Sample Python Code to determine login attempts in excess of 3 in five minutes - svtechConsult/mikes GitHub Wiki

Certainly! Below is a sample Python script that scans through a log file to find users with more than 3 login attempts within a 5-minute window. This script assumes that the log file contains timestamped entries of login attempts and that each attempt is logged in a consistent format that includes the timestamp and the username.

import re
from datetime import datetime, timedelta
from collections import defaultdict

# Define the path to your log file
LOG_FILE_PATH = 'path/to/your/logfile.log'

# Define the pattern to extract timestamp and username from each log line
# Adjust the pattern to match the format of your log file
LOG_PATTERN = r'(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*User: (\w+)'

# Define the time window and the attempt threshold
TIME_WINDOW = timedelta(minutes=5)
ATTEMPT_THRESHOLD = 3

# Function to parse log lines
def parse_log_line(line):
    match = re.search(LOG_PATTERN, line)
    if match:
        timestamp_str, username = match.groups()
        timestamp = datetime.strptime(timestamp_str, '%Y-%m-%d %H:%M:%S')
        return timestamp, username
    return None, None

# Function to scan log file for frequent login attempts
def scan_logins(log_file_path):
    login_attempts = defaultdict(list)
    suspicious_users = defaultdict(list)

    with open(log_file_path, 'r') as file:
        for line in file:
            timestamp, username = parse_log_line(line)
            if username:
                # Remove outdated attempts
                login_attempts[username] = [
                    ts for ts in login_attempts[username]
                    if ts > timestamp - TIME_WINDOW
                ]

                # Add the new attempt
                login_attempts[username].append(timestamp)

                # Check if the threshold is exceeded
                if len(login_attempts[username]) > ATTEMPT_THRESHOLD:
                    suspicious_users[username].append(timestamp)

    return suspicious_users

# Main execution
//This script uses regular expressions to parse the log lines, so you'll need to adjust the LOG_PATTERN to match the format of your //logs. It also uses a sliding window approach to keep track of login attempts within the specified time window.

Please ensure that the datetime format in the datetime.strptime() function matches the timestamp format in your log file.

if __name__ == '__main__':
    # Scan the log file for suspicious login attempts
    suspicious_login_attempts = scan_logins(LOG_FILE_PATH)

    # Display the results
    for user, timestamps in suspicious_login_attempts.items():
        print(f'User "{user}" has suspicious login attempts at the following times:')
        for ts in timestamps:
            print(f'  {ts.strftime("%Y-%m-%d %H:%M:%S")}')

This script uses regular expressions to parse the log lines, so you'll need to adjust the LOG_PATTERN to match the format of your logs. It also uses a sliding window approach to keep track of login attempts within the specified time window.

Please ensure that the datetime format in the datetime.strptime() function matches the timestamp format in your log file.

Before running this script, replace path/to/your/logfile.log with the actual path to your log file. The script will print out the usernames that have more than 3 login attempts within any 5-minute window, along with the timestamps of those attempts.