Solved

Bruteforce Regex Help

Posted on 2011-03-16
8
499 Views
Last Modified: 2013-11-29
I have a requirement to do regex as part of bruteforce. I need to look in a file for the string
Wrong Password

[asterisk]
LOG=/var/log/asterisk/messages
MAX_ATTEMPT=2
PATTERN=.*Wrong password.*

the documentation says

# PATTERN:      A regular expression that defines the line to search for in the
#               log file. Each regular expression should be a standard POSIX.2
#               regular expression with a single set of ()s (brackets). The
#               brackets encase the part of the expression that matches the host
#               address. The host address is what is used to report the failure
#               attempt.


but I don't understand regex.

Any clues?

0
Question by:ip6net
8 Comments
 
LVL 5

Expert Comment

by:vks_vicky
ID: 35146805
Your RegEx would be like ^.*?\b(Wrong password)\b.*$
0
 
LVL 75

Expert Comment

by:Michel Plungjan
ID: 35147065
Why the brackets on the (Wrong password) ???

And why \b for that matter.
/.*Wrong password.*/
would be enough, no?
0
 

Author Comment

by:ip6net
ID: 35147106
I believe I need to give more info, as brutelock needs to know the IP to block it. I will get that info.
0
 
LVL 5

Expert Comment

by:vks_vicky
ID: 35147168
@mplungjan, that should work; brackets & word boundary (\b) for better readability and understanding.

@ip6net, not sure what you are relating. I am assuming that inside the brutelock log file, you want to find all the 'Wrong passwords' registered; for that you would need to write a script to read the file and find the regex provided.
0
 

Author Comment

by:ip6net
ID: 35150947
This is the default line supplied in brutelock

PATTERN=.*sshd*.*authentication failure.*rhost=([^ ]*).*

my log looks like this

Mar 16 11:05:27 boxname sshd[557]: Failed password for root from ::ffff:12.12.12.12 port 60224 ssh2

I want to change the pattern

I also want to do another PATTERN line using
a log file line that looks like this

[Mar 24 11:01:19] NOTICE[4052] chan_sip.c: Registration from '"245"<sip:245@1.1.1.1>' failed for '184.73.23.232' - No matching peer found

I understand the bruteforce program uses the ip it finds in the line and adds it to iptables
0
 
LVL 35

Expert Comment

by:Terry Woods
ID: 35152277
For this log line:
Mar 16 11:05:27 boxname sshd[557]: Failed password for root from ::ffff:12.12.12.12 port 60224 ssh2
A pattern like this should hopefully work:
PATTERN=.*Failed password.*:(\d+\.\d+\.\d+\.\d+\.)

And for this log line:
[Mar 24 11:01:19] NOTICE[4052] chan_sip.c: Registration from '"245"<sip:245@1.1.1.1>' failed for '184.73.23.232' - No matching peer found
A pattern like this should hopefully work (capturing the 2nd ip address):
PATTERN=.*'(\d+\.\d+\.\d+\.\d+\.)'.*No matching peer found
0
 
LVL 35

Expert Comment

by:Terry Woods
ID: 35152299
Sorry, corrections to those 2 patterns (I had one too many . characters in the IP address):
PATTERN=.*Failed password.*:(\d+\.\d+\.\d+\.\d+)
PATTERN=.*'(\d+\.\d+\.\d+\.\d+)'.*No matching peer found
0
 
LVL 35

Accepted Solution

by:
Terry Woods earned 500 total points
ID: 35152323
Note that the part capturing the IP address:
(\d+\.\d+\.\d+\.\d+\.)
could potentially be simplified to:
(\d+(\.\d+){3})

And, even better, it could be tightened up to limit each number to a max of 3 digits (you can go even further, and limit each number to 255, but it looks hideous and probably isn't necessary):
(\d{1,3}(\.\d{1,3}){3})
0
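To show what the two corrected patterns (and the tightened IP group from the accepted answer) actually capture, here is an added Python example, not code from the thread or from brutelock: it runs the patterns over constructed sample lines in both log formats, takes group 1 as the host address the way the PATTERN docs describe, and tallies failures per host against MAX_ATTEMPT. It spells the digit class as `[0-9]` rather than `\d`, because the docs ask for POSIX.2 regular expressions and `\d` is not part of POSIX syntax; the 0-255 octet check is done in code instead of in the regex, and the assumption that a host is blocked once its count reaches MAX_ATTEMPT is mine.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the two log formats quoted in the question.
SAMPLE_LOG = """\
Mar 16 11:05:27 boxname sshd[557]: Failed password for root from ::ffff:12.12.12.12 port 60224 ssh2
Mar 16 11:05:31 boxname sshd[559]: Failed password for root from ::ffff:12.12.12.12 port 60231 ssh2
Mar 16 11:06:02 boxname sshd[560]: Accepted password for alice from 10.0.0.5 port 50110 ssh2
[Mar 24 11:01:19] NOTICE[4052] chan_sip.c: Registration from '"245"<sip:245@1.1.1.1>' failed for '184.73.23.232' - No matching peer found
[Mar 24 11:01:20] NOTICE[4052] chan_sip.c: Registration from '"245"<sip:245@1.1.1.1>' failed for '184.73.23.232' - No matching peer found
[Mar 24 11:01:21] NOTICE[4052] chan_sip.c: Registration from '"245"<sip:245@1.1.1.1>' failed for '184.73.23.232' - No matching peer found
"""

# Tightened IP group from the accepted answer, with [0-9] instead of \d so the same
# text is valid POSIX ERE (what the PATTERN docs ask for) as well as Python re.
# Group 1 is the whole address; the inner (\.[0-9]{1,3}) group only drives the repeat.
IP = r"([0-9]{1,3}(\.[0-9]{1,3}){3})"
PATTERNS = [
    re.compile(r".*Failed password.*:" + IP),                # sshd line
    re.compile(r".*'" + IP + r"'.*No matching peer found"),  # Asterisk chan_sip line
]
# The first draft from the thread, kept to show why the trailing \. never matches.
BROKEN_SSH = re.compile(r".*Failed password.*:(\d+\.\d+\.\d+\.\d+\.)")

def extract_host(line, patterns=PATTERNS):
    """Return the host captured by group 1, or None if no pattern matches
    or the captured text is not a valid dotted quad (each octet 0-255)."""
    for pat in patterns:
        m = pat.match(line)
        if m:
            host = m.group(1)
            if all(0 <= int(octet) <= 255 for octet in host.split(".")):
                return host
    return None

def count_failures(log_text, patterns=PATTERNS):
    """Tally matching failure lines per host, as a brute-force blocker would."""
    counts = Counter()
    for line in log_text.splitlines():
        host = extract_host(line, patterns)
        if host:
            counts[host] += 1
    return counts

def hosts_to_block(counts, max_attempt=2):
    """Hosts whose failure count reached MAX_ATTEMPT (assumed threshold semantics)."""
    return sorted(h for h, n in counts.items() if n >= max_attempt)

if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    print(dict(failures))            # → {'12.12.12.12': 2, '184.73.23.232': 3}
    print(hosts_to_block(failures))  # → ['12.12.12.12', '184.73.23.232']
```

The greedy `.*:` in the sshd pattern backtracks to the last colon of `::ffff:`, so the IPv4-mapped prefix is skipped and only the dotted quad is captured.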
