commit 68cd4b57da34f7e3e3264ea437bcffad1c40790a
Author: Stephen McQuay (work)
Date: Fri May 12 13:33:21 2017 -0700
init
diff --git a/ips.go b/ips.go
new file mode 100644
index 0000000..4986f51
--- /dev/null
+++ b/ips.go
@@ -0,0 +1,21 @@
+package hmm
+
+import (
+ "regexp"
+)
+
+// Failed password for root from 43.229.53.57 port 62954 ssh2
+// message repeated 2 times: [ Failed password for root from 43.229.53.57 port 32871 ssh2]
+var p = regexp.MustCompile(`Failed password for .* from (.*) port`)
+
+// ParseIP finds the ip address from an sshd log line that contains a failed
+// password attempt.
+func ParseIP(line string) string {
+ if m := p.FindStringSubmatch(line); m != nil {
+ if len(m) != 2 {
+ return ""
+ }
+ return string(m[1])
+ }
+ return ""
+}
diff --git a/ips_test.go b/ips_test.go
new file mode 100644
index 0000000..0a99829
--- /dev/null
+++ b/ips_test.go
@@ -0,0 +1,20 @@
+package hmm
+
+import "testing"
+
+func TestIPs(t *testing.T) {
+ {
+ s := "Failed password for root from 43.229.53.57 port 62954 ssh2"
+ ip := ParseIP(s)
+ if ip == "" {
+ t.Fatalf("didn't find ip, should have")
+ }
+ }
+ {
+ s := "Oct 10 12:35:46 impa sshd[13226]: Received disconnect from 116.31.116.6 port 58923:11: [preauth]"
+ ip := ParseIP(s)
+ if ip != "" {
+ t.Fatalf("found ip, shouldn't have")
+ }
+ }
+}
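Review bot: The capture group in `p` is `(.*)`, so ParseIP returns whatever text lies between ` from ` and the last ` port` on the line without checking that it is an address. The user name in these sshd lines is supplied by the remote client, so the result should not be handed to callers as an IP unverified. Narrow the group to `(\S+)` and reject anything else with `if net.ParseIP(m[1]) == nil { return "" }`, which needs `"net"` added to the import block. Separately, the `len(m) != 2` branch cannot be reached, because a non-nil FindStringSubmatch result for a one-group pattern always has two elements, and `string(m[1])` converts a string to itself.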
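Review bot: The first case in TestIPs only checks `ip == ""`, so it would still pass if ParseIP returned the wrong part of the line. Compare against the expected value instead: `if ip != "43.229.53.57" { t.Fatalf("got %q", ip) }`. The `message repeated 2 times: [ ... ]` form quoted in the comment in ips.go has no case here, and neither does a failed-password line whose captured field is not a valid address. Both are worth adding so the parser's behaviour on them is pinned down.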