I'm working on a use case to detect login bruteforce attacks based on some incoming events. To do so I have to use wso2 + siddhi (not optional).
The structure of the code I've built is:
- Create a partition for each attacked target
- Create windows of 5 seconds
- For each event belonging to the previous window, select all the entries whose Category is "attempt.login"
- Insert them into a new table.
Once I have each entry in the new table, I would like to know how many events have been stored in the table, in order to be able to detect whether a brute force is taking place or not (if the number of events is greater than 20, for example, that means a brute-force attack is taking place).
partition with (Target_IP4 of I_Events)
begin
from I_Events[Category == 'Attempt.Login']#window.time(5 sec)
select meta_EventTime, correlation__id, Source_IP4, Source_Proto, Source_Hostname, Target_IP4, Target_Proto, Target_Hostnmae, Category, count() as attempts
insert into #login_attempts;
from #login_attempts[attempts > 20]#window.time(5 sec)
select ...
insert into alert;
end;
As can be seen in the above chunk of code, I've tried to use the count() function but it doesn't work: it just increases the value by 1 each time a new element is added. For example, the first element added will have attempts = 1, the second one attempts = 2, etc.
If the above idea cannot be made to work... does anyone at least know how to select all the elements of a stream if a given condition is fulfilled? For example, if one element of the stream has an attribute set to true, then select all the elements from this stream.
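The following is an added illustration, not part of the original post and not WSO2/Siddhi code: a small Python model of the two window semantics at play. `running_counts` reproduces what a sliding time window with `count()` emits (one row per event, attempts 1, 2, 3, ...), and `batch_counts`/`detect_bruteforce` show the tumbling-window count per target that the detection actually needs, so that a single alert is raised per window and target rather than one per event. The events are constructed sample data, the window boundaries are aligned to multiples of 5 seconds for simplicity (Siddhi's `timeBatch` starts its first window at the first event's arrival instead), and the Siddhi analogue of the batch logic is a `#window.timeBatch(5 sec)` with `group by Target_IP4` and `having attempts > 20`.

```python
"""Tumbling-window login-attempt counting, as an added illustration of the
detection logic the post describes. Plain Python, not Siddhi/WSO2 code."""
from collections import defaultdict
from typing import Dict, List, Tuple

Event = Dict[str, object]
WINDOW_MS = 5_000   # the 5-second window from the post
THRESHOLD = 20      # "more than 20 attempts" from the post


def make_sample_events() -> List[Event]:
    """Constructed sample events (made up for this example, not real data)."""
    base = 1_700_000_000_000  # epoch milliseconds, aligned to a 5 s boundary
    events: List[Event] = []
    # 25 login attempts against 10.0.0.5 inside the first 5-second window
    for i in range(25):
        events.append({"meta_EventTime": base + i * 150, "Category": "Attempt.Login",
                       "Source_IP4": "192.0.2.10", "Target_IP4": "10.0.0.5"})
    # 3 attempts against 10.0.0.6 in the same window (an ordinary user mistyping)
    for i in range(3):
        events.append({"meta_EventTime": base + 1_000 + i * 500, "Category": "Attempt.Login",
                       "Source_IP4": "198.51.100.7", "Target_IP4": "10.0.0.6"})
    # 2 non-login events against 10.0.0.5 that the Category filter must drop
    for ts in (base + 2_000, base + 2_500):
        events.append({"meta_EventTime": ts, "Category": "Info.Heartbeat",
                       "Source_IP4": "10.0.0.5", "Target_IP4": "10.0.0.5"})
    # 5 attempts against 10.0.0.5 in the NEXT window: the batch count must reset
    for i in range(5):
        events.append({"meta_EventTime": base + 5_000 + i * 100, "Category": "Attempt.Login",
                       "Source_IP4": "192.0.2.10", "Target_IP4": "10.0.0.5"})
    return sorted(events, key=lambda e: e["meta_EventTime"])


def running_counts(events: List[Event], category: str = "Attempt.Login",
                   window_ms: int = WINDOW_MS) -> List[Tuple[str, int]]:
    """What a sliding window.time(5 sec) + count() emits: one row per input event
    whose 'attempts' is the number of matching events for the same target within
    the last window_ms. This is the 1, 2, 3, ... behaviour described in the post."""
    matching = [e for e in events if e["Category"] == category]
    rows: List[Tuple[str, int]] = []
    for e in matching:
        ts, target = int(e["meta_EventTime"]), str(e["Target_IP4"])
        attempts = sum(1 for o in matching
                       if o["Target_IP4"] == target
                       and ts - window_ms < int(o["meta_EventTime"]) <= ts)
        rows.append((target, attempts))
    return rows


def batch_counts(events: List[Event], category: str = "Attempt.Login",
                 window_ms: int = WINDOW_MS) -> Dict[Tuple[int, str], int]:
    """Tumbling (batch) window: one count per (window_start, target). Windows are
    aligned to multiples of window_ms here (a simplification of timeBatch)."""
    counts: Dict[Tuple[int, str], int] = defaultdict(int)
    for e in events:
        if e["Category"] != category:
            continue
        ts = int(e["meta_EventTime"])
        window_start = ts - ts % window_ms
        counts[(window_start, str(e["Target_IP4"]))] += 1
    return dict(counts)


def detect_bruteforce(events: List[Event], threshold: int = THRESHOLD,
                      window_ms: int = WINDOW_MS) -> List[Tuple[int, str, int]]:
    """(window_start, target, attempts) for every window in which one target
    received more than `threshold` login attempts: one alert per window and
    target, not one per event."""
    return sorted((ws, target, n)
                  for (ws, target), n in batch_counts(events, window_ms=window_ms).items()
                  if n > threshold)


if __name__ == "__main__":
    sample = make_sample_events()
    rows = running_counts(sample)
    print("rows from the sliding count that exceed 20:", sum(1 for _, n in rows if n > 20))
    for window_start, target, attempts in detect_bruteforce(sample):
        print(f"ALERT window={window_start} target={target} attempts={attempts}")
```

With the sample data the sliding count produces ten rows above 20 (five in each window, because events from the first window are still inside the 5-second sliding window when the second batch arrives), while the batch count yields exactly one alert for the 25-attempt burst and none for the 5-attempt follow-up or the 3 attempts against the other target.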