Using lnav to solve the CyberDefenders Hammered Challenge

I recently stumbled on this nice review of lnav by José Lopes. They use this Hammered challenge by cyberdefenders.org as a way to get to know how to use lnav. I thought I would do the same and document the commands I would use to give folks some practical examples of using lnav.

We can probably figure this out by looking for common failure messages in the logs. But, first, we need to load the logs into lnav. You can load all of the logs by passing the path to the Hammered directory along with the -r option to recurse through any subdirectories:

Now that the logs are loaded, you can use the .msgformats SQL command to execute a canned query that finds log messages with a common text format. (Unfortunately, this command has suffered from bitrot and is broken in the current release. It will be fixed in the next release. In the meantime, you can copy the snippet below to a file and execute it using the | prompt.) You can enter the SQL prompt by pressing ; and then entering the command or statement:

The # in the log_msg_format column are the parts of the text that vary between log messages. For example, the most interesting message is “Failed password for root from # port # #”. In that case, the first # would be the IP address and then the port number. The first column indicates how many times a message like this was found, so 5,479 failed password attempts is probably a good sign of a breakin attempt.

Leave a Comment