siddhi-io / siddhi

Stream Processing and Complex Event Processing Engine

Home Page:http://siddhi.io

brute-force detect using siddhi

fengjian1993 opened this issue · comments

Description:

I am new to Siddhi ;)
Can I implement this function using Siddhi?
from LoginStream
3 'login failed' logs within 10 sec, then 1 'login success' within 1 sec,
and select the first 'login failed' eventTime and the 'login success' eventTime into
FailedLoginStream

@sink(type='log' , prefix = '>>>Input')
define stream LoginStream(log string, eventTime long);
@sink(type='log' , prefix = '>>>OutputFailedLoginStream')
define stream FailedLoginStream(startTime long, endTime long);

What is the query SQL? :)

This gives a grammar error:
from every s1 = LoginStream[str:contains(log, 'login failed')] <3:> within 10 seconds
-> every s2 = LoginStream[s2.eventTime > s1.eventTime and str:contains(log, 'login success')] <1:> within 5 seconds
select s1.eventTime as startTime, s2.eventTime as endTime
insert into FailedLoginStream;

Affected Siddhi Version:

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

Hi @fengjian1993,

Please try the following Siddhi app:

@App:name("BruteForceDetect")

@sink(type='log' , prefix = '>>>Input')
define stream LoginStream(log string, eventTime long);

@sink(type='log' , prefix = '>>>OutputFailedLoginStream')
define stream FailedLoginStream(startTime long, endTime long);

-- 3 or more failed logins whose first and last are < 10 s apart (on eventTime),
-- followed by a successful login < 1 s after the last failure.
from every s1=LoginStream[str:contains(log, 'login failed')] <3:>
     -> s2=LoginStream[str:contains(log, 'login success')
                       AND (s1[last].eventTime - s1[0].eventTime < 10000)
                       AND (s2.eventTime - s1[last].eventTime < 1000)]
select s1[0].eventTime as startTime, s2.eventTime as endTime
insert into FailedLoginStream;

Thanks Senthuran!
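The rule the answer above implements, re-stated as plain Python and run over a constructed event sequence so the thresholds can be checked offline. This is an added example, not code from the Siddhi project or from either participant in the thread. It does not reproduce Siddhi's pattern state machine (with `every`, Siddhi can start a fresh match at each failed login, so it may emit more than one event per burst); it only emulates the stated rule with a sliding window over the eventTime attribute and emits one alert per burst. The sample events, the function and class names, and the default thresholds are assumptions made for this example, and events are assumed to arrive in eventTime order, as they would in the Siddhi pattern.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class LoginEvent:
    """One LoginStream event: the raw log text and its eventTime in milliseconds."""
    log: str
    event_time: int


def detect_brute_force(events: Iterable[LoginEvent],
                       min_failures: int = 3,
                       failure_window_ms: int = 10_000,
                       success_gap_ms: int = 1_000) -> List[Tuple[int, int]]:
    """Return (startTime, endTime) pairs for each burst of at least
    `min_failures` failed logins whose first and last failure are less than
    `failure_window_ms` apart, followed by a successful login less than
    `success_gap_ms` after the last failure.  Times come from the event
    attribute, not from arrival time, just as in the Siddhi query above."""
    alerts: List[Tuple[int, int]] = []
    failures: List[LoginEvent] = []  # failed logins inside the current window
    for ev in events:
        if "login failed" in ev.log:
            failures.append(ev)
            # Slide the window: keep only failures less than failure_window_ms
            # before this one (mirrors s1[last].eventTime - s1[0].eventTime < 10000).
            failures = [f for f in failures
                        if ev.event_time - f.event_time < failure_window_ms]
            continue
        if "login success" not in ev.log or not failures:
            continue  # unrelated log lines, or a success with no failures before it
        last = failures[-1]
        # Mirrors s2.eventTime - s1[last].eventTime < 1000.
        if ev.event_time - last.event_time >= success_gap_ms:
            continue
        if len(failures) >= min_failures:
            alerts.append((failures[0].event_time, ev.event_time))
            failures = []  # one alert per burst; the matched failures are consumed
    return alerts


# Constructed sample (assumption): timestamps are eventTime values in milliseconds.
SAMPLE_EVENTS = [
    LoginEvent("login success", 100),        # success with no failures: ignored
    LoginEvent("login failed", 1_000),       # burst 1: 3 failures spanning 7 s ...
    LoginEvent("login failed", 4_000),
    LoginEvent("login failed", 8_000),
    LoginEvent("login success", 8_500),      # ... then success 0.5 s later -> alert
    LoginEvent("login failed", 20_000),      # only 2 failures before the success
    LoginEvent("login failed", 21_000),
    LoginEvent("login success", 21_500),     # no alert
    LoginEvent("login failed", 30_000),      # 3 failures, but first..last = 11 s
    LoginEvent("login failed", 35_000),
    LoginEvent("login failed", 41_000),
    LoginEvent("login success", 41_500),     # window too wide -> no alert
    LoginEvent("login failed", 50_000),      # 3 failures inside 10 s ...
    LoginEvent("login failed", 51_000),
    LoginEvent("login failed", 52_000),
    LoginEvent("login success", 53_500),     # ... but success 1.5 s later -> no alert
    LoginEvent("session timeout", 60_000),   # not part of the pattern at all
    LoginEvent("login failed", 70_000),      # 4 failures (<3:> means 3 or more) ...
    LoginEvent("login failed", 70_100),
    LoginEvent("login failed", 70_200),
    LoginEvent("login failed", 70_300),
    LoginEvent("login success", 70_400),     # ... then success 0.1 s later -> alert
]


def run_sample() -> List[Tuple[int, int]]:
    """Run the detector over the constructed sample; returns [(1000, 8500), (70000, 70400)]."""
    return detect_brute_force(SAMPLE_EVENTS)


if __name__ == "__main__":
    for start, end in run_sample():
        print(f"FailedLoginStream: startTime={start} endTime={end}")
```

Two caveats a practitioner would add before deploying either version. First, the thresholds in the Siddhi app compare the eventTime attribute that the events carry, so the rule behaves the same whether events are replayed from a file or arrive live; a `within` clause in a pattern is evaluated on the timestamp Siddhi assigns to each event, not on this attribute, which is why the answer compares eventTime values directly. Second, LoginStream carries no username or source address, so both the Siddhi query and this emulation are a single global rule: one attacker's failures and another user's success would be joined into a match, and an attacker's burst could be masked by unrelated traffic. With a stream that includes such an attribute, the same pattern would normally be run inside a Siddhi `partition with (...)` block keyed on the user or client IP so that each principal is tracked separately.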