brute-force detect using siddhi
fengjian1993 opened this issue · comments
Description:
I am new to Siddhi ;)
Can I implement this function using Siddhi?
from LoginStream
3 times 'login failed' log within 10 sec, then 1 time 'login success' within 1 sec,
and select the first 'login failed' eventTime and the 'login success' eventTime into
FailedLoginStream
@sink(type='log' , prefix = '>>>Input')
define stream LoginStream(log string, eventTime long);
@sink(type='log' , prefix = '>>>OutputFailedLoginStream')
define stream FailedLoginStream(startTime long, endTime long);
What is the query SQL? :)
This gives a grammar error:
from every s1 = LoginStream[str:contains(log, 'login failed')] <3:> within 10 seconds
-> every s2 = LoginStream[s2.eventTime > s1.eventTime and str:contains(log, 'login success')] <1:> within 5 seconds
select s1.eventTime as startTime, s2.eventTime as endTime
insert into FailedLoginStream;
Hi @fengjian1993 ,
Please try the following Siddhi app:
@App:name("BruteForceDetect")
@sink(type='log' , prefix = '>>>Input')
define stream LoginStream(log string, eventTime long);
@sink(type='log' , prefix = '>>>OutputFailedLoginStream')
define stream FailedLoginStream(startTime long, endTime long);
from every s1=LoginStream[str:contains(log, 'login failed')] <3:>
    -> s2=LoginStream[str:contains(log, 'login success')
        AND (s1[last].eventTime - s1[0].eventTime < 10000)
        AND (s2.eventTime - s1[last].eventTime < 1000)]
select s1[0].eventTime as startTime, s2.eventTime as endTime
insert into FailedLoginStream;
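The query above encodes three conditions (at least three failures, the failures spanning less than 10 s, the success arriving less than 1 s after the last failure) and reports the first failure's eventTime together with the success's eventTime. The following plain-Python reference detector is an added example, not Siddhi code and not part of the issue thread; it spells out those conditions over a constructed set of LoginStream events so the expected FailedLoginStream output can be checked offline, and it exposes the thresholds as parameters so the same detector can be tuned. The event tuples, the usernames in the log text and the choice to reset the pending failure run at every 'login success' (whether or not it matched) are assumptions made here; the Siddhi pattern state machine may keep waiting for a later success instead, so treat this as a specification of the intended detection rather than an emulation of the engine.

```python
"""Reference implementation of the brute-force pattern from the accepted
answer, written in plain Python so the expected output of the Siddhi app can
be checked offline.  Added example code; not part of Siddhi or the issue."""
from typing import Iterable, List, Tuple

Event = Tuple[str, int]   # (log, eventTime in epoch milliseconds), as in LoginStream

# Constructed sample input, not taken from the issue.  Four scenarios:
#   A: 3 failures in 3 s, success 0.6 s later      -> should be reported
#   B: only 2 failures before the success           -> not enough failures
#   C: 3 failures spread over 11 s                  -> outside the 10 s window
#   D: 3 quick failures, success 3 s after the last -> success arrives too late
# The usernames are only there for realism; the detector does not key on them.
SAMPLE_EVENTS: List[Event] = [
    ("login failed for alice", 1_000),
    ("login failed for alice", 2_500),
    ("session refreshed", 3_000),         # matches neither pattern term; ignored
    ("login failed for alice", 4_000),
    ("login success for alice", 4_600),   # A
    ("login failed for alice", 30_000),
    ("login failed for alice", 31_000),
    ("login success for alice", 31_500),  # B
    ("login failed for alice", 50_000),
    ("login failed for alice", 55_000),
    ("login failed for alice", 61_000),
    ("login success for alice", 61_200),  # C
    ("login failed for alice", 70_000),
    ("login failed for alice", 71_000),
    ("login failed for alice", 72_000),
    ("login success for alice", 75_000),  # D
]


def detect_brute_force(events: Iterable[Event],
                       min_failures: int = 3,
                       max_fail_span_ms: int = 10_000,
                       max_success_gap_ms: int = 1_000) -> List[Tuple[int, int]]:
    """Emit (startTime, endTime) pairs like FailedLoginStream.

    Mirrors the accepted query: s1 is the run of 'login failed' events
    collected since the previous 'login success', s2 is that success, and a
    match requires
        len(s1) >= min_failures
        s1[last].eventTime - s1[0].eventTime < max_fail_span_ms
        s2.eventTime - s1[last].eventTime < max_success_gap_ms
    startTime is s1[0].eventTime, endTime is s2.eventTime.
    """
    matches: List[Tuple[int, int]] = []
    failures: List[int] = []          # eventTimes of the pending s1 run
    for log, event_time in events:
        if "login failed" in log:     # str:contains(log, 'login failed')
            failures.append(event_time)
        elif "login success" in log:  # str:contains(log, 'login success')
            if (len(failures) >= min_failures
                    and failures[-1] - failures[0] < max_fail_span_ms
                    and event_time - failures[-1] < max_success_gap_ms):
                matches.append((failures[0], event_time))
            failures = []             # assumption: a success closes the run either way
        # any other log line matches neither pattern step and is skipped
    return matches


if __name__ == "__main__":
    for start, end in detect_brute_force(SAMPLE_EVENTS):
        print(f">>>OutputFailedLoginStream startTime={start} endTime={end}")
```

Running it reports only scenario A, (1000, 4600); loosening `max_fail_span_ms` to 12 000 additionally reports C and loosening `max_success_gap_ms` to 5 000 additionally reports D, which is a quick way to confirm which of the three conditions a real log sample is failing. Note that neither this reference nor the query above distinguishes accounts or source addresses, so a burst of failures against several different users would be counted as one run; in a real deployment you would key the stream on the account or client IP (for instance with a Siddhi partition) before applying the pattern.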
Thanks Senthuran!