Would you be so kind as to advise on a good way of using Graylog in this case:
1. Some bad dude brute-forces the account uudecode (we log it, even aggregated).
2. This villain successfully gets the password and logs into the system.
3. We raise an alarm about this case.
I see two options:
- For every successful login, we inspect the past log for brute-force attempts and raise an alarm.
- On every aggregated brute-force event, wait one minute for a successful login and raise an alarm.
What could I do? What scenario is possible?
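The two options in the question are two correlation windows pointed in opposite directions: option 1 looks backward from a success, option 2 looks forward from a burst of failures. The following Python model is an added example, not Graylog code and not from the original poster; it runs both strategies over constructed sample log lines so the difference in what each one catches is visible. The log format, the thresholds (5 failures), the 10-minute lookback, the 30-second burst window and the 1-minute wait are all assumptions.

```python
"""Model of two brute-force-then-success correlation strategies.

Added example, not part of the original post and not Graylog's own
correlation engine. The log format and all windows/thresholds below
are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# <ISO timestamp> <FAILED|SUCCESS> user=<name> src=<ip>
SAMPLE_LOG = """\
2024-01-01T10:00:00 FAILED user=uudecode src=203.0.113.5
2024-01-01T10:00:01 FAILED user=uudecode src=203.0.113.5
2024-01-01T10:00:02 FAILED user=uudecode src=203.0.113.5
2024-01-01T10:00:03 FAILED user=uudecode src=203.0.113.5
2024-01-01T10:00:04 FAILED user=uudecode src=203.0.113.5
2024-01-01T10:00:07 SUCCESS user=uudecode src=203.0.113.5
2024-01-01T10:30:00 SUCCESS user=alice src=198.51.100.7
2024-01-01T11:00:00 FAILED user=bob src=203.0.113.9
2024-01-01T11:00:01 FAILED user=bob src=203.0.113.9
2024-01-01T11:00:02 FAILED user=bob src=203.0.113.9
2024-01-01T11:00:03 FAILED user=bob src=203.0.113.9
2024-01-01T11:00:04 FAILED user=bob src=203.0.113.9
2024-01-01T11:05:00 SUCCESS user=bob src=203.0.113.9
2024-01-01T12:00:00 FAILED user=carol src=198.51.100.2
2024-01-01T12:00:01 FAILED user=carol src=198.51.100.2
2024-01-01T12:00:05 SUCCESS user=carol src=198.51.100.2
"""


def parse_line(line):
    """Turn one assumed-format log line into a dict."""
    ts, outcome, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "outcome": outcome,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def load_events(text):
    """Parse all lines and return them in time order (correlation needs ordering)."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect_lookback(events, threshold=5, lookback=timedelta(minutes=10)):
    """Option 1: on every SUCCESS, look back for recent FAILED for that user.

    Returns a list of (user, success_time, failure_count) alerts.
    """
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    alerts = []
    for ev in events:
        q = failures[ev["user"]]
        if ev["outcome"] == "FAILED":
            q.append(ev["ts"])
            continue
        # Drop failures that fall outside the lookback window.
        while q and ev["ts"] - q[0] > lookback:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["user"], ev["ts"], len(q)))
        q.clear()  # a success consumes the failures so they are not re-alerted
    return alerts


def detect_forward_wait(events, threshold=5,
                        burst=timedelta(seconds=30), wait=timedelta(minutes=1)):
    """Option 2: once a burst of FAILED is seen, wait `wait` for a SUCCESS.

    Returns a list of (user, success_time) alerts.
    """
    failures = defaultdict(deque)  # user -> timestamps inside the burst window
    armed = {}                     # user -> deadline until which a SUCCESS alerts
    alerts = []
    for ev in events:
        user = ev["user"]
        if ev["outcome"] == "FAILED":
            q = failures[user]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > burst:
                q.popleft()
            if len(q) >= threshold:
                armed[user] = ev["ts"] + wait  # (re)arm while the burst continues
            continue
        deadline = armed.pop(user, None)
        if deadline is not None and ev["ts"] <= deadline:
            alerts.append((user, ev["ts"]))
    return alerts


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    print("lookback:", detect_lookback(evs))
    print("forward wait:", detect_forward_wait(evs))
```

In the sample data both strategies alert on uudecode (five failures, then a success three seconds later), but only the lookback strategy alerts on bob, whose success comes five minutes after the burst: a one-minute forward wait misses an attacker who pauses before using the guessed password, while a long lookback catches it at the cost of holding failure state per account. Neither fires for carol (two failures, below threshold) or alice (no failures). Whichever direction you choose, keep the correlation keyed on the account and, where possible, the source IP, and size the window to how long you expect the attacker to wait.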