Hey, I am trying to find how many attacks were logged per day per IP. I am reading from a syslog file.

Here are a couple of lines I am reading from:

Jan 10 09:32:09 j4-be03 sshd[3876]: Failed password for root from 218.241.173.35 port 47084 ssh2
Jan 10 09:32:19 j4-be03 sshd[3879]: Failed password for root from 218.241.173.35 port 47901 ssh2
Feb 7 17:19:16 j4-be03 sshd[10736]: Failed password for root from 89.249.209.92 port 46139 ssh2

This is the code I currently have:

myfile = open('syslog.txt')   # path to the syslog file (placeholder name)

desc_date = {}
count_date = 0
desc_ip = {}
count_ip = 0

for line in myfile:
    if 'Failed password for' in line:
        line_of_list = line.split()

        #working together
        date_port = ' '.join(line_of_list[0:2])
        date_list = date_port.split(':')
        date = date_list[0]
        if desc_date.has_key(date):
            count_date = desc_date[date]
            count_date = count_date + 1
            desc_date[date] = count_date
            #zero out the temporary counter as a precaution
            count_date = 0
        else:
            desc_date[date] = 1

        ip_port = line_of_list[-4]
        ip_list = ip_port.split(':')
        ip_address = ip_list[0]
        if desc_ip.has_key(ip_address):
            count_ip = desc_ip[ip_address]
            count_ip = count_ip + 1
            desc_ip[ip_address] = count_ip
            #zero out the temporary counter as a precaution
            count_ip = 0
        else:
            desc_ip[ip_address] = 1

# merges the per-date and per-ip dictionaries into one (Python 2)
resulting = dict(desc_date.items() + desc_ip.items())

for result in resulting:
    print result, ' has', resulting[result], ' attacks'

It currently gives me these results, which are wrong:

Feb 8 has 33 attacks
218.241.173.35 has 15 attacks
72.153.93.203 has 14 attacks
213.251.192.26 has 13 attacks
66.30.90.148 has 14 attacks
Feb 7 has 15 attacks
92.152.92.123 has 5 attacks
Jan 10 has 28 attacks
89.249.209.92 has 15 attacks

The IP addresses are wrong and I'm not sure where I'm going wrong in the code :( Hope someone can help.

All 4 Replies

Print some of the details, like the date.

        line_of_list = line.split()
        date_port = ' '.join(line_of_list[0:2])     ## month and day
        date_list = date_port.split(':')  ## no ':' in date_port

And has_key is deprecated so use "in" instead.

##        if desc_ip.has_key(ip_address):
        if ip_address in desc_ip:

What's wrong in your result? We don't have the input file, so it looks OK :)

What the IP address part is doing at the moment is finding each IP address that appears in the log, where I want it to find each IP by each date that it appears.

You could start from a generator like this one:

from cStringIO import StringIO
import re

lines = """
Jan 10 09:32:09 j4-be03 sshd[3876]: Failed password for root from 218.241.173.35 port 47084 ssh2
Jan 10 09:32:19 j4-be03 sshd[3879]: Failed password for root from 218.241.173.35 port 47901 ssh2
Feb 7 17:19:16 j4-be03 sshd[10736]: Failed password for root from 89.249.209.92 port 46139 ssh2 
""".strip()

ip_re = re.compile(r"[0-9]+(?:\.[0-9]+){3}")

def get_date(line):
    return " ".join(line.split(" ", 2)[:2])
    
def get_ip_addr(line):
    L = ip_re.findall(line)
    if len(L) == 1:
        return L[0]
    else:
        raise ValueError("Line contains %d ip addresses (%s)" % (len(L), repr(line)))

def gen_pairs(ifile):
    for line in ifile:
        yield get_date(line), get_ip_addr(line)

for date, addr in gen_pairs(StringIO(lines)):
    print ((date, addr))
    
""" my output -->
('Jan 10', '218.241.173.35')
('Jan 10', '218.241.173.35')
('Feb 7', '89.249.209.92')
"""