Striim 3.9.7 documentation

HackerCheck

This flow sends an alert when an access log srcIp value is on a blacklist. The BlackListLookup cache contains the blacklist:

CREATE CACHE BlackListLookup using FileReader (
  directory: 'Samples/MultiLogApp/appData',
  wildcard: 'multiLogBlackList.txt'
)
PARSE USING DSVParser ( )
QUERY (keytomap:'ip') OF IPEntry;

The FindHackers CQ selects access log events that match a blacklist entry:

CREATE CQ FindHackers
INSERT INTO HackerStream
SELECT ale 
FROM AccessStream ale, BlackListLookup bll
WHERE ale.srcIp = bll.ip;

The SendHackingAlerts CQ sends an alert for each such event:

CREATE CQ SendHackingAlerts 
INSERT INTO HackingAlertStream 
SELECT 'HackingAlert', ''+accessTime, 'warning', 'raise',
  'Possible Hacking Attempt from ' + srcIp + ' in ' + IP_COUNTRY(srcIp)
FROM HackerStream;

CREATE SUBSCRIPTION HackingAlertSub 
USING WebAlertAdapter( ) 
INPUT FROM HackingAlertStream;

This flow also creates the UnusualActivity WActionStore that populates various charts and tables on the dashboard:

CREATE TYPE UnusualContext (
    typeOfActivity String,
    accessTime DateTime,
    accessSessionId String,
    srcIp String KEY,
    userId String,
    country String,
    city String,
    lat double,
    lon double
);
CREATE WACTIONSTORE UnusualActivity 
CONTEXT OF UnusualContext ...

The GenerateHackerContext CQ populates UnusualActivity:

CREATE CQ GenerateHackerContext
INSERT INTO UnusualActivity
SELECT 'HackAttempt', accessTime, sessionId, srcIp, userId,
  IP_COUNTRY(srcIp), IP_CITY(srcIp), IP_LAT(srcIp), IP_LON(srcIp)
FROM HackerStream
LINK SOURCE EVENT;

HackAttempt is a literal string that identifies the type of activity; it distinguishes the events written by this flow from those written by the three other flows that populate UnusualActivity.
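The following plain-Python model of the whole HackerCheck flow is an added example, not code from the Striim documentation or the MultiLogApp sample: it shows what the BlackListLookup cache, the FindHackers join, the SendHackingAlerts tuple and the GenerateHackerContext record each compute, so the TQL above can be checked against concrete input. The blacklist text, the access events and the GEO table are constructed; the GEO table stands in for Striim's IP_COUNTRY/IP_CITY/IP_LAT/IP_LON functions, and the assumption that multiLogBlackList.txt is one IP per line with no header row is mine.

```python
"""Added example: a plain-Python model of the Striim HackerCheck flow
(cache lookup, blacklist join, alert tuple, UnusualContext record)."""
import csv
import io
from datetime import datetime

# Constructed blacklist. Assumption: multiLogBlackList.txt holds one IP per
# line with no header, and DSVParser maps the single column to IPEntry.ip.
BLACKLIST_TXT = """203.0.113.7
198.51.100.23
"""

# Constructed stand-in for IP_COUNTRY / IP_CITY / IP_LAT / IP_LON
# (assumption: in Striim these consult a geo-IP database).
GEO = {
    "203.0.113.7": ("Testland", "Example City", 12.5, -45.25),
    "198.51.100.23": ("Testland", "Other City", 13.0, -46.0),
}
UNKNOWN_GEO = ("unknown", "unknown", 0.0, 0.0)


def load_blacklist(text):
    """Model of BlackListLookup: DSV-parsed file keyed on the 'ip' column."""
    rows = csv.reader(io.StringIO(text))
    return {row[0].strip() for row in rows if row and row[0].strip()}


def find_hackers(events, blacklist):
    """FindHackers CQ: keep AccessStream events whose srcIp equals a cache key."""
    return [e for e in events if e["srcIp"] in blacklist]


def hacking_alert(event):
    """SendHackingAlerts CQ: one alert tuple per matched event."""
    country = GEO.get(event["srcIp"], UNKNOWN_GEO)[0]
    return (
        "HackingAlert",
        str(event["accessTime"]),  # ''+accessTime in TQL
        "warning",
        "raise",
        "Possible Hacking Attempt from %s in %s" % (event["srcIp"], country),
    )


def hacker_context(event):
    """GenerateHackerContext CQ: an UnusualContext record keyed on srcIp."""
    country, city, lat, lon = GEO.get(event["srcIp"], UNKNOWN_GEO)
    return {
        "typeOfActivity": "HackAttempt",  # literal that marks this flow's events
        "accessTime": event["accessTime"],
        "accessSessionId": event["sessionId"],
        "srcIp": event["srcIp"],
        "userId": event["userId"],
        "country": country,
        "city": city,
        "lat": lat,
        "lon": lon,
    }


# Constructed AccessStream events; field names follow the CQs on this page.
ACCESS_EVENTS = [
    {"accessTime": datetime(2016, 1, 7, 10, 50, 8), "sessionId": "s1",
     "srcIp": "192.0.2.10", "userId": "alice"},
    {"accessTime": datetime(2016, 1, 7, 10, 50, 9), "sessionId": "s2",
     "srcIp": "203.0.113.7", "userId": "bob"},
    {"accessTime": datetime(2016, 1, 7, 10, 50, 10), "sessionId": "s3",
     "srcIp": "198.51.100.23", "userId": "carol"},
]


def run_flow(events=ACCESS_EVENTS, blacklist_text=BLACKLIST_TXT):
    """Run the flow end to end: returns (HackingAlertStream, UnusualActivity)."""
    hackers = find_hackers(events, load_blacklist(blacklist_text))
    alerts = [hacking_alert(e) for e in hackers]
    context = [hacker_context(e) for e in hackers]
    return alerts, context


if __name__ == "__main__":
    alerts, context = run_flow()
    for alert in alerts:
        print(alert)
    for record in context:
        print(record)
```

Only the two events whose srcIp is on the blacklist reach HackerStream; the first event (192.0.2.10) is dropped by the join, so no alert or UnusualActivity record is produced for it.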