parse log file to obtain IPs with failed attempts

  • DjPal
    New Member
    • Dec 2009
    • 15

    parse log file to obtain IPs with failed attempts

    I am trying to parse through a log file to obtain the IP addresses with >5 failed
    login attempts. Firstly I'm trying to get the IP addresses, but there seems to be something wrong with the regular expression, I think. It would be good to export the addresses to another text file. Does anyone have any ideas where to go from here?

    Thank you.


    Code:
    #!/usr/local/bin/python
    file = open(location)
    for line in file:

        ips = ("(\d{1,3}\.){3 }\d{1,3}") ## get IPs
        print 'the ip addresses are ', ips
    Last edited by bvdet; Feb 28 '10, 07:19 PM. Reason: Fix code tags
  • bvdet
    Recognized Expert Specialist
    • Oct 2006
    • 2851

    #2
    Apparently you do not understand re. You begin by importing the module.
    Code:
    import re
    You created a pattern. Now you need to use that pattern in a statement involving a function defined in re. This can get pretty complicated and is beyond the scope of my abilities, so I will suggest that you go through this excellent tutorial.

    I might go about it like this:
    Code:
    import re

    # One octet (0-255), repeated four times and joined by literal dots
    s = r"(%s)" % (r"\.".join(['(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'] * 4))
    patt = re.compile(s)
    fn = "ip.txt"
    s = open(fn).read()
    i = 0
    results = []
    # walk the whole file, resuming each search just past the previous match
    while True:
        m = patt.search(s, i)
        if m:
            results.append(m.group(1))
            i = m.end() + 1
        else:
            break
    print(results)
    Below is the example file contents and output using the above code:
    Code:
    """other text127.1.1.125other text
    other text192.168.1.1other text
    fhhsdjkasls
    er992rosdf
    fjfrj234i
    llwefkkssedllother text'255.255.255.255
    4885.4556.455.4599
    asdfl;ojwerpo['j4t2"""
    
    >>> ['127.1.1.125', '192.168.1.1', '255.255.255.255']


    • DjPal
      New Member
      • Dec 2009
      • 15

      #3
      thanks a lot for setting me in the right direction!
      I now have;

      Code:
      import re

      s = r"(%s)" % (r"\.".join(['(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'] * 4))
      patt = re.compile(s)
      fn = "file"
      s = open(fn).read()
      i = 0

      # every IP found in the file, in order of appearance
      results = []
      while True:
          m = patt.search(s, i)
          if m:
              results.append(m.group(1))
              i = m.end() + 1
          else:
              break

      criteria = ['Failed password', 'Invalid user']
      criteria_count = {}
      count = 0

      # tally how often each IP appears
      for item in results:
          if item in criteria_count:
              count = criteria_count[item]
              count = count + 1
              criteria_count[item] = count

              if count > 10:
                  for dItem in criteria_count.keys():
                      print(dItem)
              else:
                  break

          else:
              criteria_count[item] = 1
      I'm trying to list the IPs which appear more than 10 times and have the 'criteria',
      but am slightly confused at this point!


      • bvdet
        Recognized Expert Specialist
        • Oct 2006
        • 2851

        #4
        This little bit of code should do what you want (untested):
        Code:
        ipDict = {}

        # results is the list of IPs built by the search loop above
        for item in results:
            ipDict[item] = ipDict.get(item, 0) + 1

        # print IPs with count > 10
        for key in ipDict:
            if ipDict[key] > 10:
                print(key)

        # create a list of IPs with count > 10
        frequent = [key for key in ipDict if ipDict[key] > 10]
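Putting the strict octet pattern from #2 and the tally from #4 together over actual auth-log lines, as an added example that is not code from this thread: it keeps only lines carrying one of the OP's failure strings (so a successful login from the same address is not counted), extracts the source address with the pattern anchored on both sides so that an out-of-range octet such as 192.0.2.300 cannot yield a bogus partial match of 192.0.2.30 the way the unanchored pattern would, counts per IP with collections.Counter, and writes the addresses over the threshold to a text file as the first post asked for. The sample log lines are constructed in OpenSSH auth.log format (not real traffic), the threshold of 5 follows the OP's first post, and `failed_login_ips`, `offenders` and `write_offenders` are my own helper names.

```python
import re
from collections import Counter

# One octet, 0-255: the same alternation as post #2.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
# Four octets joined by literal dots. The lookarounds refuse a digit or dot on
# either side, so "192.0.2.300" does not give a bogus "192.0.2.30" match.
IP_RE = re.compile(r"(?<![\d.])(" + r"\.".join([OCTET] * 4) + r")(?![\d.])")

# Strings that mark a failed login in OpenSSH's auth log (the OP's "criteria").
FAILURE_MARKERS = ("Failed password", "Invalid user")

# Constructed sample lines in OpenSSH auth.log format; not from a real host.
SAMPLE_LOG = """\
Feb 28 19:01:02 host sshd[1201]: Failed password for root from 203.0.113.5 port 52210 ssh2
Feb 28 19:01:03 host sshd[1201]: Failed password for root from 203.0.113.5 port 52211 ssh2
Feb 28 19:01:05 host sshd[1202]: Invalid user admin from 203.0.113.5
Feb 28 19:01:06 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 52212 ssh2
Feb 28 19:01:07 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 52213 ssh2
Feb 28 19:01:08 host sshd[1204]: Failed password for root from 203.0.113.5 port 52214 ssh2
Feb 28 19:02:00 host sshd[1210]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Feb 28 19:02:30 host sshd[1211]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Feb 28 19:03:00 host sshd[1212]: Failed password for root from 192.0.2.300 port 1 ssh2
"""


def failed_login_ips(lines, markers=FAILURE_MARKERS):
    """Count failed-login lines per source IP.

    Only lines containing one of `markers` are considered, so an "Accepted"
    line from the same address does not inflate its count. A line whose
    address is not a valid dotted quad (e.g. 192.0.2.300) is skipped.
    """
    counts = Counter()
    for line in lines:
        if not any(marker in line for marker in markers):
            continue
        match = IP_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def offenders(counts, threshold):
    """IPs with strictly more than `threshold` failures, most frequent first."""
    return [ip for ip, n in counts.most_common() if n > threshold]


def write_offenders(path, ips):
    """Export one IP per line to a text file; returns how many were written."""
    with open(path, "w") as fh:
        for ip in ips:
            fh.write(ip + "\n")
    return len(ips)


if __name__ == "__main__":
    counts = failed_login_ips(SAMPLE_LOG.splitlines())
    bad = offenders(counts, 5)
    print(bad)  # ['203.0.113.5']
    print(write_offenders("offenders.txt", bad), "address(es) written")
```

Filtering on the failure string before extracting the address is what makes the count meaningful: a list of every IP in the file, as the loop in #2 produces, would also count successful logins and addresses mentioned for other reasons.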
