[rules-users] CEP Rule Help Needed

Nestor Tarin Burriel nestabur at gmail.com
Wed Jul 22 05:30:16 EDT 2009


Hi Edson,

Thanks for the fix, but the problem still happens :(

Here is my complete .drl file:

package Correlator
global com.s2grupo.triton.global.Context Context

declare Snort
    @role( event )
    icmp_code: String
    tcp_sport: String
    data: String
    sig_rev: String
    tcp_dport: String
    udp_sport: String
    hostname: String
    interface: String
    sig_priority: String
    icmp_type: String
    id: java.lang.Long
    sig_class_name: String
    ip_dst: String
    sig_name: String
    udp_dport: String
    ip_src: String
    event_date: java.util.Date
end

rule "SnortRule"
    salience 2
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst,
                     this after [5m] $s1) from entry-point "Correlator"
    then
        System.out.println("****************** Snort Alert!!!!" + $s1.getData());
        retract($s1);
end


rule "SnortRuleRetract"
    salience 1
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id,
                      this after [0m,5m] $s1) from entry-point "Correlator"
    then
        retract($s2);
        System.out.println(" ********* Deleting Fact From WM");
end


rule "SnortRule0"
    salience 0
    dialect "mvel"
    when
        $s1 : Snort( this.sig_name != "(portscan) Open Port") from entry-point "Correlator"
    then
        System.out.println("********* Snort Alert 0!!" + $s1.getData());
end

As you can see, I'm trying to correlate Snort events with Drools.

With this scenario, the only rule that is firing is "SnortRule0".

2009/7/21 Edson Tirelli <tirelli at post.com>

>
>    Your rule is wrong, as you are defining 3 patterns and the second
> pattern is looking for a fact in the main entry point, not your defined
> "MyEntryPoint".
>    Fix it by doing:
>
> $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after [0m,5m] $s1) from entry-point "MyEntryPoint"
>
>    []s
>    Edson
>
> 2009/7/21 nestabur <nestabur at gmail.com>
>
>
>> Hi all,
>>
>> I'm going crazy trying to create a CEP rule in Drools 5.0.1 :(
>>
>> The rule is:
>> ===============
>> rule "RetractOlderFacts"
>>        dialect "mvel"
>>        when
>>                $s1 : MyModel( name != "aaa") from entry-point "MyEntryPoint"
>>                $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1)
>>                and MyModel ( this after [0m,5m] $s1) from entry-point "MyEntryPoint"
>>        then
>>                retract($s2);
>>                System.out.println(" ********* Retracting from WM");
>> end
>> ===============
>>
>> The scenario is:
>> "After receiving a fact "MyModel" whose name != "aaa", if another arrives
>> with the same ip and a different id after a period of between 0 and 5 minutes, the
>> rule has to retract the last one and keep the first fact (the older one)"
>>
>> After receiving hundreds and hundreds of facts via JMS that may match the
>> rule condition, the rule never fires!
>>
>> Is the rule correct?
>> Could the problem be in the rule engine implementation?
>>
>> Could anyone help me, please?
>>
>> Thanks in advance,
>>
>> nestabur
>> --
>> View this message in context:
>> http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html
>> Sent from the drools - user mailing list archive at Nabble.com.
>>
>> _______________________________________________
>> rules-users mailing list
>> rules-users at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/rules-users
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/rules-users/attachments/20090722/e0c099fd/attachment.html 
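An added example, not code from this thread and not Drools' or the poster's own code: the scenario from the original post (keep the first Snort event for an ip_dst, retract a second one with a different id that arrives within 0 to 5 minutes, alert on one that arrives 5 minutes or later) written against the Drools 5 Fusion API, with a driver that compiles the rules and replays three constructed events on a pseudo clock. Assumptions beyond what the thread shows: the knowledge base runs in STREAM mode, the event timestamp is taken from event_date via @timestamp rather than from insertion time, the dedupe rule also requires ip_dst equality (the original post's scenario asks for "same ip", which the posted SnortRuleRetract does not check), @expires(1h) bounds working memory because after[5m] has no upper bound, and the signature name, IP and ids are made up. The kbuilder.hasErrors() check is the first thing to confirm when a rule never fires.

```java
import java.util.Date;
import java.util.concurrent.TimeUnit;

import org.drools.KnowledgeBase;
import org.drools.KnowledgeBaseConfiguration;
import org.drools.KnowledgeBaseFactory;
import org.drools.builder.KnowledgeBuilder;
import org.drools.builder.KnowledgeBuilderFactory;
import org.drools.builder.ResourceType;
import org.drools.conf.EventProcessingOption;
import org.drools.definition.type.FactType;
import org.drools.io.ResourceFactory;
import org.drools.runtime.KnowledgeSessionConfiguration;
import org.drools.runtime.StatefulKnowledgeSession;
import org.drools.runtime.conf.ClockTypeOption;
import org.drools.runtime.rule.WorkingMemoryEntryPoint;
import org.drools.time.SessionPseudoClock;

/** Added example (not from the thread): Snort alert dedupe and repeat detection with Drools 5 Fusion. */
public class SnortCorrelatorDemo {

    // Event type plus two rules. Every pattern names the "Correlator" entry point,
    // the timestamp comes from the sensor's event_date, and @expires bounds working
    // memory because the repeat rule's after[5m] is open-ended (assumed settings).
    static final String DRL =
        "package Correlator\n" +
        "declare Snort\n" +
        "    @role( event )\n" +
        "    @timestamp( event_date )\n" +
        "    @expires( 1h )\n" +
        "    id : java.lang.Long\n" +
        "    ip_dst : String\n" +
        "    sig_name : String\n" +
        "    data : String\n" +
        "    event_date : java.util.Date\n" +
        "end\n" +
        "rule \"DropDuplicateWithinWindow\"\n" +
        "    salience 1\n" +
        "    when\n" +
        "        $first : Snort( sig_name != \"(portscan) Open Port\" ) from entry-point \"Correlator\"\n" +
        "        $dup : Snort( sig_name != \"(portscan) Open Port\", id != $first.id, ip_dst == $first.ip_dst,\n" +
        "                      this after[ 0ms, 5m ] $first ) from entry-point \"Correlator\"\n" +
        "    then\n" +
        "        retract( $dup );\n" +          // keep the older event, drop the newer one
        "end\n" +
        "rule \"AlertOnRepeatAfterWindow\"\n" +
        "    salience 0\n" +
        "    when\n" +
        "        $first : Snort( sig_name != \"(portscan) Open Port\" ) from entry-point \"Correlator\"\n" +
        "        $repeat : Snort( sig_name != \"(portscan) Open Port\", id != $first.id, ip_dst == $first.ip_dst,\n" +
        "                         this after[ 5m ] $first ) from entry-point \"Correlator\"\n" +
        "    then\n" +
        "        System.out.println( \"Snort alert: repeated hit on \" + $repeat.getIp_dst() );\n" +
        "        retract( $first );\n" +        // the newer event becomes the reference point
        "end\n";

    public static void main(String[] args) throws Exception {
        KnowledgeBuilder kbuilder = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kbuilder.add(ResourceFactory.newByteArrayResource(DRL.getBytes("UTF-8")), ResourceType.DRL);
        if (kbuilder.hasErrors()) {                       // a silent rule is often one that never compiled
            throw new IllegalStateException(kbuilder.getErrors().toString());
        }
        KnowledgeBaseConfiguration kbconf = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
        kbconf.setOption(EventProcessingOption.STREAM);   // temporal operators and expiration need STREAM mode
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(kbconf);
        kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());

        KnowledgeSessionConfiguration ksconf = KnowledgeBaseFactory.newKnowledgeSessionConfiguration();
        ksconf.setOption(ClockTypeOption.get("pseudo"));  // drive time by hand instead of waiting 5 minutes
        StatefulKnowledgeSession ksession = kbase.newStatefulKnowledgeSession(ksconf, null);
        SessionPseudoClock clock = ksession.getSessionClock();
        WorkingMemoryEntryPoint ep = ksession.getWorkingMemoryEntryPoint("Correlator");
        FactType snort = kbase.getFactType("Correlator", "Snort");

        insert(ep, snort, clock, 1L, "10.0.0.5", "ET SCAN Nmap");   // t=0: first hit, nothing fires
        ksession.fireAllRules();
        clock.advanceTime(1, TimeUnit.MINUTES);
        insert(ep, snort, clock, 2L, "10.0.0.5", "ET SCAN Nmap");   // t=1m: duplicate, id 2 is retracted
        ksession.fireAllRules();
        clock.advanceTime(6, TimeUnit.MINUTES);
        insert(ep, snort, clock, 3L, "10.0.0.5", "ET SCAN Nmap");   // t=7m: alert, id 1 is retracted
        ksession.fireAllRules();
        System.out.println("facts left in entry point: " + ep.getObjects().size()); // expect 1 (id 3)
        ksession.dispose();
    }

    // Constructed sample event; a real deployment would map the JMS message onto the declared type.
    static void insert(WorkingMemoryEntryPoint ep, FactType type, SessionPseudoClock clock,
                       long id, String ipDst, String sigName) throws Exception {
        Object e = type.newInstance();
        type.set(e, "id", id);
        type.set(e, "ip_dst", ipDst);
        type.set(e, "sig_name", sigName);
        type.set(e, "data", "constructed sample payload");
        type.set(e, "event_date", new Date(clock.getCurrentTime()));
        ep.insert(e);
    }
}
```

With a realtime clock in production the same rules apply unchanged; the pseudo clock only exists so the 5-minute boundary can be exercised in a test. Because the two rules overlap at exactly 5 minutes (after[0ms,5m] and after[5m] both include the boundary), the higher salience on the dedupe rule decides the tie in favour of retracting the newer event.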

