Hi guys, I have an Apache log (with only few information) and I would like to find out the possible events related to brute force password attack.
I am considering to find the login page access records which happened rapidly within three seconds. For example (just an example), if there are the following events:
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:33 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:20:36 -0700] "GET /config.php HTTP/1.0" 200 2326 "http://www.example.com/dashboard.php"
127.0.0.1 - frank [10/Oct/2000:13:10:00 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:19 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:18 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
The result will be:
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:33 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:19 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:18 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
What should the code be?
I will be able to count the number of password attack occur and plot a time chart showing the attack pattern, after solving this problem.
Thanks.
... View more