[rules-users] CEP Rule Help Needed

Nestor Tarin Burriel nestabur at gmail.com
Thu Jul 23 04:06:47 EDT 2009


Yes, that is the purpose ;)

I will try ;)

Thanks 4 your help

2009/7/22 Greg Barton <greg_barton at yahoo.com>

>
> Ah, overlooked that second rule.  Have you tried the overlap operator?
>
> So, just to clarify, the purpose of the two rules should be:
>
> SnortRule: If two Snort events that are not port scans of an open port on
> the same destination arrive more than 5 minutes apart, delete the earlier
> one.
>
> SnortRuleRetract: If two Snort events that are not port scans of an open
> port on any two destinations arrive within 5 minutes of each other, delete
> the earlier one.
>
> Have you tried removing the temporal operators completely, just for testing
> purposes?  What happens?  i.e.
>
> "TimelessSnortRule"
>         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst ) from entry-point "Correlator"
>
> "TimelessSnortRuleRetract"
>         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id ) from entry-point "Correlator"
>
>
> --- On Wed, 7/22/09, Nestor Tarin Burriel <nestabur at gmail.com> wrote:
>
> > From: Nestor Tarin Burriel <nestabur at gmail.com>
> > Subject: Re: [rules-users] CEP Rule Help Needed
> > To: "Rules Users List" <rules-users at lists.jboss.org>
> > Date: Wednesday, July 22, 2009, 1:47 PM
> > Thanks Greg,
> >
> > As you can see in the code I sent, I have the 2
> > implementations:
> >
> > "SnortRule"
> >
> >         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
> >
> >         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point "Correlator"
> >
> >
> > "SnortRuleRetract"
> >         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
> >         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, this after [0m,5m] $s1 ) from entry-point "Correlator"
> >
> >
> > and none of them are thrown
> >
> > ...
> >
> > 2009/7/22 Greg Barton <greg_barton at yahoo.com>
> >
> > Maybe this is a problem of language.  Here's what you
> > say the rule should do:
> >
> > 'After receiving a fact "MyModel" whose name != "aaa", if another arrives
> > with the same ip and a different id after a period between 0 and 5 minutes,
> > the rule has to retract the last one and keep the first fact (the older one)'
> >
> > Which I would interpret as "Event 1 comes in, then
> > event 2 comes in between 0 and 5 minutes later."  Does
> > that sound right?
> >
> > And here's the rule that you think fits the
> > requirements:
> >
> > rule "SnortRule"
> >     salience 2
> >     dialect "mvel"
> >     when
> >         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
> >         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point "Correlator"
> >     then
> >         System.out.println("****************** Snort Alert!!!!" + $s1.getData());
> >         retract($s1);
> > end
> >
> > Check out the docs, though:
> >
> https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
> >
> > The after operator in this case would check that (5m <=
> > $s2.startTimestamp - $s1.endTimeStamp <= +infinity).
> >
> > So the rule actually implements "Event 1 comes in,
> > then event 2 happens at least 5 minutes later."
> >
> > If you use the second argument of after I think it would
> > work:
> >
> > $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1 ) from entry-point "Correlator"
> >
> > According to the docs this should check that (0m <=
> > $s2.startTimestamp - $s1.endTimeStamp <= 5m).
> >
> > You could alternately use "overlaps".  Place an
> > @duration(5m) annotation on the Snort declaration and try
> > this condition:
> >
> > $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1 ) from entry-point "Correlator"
> >
> > _______________________________________________
> > rules-users mailing list
> > rules-users at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/rules-users
>
>
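An added example, not code from this thread or from Drools: a small Python model of the `after` semantics Greg quotes from the docs (lower <= $s2.start - $s1.end <= upper), run over a constructed Snort-like stream so the difference between `after [5m]` and `after [0m,5m]` and the stated "keep the first, retract the later one" requirement can be checked outside the engine. The `Snort` class, its fields, and the sample alerts are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
OPEN_PORT = "(portscan) Open Port"  # signature both rules exclude

@dataclass(frozen=True)
class Snort:  # assumed event shape; point event, so start == end (no @duration modelled)
    id: int
    sig_name: str
    ip_dst: str
    ts: datetime

def after(s2, s1, lower, upper=None):
    """'$s2 this after [lower, upper] $s1': lower <= s2.start - s1.end <= upper (None = +infinity)."""
    gap = s2.ts - s1.ts
    return gap >= lower and (upper is None or gap <= upper)

def matches(events, lower, upper=None, same_dst=True):
    """($s1.id, $s2.id) pairs that would activate the rule's 'when' block."""
    out = []
    for s1 in events:
        if s1.sig_name == OPEN_PORT:
            continue
        for s2 in events:
            if s2.sig_name == OPEN_PORT or s2.id == s1.id:
                continue
            if same_dst and s2.ip_dst != s1.ip_dst:
                continue
            if after(s2, s1, lower, upper):
                out.append((s1.id, s2.id))
    return out

def keep_oldest(events, window):
    """Requirement as stated: a second same-destination alert within `window` is retracted, the first kept."""
    kept = []
    for s2 in sorted(events, key=lambda e: e.ts):
        dup = s2.sig_name != OPEN_PORT and any(
            s1.sig_name != OPEN_PORT and s1.ip_dst == s2.ip_dst
            and after(s2, s1, timedelta(0), window) for s1 in kept)
        if not dup:
            kept.append(s2)
    return [e.id for e in kept]

T0, M = datetime(2009, 7, 22, 13, 0), timedelta(minutes=1)
EVENTS = [  # constructed sample stream, not real Snort output
    Snort(1, "Suspicious Traffic", "10.0.0.5", T0),
    Snort(2, "Suspicious Traffic", "10.0.0.5", T0 + 2 * M),
    Snort(3, OPEN_PORT, "10.0.0.5", T0 + 3 * M),             # filtered by sig_name
    Snort(4, "Suspicious Traffic", "10.0.0.5", T0 + 8 * M),
    Snort(5, "Suspicious Traffic", "10.0.0.9", T0 + 1 * M),  # other destination
]
```

With `after [5m]` only the pairs at least five minutes apart activate (1 with 4, 2 with 4), while `after [0m,5m]` activates only the pair two minutes apart (1 with 2), which is the gap Greg points out between the rule as written and the requirement.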