[rules-users] CEP Rule Help Needed

Greg Barton greg_barton at yahoo.com
Wed Jul 22 15:36:38 EDT 2009


Ah, overlooked that second rule.  Have you tried the overlap operator?

So, just to clarify, the purpose of the two rules should be:

SnortRule: If two Snort events that are not port scans of an open port on the same destination arrive more than 5 minutes apart, delete the earlier one. 

SnortRuleRetract: If two Snort events that are not port scans of an open port on any two destinations arrive within 5 minutes of each other, delete the earlier one.

Have you tried removing the temporal operators completely, just for testing purposes?  What happens?  i.e.

"TimelessSnortRule"
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst) from entry-point "Correlator"

"TimelessSnortRuleRetract"
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id) from entry-point "Correlator"
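
Added example, not code from this thread or from the Drools project: a small Python simulation of the `after` and `overlaps` semantics quoted from the Fusion docs further down the thread, run over a handful of constructed Snort alerts, to show which ($s1, $s2) pairs each rule variant discussed here would match. The `Snort` class, the signature names, the addresses and the timestamps are assumptions made for the example; the engine itself tries every ordered pair of facts, and the simulation does the same.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import permutations

PORTSCAN = "(portscan) Open Port"   # signature excluded by both rules in the thread
T0 = datetime(2009, 7, 22, 12, 0)   # constructed base time for the sample alerts
FIVE = timedelta(minutes=5)


@dataclass(frozen=True)
class Snort:
    """Minimal stand-in for the Snort event type used in the thread (assumed shape)."""
    id: int
    sig_name: str
    ip_dst: str
    start: datetime
    duration: timedelta = timedelta(0)   # 0 = point event; @duration(5m) would be 5 minutes

    @property
    def end(self) -> datetime:
        return self.start + self.duration


def after(this, other, lower, upper=None):
    """'this after [lower, upper] other' as the Fusion docs define it:
    lower <= this.start - other.end <= upper, with upper omitted meaning +infinity."""
    gap = this.start - other.end
    return gap >= lower and (upper is None or gap <= upper)


def overlaps(this, other):
    """'this overlaps other' per Drools Fusion:
    this.start < other.start < this.end < other.end."""
    return this.start < other.start < this.end < other.end


def matches(events, condition):
    """Try every ordered ($s1, $s2) pair of distinct events, as the engine does,
    skip port-scan alerts like the rules do, and return the matching (s1.id, s2.id) pairs."""
    return [(s1.id, s2.id)
            for s1, s2 in permutations(events, 2)
            if PORTSCAN not in (s1.sig_name, s2.sig_name) and condition(s1, s2)]


def fire(events, condition):
    """Mirror the consequence 'retract($s1)' for every match; return the surviving ids."""
    retracted = {s1_id for s1_id, _ in matches(events, condition)}
    return [e.id for e in events if e.id not in retracted]


def sample(duration=timedelta(0)):
    """Constructed sample alerts (not real Snort output); minutes are offsets from T0."""
    def mk(i, sig, dst, minutes):
        return Snort(i, sig, dst, T0 + timedelta(minutes=minutes), duration)
    return [
        mk(1, "ET SCAN Suspicious inbound", "10.0.0.5", 0),
        mk(2, "ET SCAN Suspicious inbound", "10.0.0.5", 2),
        mk(3, PORTSCAN,                     "10.0.0.5", 3),
        mk(4, "ET SCAN Suspicious inbound", "10.0.0.9", 4),
        mk(5, "ET SCAN Suspicious inbound", "10.0.0.5", 9),
    ]


# SnortRule as posted: same destination, "this after [5m] $s1"  -> gap >= 5m, no upper bound
def snort_rule(s1, s2):
    return s2.id != s1.id and s2.ip_dst == s1.ip_dst and after(s2, s1, FIVE)


# Suggested fix: same destination, "this after [0m,5m] $s1" -> 0 <= gap <= 5m
def snort_rule_window(s1, s2):
    return s2.id != s1.id and s2.ip_dst == s1.ip_dst and after(s2, s1, timedelta(0), FIVE)


# SnortRuleRetract as posted: any destination, "this after [0m,5m] $s1"
def snort_rule_retract(s1, s2):
    return s2.id != s1.id and after(s2, s1, timedelta(0), FIVE)


# Alternative: @duration(5m) on Snort and "this overlaps $s1", same destination
def snort_rule_overlaps(s1, s2):
    return s2.id != s1.id and s2.ip_dst == s1.ip_dst and overlaps(s2, s1)


if __name__ == "__main__":
    ev = sample()
    print("after [5m]   :", matches(ev, snort_rule))          # [(1, 5), (2, 5)]
    print("after [0m,5m]:", matches(ev, snort_rule_window))   # [(1, 2)]
    print("any dst      :", matches(ev, snort_rule_retract))  # [(1, 2), (1, 4), (2, 4), (4, 5)]
    print("overlaps     :", matches(sample(FIVE), snort_rule_overlaps))  # [(2, 1)]
    print("survivors    :", fire(ev, snort_rule_window))      # [2, 3, 4, 5]
```

Two things the output makes visible that the rule text alone does not: with `after [5m]` the two alerts two minutes apart on 10.0.0.5 never pair up, only the one nine minutes later does, so a "duplicate within five minutes" rule written that way fires on the wrong events; and with `this overlaps $s1` the binding that satisfies the operator has `$s1` as the later alert, so `retract($s1)` removes the newer event rather than the older one. The `[0m,5m]` upper bound is inclusive, which is why the pair exactly five minutes apart (4, 5) matches in the any-destination variant.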


--- On Wed, 7/22/09, Nestor Tarin Burriel <nestabur at gmail.com> wrote:

> From: Nestor Tarin Burriel <nestabur at gmail.com>
> Subject: Re: [rules-users] CEP Rule Help Needed
> To: "Rules Users List" <rules-users at lists.jboss.org>
> Date: Wednesday, July 22, 2009, 1:47 PM
> Thanks Greg,
> 
> As you can see in the code I sent, I have the 2
> implementations:
> 
> "SnortRule"
> 
>         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
> 
>         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
> 
> 
> "SnortRuleRetract"
>         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>         $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"
> 
> 
> and any of them are thrown
> 
> ...
> 
> 2009/7/22 Greg Barton <greg_barton at yahoo.com>
> 
> Maybe this is a problem of language.  Here's what you
> say the rule should do:
> 
> 'After receiving a fact "MyModel" whose name
> != "aaa", if another arrives
> with the same ip and a different id after a
> period between 0 and 5 minutes the
> rule has to retract the last one and keep the first
> fact (the older one)'
> 
> Which I would interpret as "Event 1 comes in, then
> event 2 comes in between 0 and 5 minutes later."  Does
> that sound right?
> 
> And here's the rule that you think fits the
> requirements:
> 
> rule "SnortRule"
>     salience 2
>     dialect "mvel"
>     when
>         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
>     then
>         System.out.println("****************** Snort Alert!!!!" + $s1.getData());
>         retract($s1);
> end
> 
> 
> 
> Check out the docs, though:
> 
> https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
> 
> The after operator in this case would check that (5m <=
> $s2.startTimestamp - $s1.endTimeStamp <= +infinity).
> 
> So the rule actually implements "Event 1 comes in,
> then event 2 happens at least 5 minutes later."
> 
> 
> 
> If you use the second argument of after I think it would
> work:
> 
> $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1) from entry-point "Correlator"
> 
> According to the docs this should check that (0m <=
> $s2.startTimestamp - $s1.endTimeStamp <= 5m).
> 
> You could alternately use "overlaps".  Place an
> @duration(5m) annotation on the Snort declaration and try
> this condition:
> 
> $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1) from entry-point "Correlator"
> 
> _______________________________________________
> rules-users mailing list
> rules-users at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/rules-users