There are various methods to find attack patterns for different types of attacks. Apache-scalp is one such tool, but the rule set is not available to find the brute-force attack pattern via regular expression. I would love to know the different regular expressions available for detecting brute-force attacks from an Apache log file.

Vikas
Uday
  • What kind of brute-force attack are you talking about? Do you mean attacks against your web application? – Vilius Povilaika Jan 29 '19 at 13:24
  • Your question is a bit vague. I don't think regexp are what you need, but with so little information to work with... could you elaborate please? Why do you need regexp only? Don't you have software to handle your logs and aggregate them? – Kaël Jan 29 '19 at 13:52
  • Finding bruteforce patterns from Apache log is rather vague? What kind of bruteforce are you talking about? Login credentials, directory bruteforce or common fuzzing? – yeah_well Jan 29 '19 at 14:01
  • @ViliusPovilaika Yes, attacks against web application so that the log of that attack is stored in access.log file. I want to find out through log file that the brute force attack is tried in my web application. – Uday Jan 30 '19 at 01:18
  • @Kaël I am trying to test the apache log file so that the brute force attack is being tried. Yes, there are other methods too for testing brute force attack from log, though I wanna know it via regexp also. – Uday Jan 30 '19 at 01:21
  • @VipulNair For this time, I wanna concentrate on login credentials & common fuzzing. – Uday Jan 30 '19 at 01:22
  • Like you said, simple analysis of logs should give you a good idea of the attack. Common strings such as union query can be seen in the Apache log when an attacker tries SQL injection. This should get you started: https://resources.infosecinstitute.com/log-analysis-web-attacks-beginners-guide/#gref – yeah_well Jan 30 '19 at 06:36
  • yes, this apache-scalp does not include brute-force attack – Uday Jan 30 '19 at 06:41

1 Answer

You can just run the grep command against the Apache access log, searching for your login page, use awk to carve out the source IP address, then use wc to count how many times a source IP hit your login page. That would be a simple way to check for brute force login attacks from a single source.
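
The pipeline this answer describes, as an added example that is not part of the original answer. It assumes the combined log format and a login page at `/login.php`; the function names, the threshold and the sample entries are constructed for illustration. It goes slightly beyond the answer by using `sort | uniq -c` instead of a bare `wc`, so the count is per source IP and per minute rather than one total.

```shell
#!/bin/sh
# Constructed sample entries in Apache combined log format (documentation IPs).
sample_log() {
    cat <<'EOF'
198.51.100.23 - - [29/Jan/2019:13:24:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Jan/2019:13:24:02 +0000] "POST /login.php HTTP/1.1" 401 312 "-" "python-requests/2.21"
203.0.113.7 - - [29/Jan/2019:13:24:02 +0000] "POST /login.php HTTP/1.1" 401 312 "-" "python-requests/2.21"
203.0.113.7 - - [29/Jan/2019:13:24:03 +0000] "POST /login.php HTTP/1.1" 401 312 "-" "python-requests/2.21"
203.0.113.7 - - [29/Jan/2019:13:24:03 +0000] "POST /login.php HTTP/1.1" 401 312 "-" "python-requests/2.21"
203.0.113.7 - - [29/Jan/2019:13:24:04 +0000] "POST /login.php HTTP/1.1" 401 312 "-" "python-requests/2.21"
198.51.100.23 - - [29/Jan/2019:13:25:10 +0000] "POST /login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [29/Jan/2019:13:26:00 +0000] "GET /login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
}

# Usage: login_hits_by_ip <login_path> <min_hits_per_minute> < access.log
# Reads an access log on stdin and prints "count ip minute" for every source
# IP that POSTed to <login_path> at least <min_hits_per_minute> times within
# one clock minute, busiest first.
#   grep  keeps only POST requests to the login page (fixed string, no regex)
#   awk   carves out field 1 (client IP) and the dd/Mon/yyyy:HH:MM part of
#         field 4 (the timestamp, which starts with "[")
#   uniq  counts identical "ip minute" pairs
#   awk   applies the threshold
login_hits_by_ip() {
    grep -F "\"POST $1 " |
        awk '{print $1, substr($4, 2, 17)}' |
        sort | uniq -c | sort -rn |
        awk -v min="$2" '$1 >= min {print $1, $2, $3}'
}

# Run against the constructed sample with a threshold of 5 POSTs per minute.
# For a real server, redirect the actual access log into the function instead
# (its location varies by distribution and virtual-host configuration).
sample_log | login_hits_by_ip /login.php 5
```

A threshold that suits one site will be noisy on another, so tune it against normal traffic for the login page before alerting on it.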