how can i do brute-force detect using siddhi?


fengj victor

Mar 31, 2022, 5:25:13 AM
to siddhi-dev
My requirement is:
if I receive a log containing 'login failed' 3 times within 10 sec and then receive a log containing 'login success' within 1 sec,
I will receive a message with an alert containing the details of the first 'login failed' and of the 'login success'.
I am new here ;)
Thanks for the help.

Senthuran Ambalavanar

Mar 31, 2022, 11:41:05 AM
to fengj victor, siddhi-dev
Hi Fengj,

Please try the following Siddhi app: 

@App:name("BruteForceDetect")

-- Input: the raw log line plus its timestamp in epoch milliseconds.
-- The log sink echoes every input event so test data can be followed in the console.
@sink(type='log', prefix='>>>Input')
define stream LoginStream(log string, eventTime long);

-- Output: one event per detected burst, carrying the time of the first
-- failure and the time of the success that followed it.
@sink(type='log', prefix='>>>OutputFailedLoginStream')
define stream FailedLoginStream(startTime long, endTime long);

-- Pattern: three or more 'login failed' events (s1, count <3:>), followed by
-- one 'login success' event (s2). Both time constraints are checked in the
-- filter of s2: all failures lie within 10 s (10000 ms) of each other, and the
-- success arrives less than 1 s (1000 ms) after the last failure.
-- str:contains() is provided by the siddhi-execution-string extension.
from every s1=LoginStream[str:contains(log, 'login failed')]<3:> ->
     s2=LoginStream[str:contains(log, 'login success')
                    AND (s1[last].eventTime - s1[0].eventTime < 10000)
                    AND (s2.eventTime - s1[last].eventTime < 1000)]
select s1[0].eventTime as startTime, s2.eventTime as endTime
insert into FailedLoginStream;



Thanks,
Senthuran.


--
Siddhi homepage: http://siddhi.io/
Siddhi Github repo: https://github.com/siddhi-io/siddhi
 
You received this message because you are subscribed to the Google Groups "Siddhi-dev" group.
To post to this group, send email to siddh...@googlegroups.com
To unsubscribe from this group, send email to siddhi-dev+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/siddhi-dev?hl=en?hl=en


--
Senthuran Ambalavanar | Senior Software Engineer | WSO2 Inc.
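The following is an added reference implementation of the same rule in plain Python, not Siddhi and not part of the original thread. It exists so that the intended semantics (three or more failures within 10 s, then a success less than 1 s after the last failure, alert carrying the first failure time and the success time) can be checked against concrete event sequences before the pattern is deployed. The log line layout ("<epoch_ms> <account> <message>") and the sample lines are constructed for the example; keying the window per account is an assumption about deployment that goes beyond the posted Siddhi app, which tracks a single global sequence.

```python
import re
from collections import defaultdict

# Detection thresholds taken from the requirement in the thread.
MIN_FAILURES = 3         # 'login failed' events needed
FAIL_WINDOW_MS = 10_000  # ... all within 10 s of each other
SUCCESS_GAP_MS = 1_000   # ... and 'login success' within 1 s of the last failure

# Assumed line layout for this example: "<epoch_ms> <account> <free-text message>".
LINE_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<user>\S+)\s+(?P<msg>.*)$")

# Constructed sample input, not taken from the original post.
SAMPLE_LOGS = [
    "1000 alice login failed",
    "2500 alice login failed",
    "4000 bob login success",        # other account, must not affect alice
    "6000 alice login failed",       # 3rd failure, 5 s after the first
    "6500 alice login success",      # 0.5 s after the last failure -> alert
    "this line is not a log event",  # malformed, skipped by the parser
    "20000 carol login failed",
    "25000 carol login failed",
    "31000 carol login failed",      # 11 s after the first: window exceeded
    "31500 carol login success",     # only 2 failures left in the window -> no alert
    "40000 dave login failed",
    "41000 dave login failed",
    "42000 dave login failed",
    "44000 dave login success",      # 2 s after the last failure -> too slow, no alert
]


def parse_line(line):
    """Return (timestamp_ms, account, message) or None for a malformed line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return int(m.group("ts")), m.group("user"), m.group("msg")


def detect_bruteforce(lines):
    """Apply the rule to an ordered list of log lines; return one alert per match.

    Per account we keep only failures that lie within FAIL_WINDOW_MS of the newest
    failure, so memory stays bounded and 'first failure' always means the first
    failure of the burst that is still inside the window.
    """
    recent_failures = defaultdict(list)  # account -> failure timestamps (ms)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, msg = parsed
        if "login failed" in msg:
            kept = [f for f in recent_failures[user] if ts - f < FAIL_WINDOW_MS]
            kept.append(ts)
            recent_failures[user] = kept
        elif "login success" in msg:
            fails = recent_failures.pop(user, [])  # a success ends the attempt
            if len(fails) >= MIN_FAILURES and ts - fails[-1] < SUCCESS_GAP_MS:
                alerts.append({
                    "user": user,
                    "startTime": fails[0],  # first failure of the burst
                    "endTime": ts,          # the success that completed it
                    "failures": len(fails),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOGS):
        print(alert)
```

Running it over the sample lines produces exactly one alert, for alice (startTime 1000, endTime 6500); carol's burst is rejected because the failures span more than 10 s, and dave's because the success came 2 s after the last failure. The Siddhi pattern does not reset on a success and, because of `every`, may report several overlapping matches for one burst; treat those differences as things to verify in Siddhi rather than as behaviour this script reproduces.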