Remove IP addresses from multiple log files

Log files can grow as large as you let them and if for any reason you need to redact the IP addresses they hold it’s often impractical to do it manually.

It can be automated using Notepad++ (A free text editorĀ Notepad++ Download link) with some clever regex.

There are 2 different methods, one using simple regex which will do the job but will also remove some non-IP numbers which look similar in format to an IP address.

Quick and dirty method

Here are some demo log files with thousands of IP addresses inside:

regex1

Launch Notepad++ and select search >> find in files >>

regex2

The quick and dirty regex is : (\d{1,3}\.){3}\d{1,3}

set some replacement text or leave blank if you want to just delete the entries.

set the directory which contains your log files, and most importantly set the search mode to “regular expression”. It’s set to “Normal” by default.

regex3

When you press “Replace in Files” you’ll turn this:

regex4

Into :

regex6

As you can see it’s also gone through all of the log files and saved you a lot of manual time and effort:

regex5

Regex explained:

(\d{1,3}\.){3}\d{1,3}

(\d{1,3}\.) finds any set of numbers 1-3 digits in length with a full stop at the end.

{3} repeats the previous regex 3 times.

\d{1,3} is similar to the first part and searches for a set of numbers 1-3 digits in length but with no full stop at the end.

The reason you cannot simply use (\d{1,3}\.){4} is because the last octet of an IP address doesn’t end with a full stop.

The problem with this quick regex is that it will also pick up numbers such as:

999.999.999.999 which is not a valid IP. Depending on the contents of your log files this might not be a problem.

IP Specific regex

If the quick and dirty method doesn’t do exactly what you need you can use this much longer regex to specify the numbers which can appear in an IP address:

(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)

It will do mostly the same as the previous regex but is smart enough to not remove 999.999.999.999

regex8regex7regex9

How to add a custom module to Metasploit

Metasploit comes with thousands of modules preinstalled but there is nothing stopping you from adding some brand new ones from the internet or altering existing ones.

Here is the method for taking an existing exploit and adding your own custom version of it to Metasploit, the same instructions can be adapted for adding a brand new exploit from the internet.

  • By default in Kali the modules are all stored in /usr/share/metasploit-framework/modules it’s worth checking yours are here before we continue.

1

  1. Open up msfconsole and navigate to your modules folder2
  2. In this example we will be making a custom version of the ms02_056_hello.rb mssql exploit. Use the mkdir command to create a custom folder in a sensible location and copy the exploit into it using cp.3
  3. navigate to your custom folder and confirm the exploit copy is there:4
  4. Open up the exploit using any editor (Ignore this if you don’t intend on making any changes and have found a module from the internet:5
  5. Make the changes you want. In the screenshot below we have just changed the description to as a demonstration. Save your new exploit.6
  6. Use the mv command to give your exploit a custom name, this stops you accidentally confusing it with the original code in the future.7
  7. Metasploit won’t be able to find your exploit until it after you exit and reopen msfconsole. You’ll see a search error if you try: 8
  8. After closing and reopening msfconsole your code should be visible within Metasploit to use just like the preinstalled ones.9