I must be missing something because I don't see "exodus" anywhere in the log file.
If the log file is consistently built like the extract you show, it seems to me that a simple approach would work:
use strict;
use warnings;

my ( $login, $pass, $ip );

for my $line (<DATA>) {
    # The "Request:" line carries the client IP and the full request URL,
    # including the login and passwd query parameters.
    if ( $line =~ m/^Request: (\d+\.\d+\.\d+\.\d+).*login=([^&]*)&passwd=(\S+)/ ) {
        $ip    = $1;
        $login = $2;
        $pass  = $3;
    }
    # The "Error: mod_security" line follows the request it blocked,
    # so report whatever the last "Request:" line captured.
    elsif ( $line =~ m/^Error: mod_security/ ) {
        print "Attacker : $ip\n";
        print "Login : $login, Password : $pass \n\n";
    }
}

__DATA__
Request: 10.122.11.235 - - [Tue Mar 9 22:27:46 2004] "GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS] for 50000 ms
----------------------------------------
GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&.src=jpg&.last=&promo=&.intl=us&.bypass=&.partner=&.chkP=Y&.done=http://jpager.yahoo.com/jpager/pager2.shtml&login=loginc&passwd=PASS HTTP/1.0
Accept: */*
Accept-Language: en
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
mod_security-action: 200
HTTP/1.0 200 OK
Connection: close
Output:
Attacker : 10.122.11.235
Login : loginc, Password : PASS
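The same parsing idea, written out as an added example (not code from the post above): it walks a mod_security audit log in the layout the post quotes, starts a new record at each "Request:" line, and pairs it with the "Error: mod_security" and "mod_security-message:" lines that follow it. It goes a step beyond the reply in two ways a defender usually wants: it handles a log with several entries rather than one, and it keeps the username for correlation while replacing the password value, so the analysis output does not become a second copy of captured credentials. The sample log is constructed for this example (the first entry mirrors the quoted extract with a shortened query string, the second is an unrelated, unblocked request); the IP 192.0.2.7 and the host example.test are placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the layout of the mod_security audit log quoted in the
# post. Two entries: one blocked login request and one ordinary request.
SAMPLE_LOG = """\
Request: 10.122.11.235 - - [Tue Mar 9 22:27:46 2004] "GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&login=loginc&passwd=PASS HTTP/1.0" 200 566
Handler: proxy-server
Error: mod_security: pausing [http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&login=loginc&passwd=PASS] for 50000 ms
----------------------------------------
GET http://sbc2.login.dcn.yahoo.com/config/login?.redir_from=PROFILES?&.tries=1&login=loginc&passwd=PASS HTTP/1.0
Accept: */*
Connection: Keep-Alive
mod_security-message: Access denied with code 200. Pattern match "passwd=" at THE_REQUEST.
mod_security-action: 200
HTTP/1.0 200 OK
Connection: close
Request: 192.0.2.7 - - [Tue Mar 9 22:30:01 2004] "GET http://example.test/index.html HTTP/1.0" 200 1024
Handler: proxy-server
----------------------------------------
GET http://example.test/index.html HTTP/1.0
Accept: */*
HTTP/1.0 200 OK
"""

# "Request: <ip> - - [<timestamp>] "<method> <url> <proto>" <status> <bytes>"
REQUEST_RE = re.compile(
    r'^Request: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/\d\.\d)"'
)
MESSAGE_RE = re.compile(r'^mod_security-message: (?P<msg>.*)$')

# Query parameters whose values must never reach the report (assumed names).
SECRET_RE = re.compile(r'(?i)(?<=[?&])(passwd|password|pass)=[^&\s]*')


def redact_url(url):
    """Replace the value of password-like query parameters, keep the rest."""
    return SECRET_RE.sub(lambda m: m.group(1) + "=[REDACTED]", url)


def login_from_url(url):
    """Return the 'login' query parameter (the username) or None."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("login", [None])[0]


def parse_audit_log(text):
    """Turn the audit log into one dict per entry, keyed off 'Request:' lines."""
    events = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {
                "ip": m["ip"],
                "timestamp": m["ts"],
                "method": m["method"],
                "url": redact_url(m["url"]),
                "login": login_from_url(m["url"]),
                "blocked": False,
                "message": None,
            }
            events.append(current)
            continue
        if current is None:
            continue  # lines before the first Request: belong to nothing
        if line.startswith("Error: mod_security"):
            current["blocked"] = True
        mm = MESSAGE_RE.match(line)
        if mm:
            current["blocked"] = True
            current["message"] = mm["msg"]
    return events


def blocked_events(text):
    """Only the entries mod_security acted on."""
    return [e for e in parse_audit_log(text) if e["blocked"]]


if __name__ == "__main__":
    for e in blocked_events(SAMPLE_LOG):
        print(f"{e['timestamp']}  {e['ip']}  login={e['login']}  {e['message']}")
        print(f"    {e['method']} {e['url']}")
```

Run on the sample it reports the blocked entry from 10.122.11.235 with `login=loginc` and the URL rewritten to `passwd=[REDACTED]`, and skips the second entry. Because records are keyed on the "Request:" line rather than on a fixed separator, an entry with no "Error:" line simply stays unblocked instead of inheriting the previous entry's IP, which is the mismatch the simpler two-regex loop can produce on a longer log.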