Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Question about pattern matching

See original GitHub issue

I want to define a pattern that matches if 4 or more login failures are followed by a successful login, to detect successful brute force password guessing attempts.

With these rules:

@app:playback
define stream LoginFailure (id string, user string, type string);
define stream LoginSuccess (id string, user string, type string);

partition with (user of LoginFailure, user of LoginSuccess)
begin

  from every (e0=LoginFailure) -> e1=LoginFailure<4:> -> e2=LoginSuccess within 30 seconds
  select e1.id as id, e2.user as user
  insert into BreakIn

end;

And the following input:

failureInput.send(++now, new Object[]{"id_1", "hans", "failure"});
failureInput.send(++now, new Object[]{"id_2", "hans", "failure"});
failureInput.send(++now, new Object[]{"id_3", "hans", "failure"});
failureInput.send(++now, new Object[]{"id_4", "hans", "failure"});
failureInput.send(++now, new Object[]{"id_5", "hans", "failure"});
failureInput.send(++now, new Object[]{"id_6", "hans", "failure"});
successInput.send(++now, new Object[]{"id_7"  "hans", "success"});

// second breakin

failureInput.send(++now, new Object[]{"id_8",  "werner", "failure"});
failureInput.send(++now, new Object[]{"id_9",  "werner", "failure"});
failureInput.send(++now, new Object[]{"id_10", "werner", "failure"});
failureInput.send(++now, new Object[]{"id_11", "werner", "failure"});
failureInput.send(++now, new Object[]{"id_12", "werner", "failure"});
failureInput.send(++now, new Object[]{"id_13", "werner", "failure"});
failureInput.send(++now, new Object[]{"id_14", "werner", "failure"});
failureInput.send(++now, new Object[]{"id_15", "werner", "failure"});
successInput.send(++now, new Object[]{"id_16"  "werner", "success"});

It generates a breakin event for every pattern combination of e0 and e2 Like so:

SSHBreakIn:     [Event{timestamp=7, data=[id_2, hans], isExpired=false}]
SSHBreakIn:     [Event{timestamp=7, data=[id_3, hans], isExpired=false}]

SSHBreakIn:     [Event{timestamp=16, data=[id_9, werner], isExpired=false}]
SSHBreakIn:     [Event{timestamp=16, data=[id_10, werner], isExpired=false}]
SSHBreakIn:     [Event{timestamp=16, data=[id_11, werner], isExpired=false}]
SSHBreakIn:     [Event{timestamp=16, data=[id_12, werner], isExpired=false}]

How can I write the pattern to only produce one event? If I remove the every keyword the first match it works only once, the events for user werner are not emitted.

Thanks in advance

Affected Siddhi Version: 4.4.9

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:7 (2 by maintainers)

github_iconTop GitHub Comments

1reaction
tammypicommented, May 27, 2019

I have a question. If I use: from every e0=LoginFailure<4:> -> e2=LoginSuccess[e0[0].user==user] within 30 seconds "

How can I get all id of e0?

for example the data is:

id_1,han,failure id_2,han,failure id_3,han,failure id_4,han,failure id_5,han,failure id_6,han,success

How can I generate a event like below: Event(ids:[id_1,id_2,id_3,id_4,id_5],user:han,type:brutefurce_success) Ps: The number of e0 is 4 or more times, not a certain number.

@grainier Could you please answer my question?

0reactions
suhothayancommented, Aug 6, 2019

Thanks for reporting this issue, I was able to reproduce the issues. I have made some changes to fix this with Siddhi Core 5.1.2.

With the fixes, the following code will solve your issues

define stream LoginFailure (id string, user string, type string);
define stream LoginSuccess (id string, user string, type string);

@purge(enable='true', interval='15 sec', idle.period='2 min')
partition with (user of LoginFailure, user of LoginSuccess)
begin
    from every (e1=LoginFailure<1:> -> e2=LoginSuccess) within 30 seconds 
    select e1[0].id as id, e1[3].id as id4
    having not(id4 is null)
    insert into BreakIn
end;

Here the partition purge idle.period should be greater than the expected wait time you will use in the query, which is in your case 30 seconds.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Pattern-match question type - MoodleDocs
Pattern-match questions allow the student to give an answer of up to about 20 words, which can then be automatically graded by matching...
Read more >
Pattern Matching - Science topic - ResearchGate
In computer science, pattern matching is the act of checking a given sequence of tokens for the presence of the constituents of some...
Read more >
Question Answering By Pattern Matching, Web-Proofing ...
For questions with a simple answer pattern, the answer candidates can be found by fixed pattern matching. As for those with complex answer...
Read more >
Pattern recognition practice questions - IQ Test Labs
Answered correctly by less than half the people. Discern patterns in matrices. Find order in chaos! Begin. whatshot Latest questions ...
Read more >
20 Pattern Matching Interview Questions and Answers - CLIMB
1. Can you explain what the term pattern matching means? · 2. What are some common uses of pattern matching? · 3. Can...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

How to store data into hazelcast.

Next page

Siddhi CEP 3.1.0 hit deadlock condition on pattern query execution