the part capturing the IP address:
(\d+\.\d+\.\d+\.\d+\.)
could potentially be simplified to:
(\d+(\.\d+){3})

And, even better, it could be tightened up to limit each number to a max of 3 digits (you can go even further, and limit each number to 255, but it looks hideous and probably isn't necessary):
(\d{1,3}(\.\d{1,3}){3})
0

Featured Post

Survive A High-Traffic Event with Percona

Your application or website rely on your database to deliver information about products and services to your customers. You can’t afford to have your database lose performance, lose availability or become unresponsive – even for just a few minutes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is written by John Gates, CISSP. Gates, the SNUG President-Elect, currently holds the position of Manager of Information Systems at Lake Park High School in Roselle, Illinois.
Check out what's been happening in the Experts Exchange community.
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)
This video Micro Tutorial shows how to password-protect PDF files with free software. Many software products can do this, such as Adobe Acrobat (but not Adobe Reader), Nuance PaperPort, and Nuance Power PDF, but they are not free products. This vide…

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question