Hi guys, I have an Apache log (with only a little information in it) and I would like to find the possible events related to a brute-force password attack.
I am considering finding the login-page access records that happened rapidly, within three seconds of each other. For example (just an example), if there are the following events:
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:33 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:20:36 -0700] "GET /config.php HTTP/1.0" 200 2326 "http://www.example.com/dashboard.php"
127.0.0.1 - frank [10/Oct/2000:13:10:00 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:19 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:18 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
The result will be:
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:33 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:19 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:18 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
What should the code be?
After solving this problem, I will be able to count the number of password attacks that occur and plot a time chart showing the attack pattern.
Thanks.
Hi,
Did you try using | timechart count span=3s ? This will give you a lot of spikes in the timechart graph, but it will group your events into 3 s intervals. You should only use this with a short time period.
Hi, can you try this:
Number of Password Attacks:
index=<your_index> | rex field=_raw "\s\"(GET|POST|DELETE|UPDATE)\s\/(?<Access>[^\.]+)" | search Access=login | stats count as "Password Attacks"
Plotting it in Timechart:
index=<your_index> | rex field=_raw "\s\"(GET|POST|DELETE|UPDATE)\s\/(?<Access>[^\.]+)" | search Access=login | timechart span=3s count as "Password Attacks"
Change span according to your need.
Let me know if this helps!
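As an added example (not code from the original question or from the Splunk answers above), here is the question's three-second burst criterion and the answers' "count" / "timechart span=3s" bucketing applied to the question's own sample lines in plain Python, for when the log is a file rather than a Splunk index. It parses the Apache line format shown in the question, keeps only requests for /login.php, chains requests from the same client whose gaps are at most three seconds into runs, and reports runs of at least two requests; the lone 13:10:00 request and the config.php request drop out exactly as in the expected result. The sample log, the gap of 3 s, the minimum run length of 2, and the helper names are all assumptions of this example. One caveat for a real investigation: repeated GET /login.php shows the login page being fetched, while credential submissions are usually POSTs, and an access log with only status 200 and a constant size cannot tell failed from successful logins, so treat the burst as a lead to confirm against application or auth logs.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the lines from the question (not a real server log).
SAMPLE_LOG = """\
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:36 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:35 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:34 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:33 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:55:32 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:20:36 -0700] "GET /config.php HTTP/1.0" 200 2326 "http://www.example.com/dashboard.php"
127.0.0.1 - frank [10/Oct/2000:13:10:00 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:20 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:19 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
127.0.0.1 - frank [10/Oct/2000:13:08:18 -0700] "GET /login.php HTTP/1.0" 200 2326 "http://www.example.com/login.php"
"""

# Apache access-log line as shown in the question: client, ident, user, [timestamp],
# "request", status, size, "referer". The request line is split into method/path/protocol.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # %z accepts the "-0700" offset, so timestamps compare correctly across zones.
    event["ts"] = datetime.strptime(event["time"], "%d/%b/%Y:%H:%M:%S %z")
    event["raw"] = line
    return event


def login_events(text, login_path="/login.php"):
    """All parsed requests for the login page, oldest first (the log is newest-first)."""
    events = (parse_line(line) for line in text.splitlines() if line.strip())
    hits = [e for e in events if e is not None and e["path"] == login_path]
    return sorted(hits, key=lambda e: e["ts"])


def burst_events(events, gap=timedelta(seconds=3), min_hits=2):
    """Return the events that belong to a burst: a run of requests from one client in
    which each request follows the previous one within `gap`. A run shorter than
    `min_hits` (such as the single 13:10:00 request) is not a burst and is dropped."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["ip"]].append(e)
    flagged = []
    for client_events in by_client.values():
        run = []
        for e in sorted(client_events, key=lambda x: x["ts"]):
            if run and e["ts"] - run[-1]["ts"] > gap:
                if len(run) >= min_hits:
                    flagged.extend(run)
                run = []
            run.append(e)
        if len(run) >= min_hits:
            flagged.extend(run)
    return sorted(flagged, key=lambda e: e["ts"])


def bucket_counts(events, span_seconds=3):
    """Count events per fixed span, like `timechart span=3s count`. Buckets are
    aligned to multiples of span_seconds on the Unix epoch; returns (epoch, count)."""
    counts = Counter(int(e["ts"].timestamp()) // span_seconds * span_seconds for e in events)
    return sorted(counts.items())


if __name__ == "__main__":
    hits = login_events(SAMPLE_LOG)
    bursts = burst_events(hits)
    print(f"{len(bursts)} of {len(hits)} login requests are part of a burst:")
    for e in bursts:
        print(e["raw"])
    print("\nrequests per 3 s bucket (like timechart span=3s count):")
    for epoch, n in bucket_counts(hits):
        print(datetime.fromtimestamp(epoch).isoformat(), n)
```

Running the script on the sample prints the thirteen expected lines (oldest first) and five buckets; raising the gap or lowering min_hits loosens the criterion, and replacing SAMPLE_LOG with the contents of a real access log works unchanged as long as the lines follow the same format.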
Hi, thank you for your advice. timechart span=3s count as "Password Attacks" is useful! However, it seems that the rex part has some mistakes, so there's an error telling me "Search Factory: Unknown search command 'post'."
Try this:
index=<your_index> | rex field=_raw "\s\"GET\s\/(?<Access>[^\.]+)" | search Access=login | timechart span=3s count as "Password Attacks"
The error disappeared. But no result is shown.
I am now trying to specify the url_path instead of using a regular expression. However, I cannot save the timechart to a dashboard. Do you know why?