[rules-users] CEP Rule Help Needed

Nestor Tarin Burriel nestabur at gmail.com
Thu Jul 23 10:47:56 EDT 2009


Finally I've solved my problem. It was in the engine:

Looking at the doc, for inserting a new fact into a stream of the working
memory it says:

 ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert();

Which is perfect but not for my environment ;), I was inserting the events in
different WMs because in each one I did
ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert(myFact); so I
solved it doing:

WorkingMemoryEntryPoint myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);

for (Fact a : facts) {
    myWorkingMemoryEP.insert(a);
}

I don't know if this is the correct use of EntryPoints but it works!

Thanks to everybody especially Greg and Priya :)
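As an added example (not code from this thread, and not Drools' own sample code), here is a complete Drools 5 program that does what Nestor ends up with: one STREAM-mode session with a pseudo clock, every alert inserted into the same "Correlator" entry point looked up once, and the rule written with the `after[0m,5m]` form Greg explains in the quoted reply, so the newer duplicate is retracted and the older alert is kept. The Snort type (fields id, sig_name, ip_dst declared in the DRL), the sample alerts and the signature text are assumptions made for illustration.

```java
import java.util.Collection;
import java.util.concurrent.TimeUnit;

import org.drools.KnowledgeBase;
import org.drools.KnowledgeBaseConfiguration;
import org.drools.KnowledgeBaseFactory;
import org.drools.builder.KnowledgeBuilder;
import org.drools.builder.KnowledgeBuilderFactory;
import org.drools.builder.ResourceType;
import org.drools.conf.EventProcessingOption;
import org.drools.definition.type.FactType;
import org.drools.io.ResourceFactory;
import org.drools.runtime.KnowledgeSessionConfiguration;
import org.drools.runtime.StatefulKnowledgeSession;
import org.drools.runtime.conf.ClockTypeOption;
import org.drools.runtime.rule.WorkingMemoryEntryPoint;
import org.drools.time.SessionPseudoClock;

public class SnortCorrelatorExample {

    // Snort is declared inside the DRL (assumed shape: id, sig_name, ip_dst), so no
    // Java bean is needed on the classpath. @role(event) makes every insert an event
    // stamped with the session clock at insertion time.
    static final String DRL =
        "package snort.correlator\n" +
        "declare Snort\n" +
        "    @role( event )\n" +
        "    id : long\n" +
        "    sig_name : String\n" +
        "    ip_dst : String\n" +
        "end\n" +
        "rule \"SnortRuleRetract\"\n" +
        "    dialect \"mvel\"\n" +
        "    when\n" +
        "        $s1 : Snort( sig_name != \"(portscan) Open Port\" ) from entry-point \"Correlator\"\n" +
        "        $s2 : Snort( sig_name != \"(portscan) Open Port\", id != $s1.id, ip_dst == $s1.ip_dst,\n" +
        "                     this after[0m,5m] $s1 ) from entry-point \"Correlator\"\n" +
        "    then\n" +
        "        retract( $s2 );   // keep the older alert, drop the repeat\n" +
        "        System.out.println( \"retracted duplicate alert id=\" + $s2.id );\n" +
        "end\n";

    public static void main(String[] args) throws Exception {
        KnowledgeBuilder kbuilder = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kbuilder.add(ResourceFactory.newByteArrayResource(DRL.getBytes("UTF-8")), ResourceType.DRL);
        if (kbuilder.hasErrors()) {
            throw new IllegalStateException(kbuilder.getErrors().toString());
        }

        // STREAM mode is the event-processing mode Drools Fusion expects for temporal operators.
        KnowledgeBaseConfiguration kbaseConf = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
        kbaseConf.setOption(EventProcessingOption.STREAM);
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(kbaseConf);
        kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());

        // A pseudo clock lets the program advance time by hand instead of sleeping.
        KnowledgeSessionConfiguration sessionConf = KnowledgeBaseFactory.newKnowledgeSessionConfiguration();
        sessionConf.setOption(ClockTypeOption.get("pseudo"));
        StatefulKnowledgeSession ksession = kbase.newStatefulKnowledgeSession(sessionConf, null);
        SessionPseudoClock clock = ksession.getSessionClock();

        // ONE session and ONE entry point, looked up once: facts inserted into separate
        // sessions never see each other, which is what kept the rule from firing.
        WorkingMemoryEntryPoint correlator = ksession.getWorkingMemoryEntryPoint("Correlator");
        FactType snortType = kbase.getFactType("snort.correlator", "Snort");

        // Constructed sample alerts: three hits on the same destination host.
        insertAlert(correlator, snortType, 1, "WEB-MISC cross site scripting attempt", "10.0.0.5");
        ksession.fireAllRules();

        clock.advanceTime(2, TimeUnit.MINUTES);   // inside the [0m,5m] window after alert 1
        insertAlert(correlator, snortType, 2, "WEB-MISC cross site scripting attempt", "10.0.0.5");
        ksession.fireAllRules();                  // rule fires and retracts alert 2

        clock.advanceTime(10, TimeUnit.MINUTES);  // 12 minutes after alert 1, outside the window
        insertAlert(correlator, snortType, 3, "WEB-MISC cross site scripting attempt", "10.0.0.5");
        ksession.fireAllRules();                  // no match, alert 3 stays

        Collection<Object> remaining = correlator.getObjects();
        System.out.println("alerts kept in Correlator: " + remaining.size());
        ksession.dispose();
    }

    // Builds a Snort event from the DRL-declared type and inserts it into the entry point.
    private static void insertAlert(WorkingMemoryEntryPoint ep, FactType type, long id,
                                    String sigName, String ipDst) throws Exception {
        Object alert = type.newInstance();
        type.set(alert, "id", id);
        type.set(alert, "sig_name", sigName);
        type.set(alert, "ip_dst", ipDst);
        ep.insert(alert);
    }
}
```

The window check is the one Greg quotes from the docs: with point events the `after[0m,5m]` constraint holds when 0m <= $s2.startTimestamp - $s1.endTimestamp <= 5m, so alert 2 is dropped and alert 3 is not. Because the rule only retracts and never inserts, there is no risk of it re-triggering itself; if a production version also raised a consolidated alert, that alert should go into a different entry point or type so the correlation rule cannot match its own output.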

2009/7/23 PriyaKathan <nash.8103 at gmail.com>

> Hi
>
> Find attached a working example for a CEP rule with the scenario you stated.
> Here I used a pseudo clock.
> Hope this would help you to understand better.
>
> Regards,
> Priya
>
>
> 2009/7/23 Nestor Tarin Burriel <nestabur at gmail.com>
>
>> Hi again Greg,
>>
>> I've tried your suggestion and it seems like the facts that the rule is
>> checking are the same.
>>
>> This is my last try:
>>
>> rule "SnortRuleRetract"
>>     dialect "mvel"
>>     when
>>         $s1 : Snort( sig_name != "(portscan) Open Port")
>>         $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id)
>>     then
>>         retract($s2);
>>         System.out.println(" ********* Deleting from WM");
>> end
>>
>> And is never fired ...
>>
>> There are no more rules in the package, this is the only one ... so I
>> don't understand anything ... could the error be in the engine? I don't
>> retract any fact ... as you can see in my code ...
>>
>> NEStor
>>
>> 2009/7/23 Nestor Tarin Burriel <nestabur at gmail.com>
>>
>>> Yes, that is the purpose ;)
>>>
>>> I will try ;)
>>>
>>> Thanks 4 your help
>>>
>>>
>>> 2009/7/22 Greg Barton <greg_barton at yahoo.com>
>>>
>>>>
>>>> Ah, overlooked that second rule.  Have you tried the overlap operator?
>>>>
>>>> So, just to clarify, the purpose of the two rules should be:
>>>>
>>>> SnortRule: If two Snort events that are not port scans of an open port
>>>> on the same destination arrive more than 5 minutes apart, delete the earlier
>>>> one.
>>>>
>>>> SnortRuleRetract: If two Snort events that are not port scans of an open
>>>> port on any two destinations arrive within 5 minutes of each other, delete
>>>> the earlier one.
>>>>
>>>> Have you tried removing the temporal operators completely, just for
>>>> testing purposes?  What happens?  i.e.
>>>>
>>>> "TimelessSnortRule"
>>>>         $s1 : Snort( sig_name != "(portscan) Open Port") from
>>>> entry-point "Correlator"
>>>>         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id,
>>>> ip_dst == $s1.ip_dst) from entry-point "Correlator"
>>>>
>>>> "TimelessSnortRuleRetract"
>>>>         $s1 : Snort( sig_name != "(portscan) Open Port") from
>>>> entry-point "Correlator"
>>>>         $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id)
>>>> from entry-point "Correlator"
>>>>
>>>>
>>>> --- On Wed, 7/22/09, Nestor Tarin Burriel <nestabur at gmail.com> wrote:
>>>>
>>>> > From: Nestor Tarin Burriel <nestabur at gmail.com>
>>>> > Subject: Re: [rules-users] CEP Rule Help Needed
>>>> > To: "Rules Users List" <rules-users at lists.jboss.org>
>>>> > Date: Wednesday, July 22, 2009, 1:47 PM
>>>> > Thanks Greg,
>>>> >
>>>> > As you can see in the code I sent, I have the 2 implementations:
>>>> >
>>>> > "SnortRule"
>>>> >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>>>> >         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
>>>> >
>>>> > "SnortRuleRetract"
>>>> >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>>>> >         $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"
>>>> >
>>>> > and neither of them is thrown
>>>> >
>>>> > ...
>>>> >
>>>> > 2009/7/22 Greg Barton <greg_barton at yahoo.com>
>>>> >
>>>> >
>>>> > Maybe this is a problem of language.  Here's what you say the rule should do:
>>>> >
>>>> > 'After receiving a fact "MyModel" which name != "aaa", if arrives another
>>>> > with same ip and different id after a period between 0 and 5 minutes the
>>>> > rule has to retract the last one and keep the first fact (the older one)'
>>>> >
>>>> > Which I would interpret as "Event 1 comes in, then event 2 comes in
>>>> > between 0 and 5 minutes later."  Does that sound right?
>>>> >
>>>> > And here's the rule that you think fits the requirements:
>>>> >
>>>> > rule "SnortRule"
>>>> >     salience 2
>>>> >     dialect "mvel"
>>>> >     when
>>>> >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>>>> >         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
>>>> >     then
>>>> >         System.out.println("****************** Snort Alert!!!!" + $s1.getData());
>>>> >         retract($s1);
>>>> > end
>>>> >
>>>> > Check out the docs, though:
>>>> >
>>>> > https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
>>>> >
>>>> > The after operator in this case would check that (5m <=
>>>> > $s2.startTimestamp - $s1.endTimeStamp <= +infinity).
>>>> >
>>>> > So the rule actually implements "Event 1 comes in, then event 2 happens
>>>> > at least 5 minutes later."
>>>> >
>>>> > If you use the second argument of after I think it would work:
>>>> >
>>>> > $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1) from entry-point "Correlator"
>>>> >
>>>> > According to the docs this should check that (0m <=
>>>> > $s2.startTimestamp - $s1.endTimeStamp <= 5m).
>>>> >
>>>> > You could alternately use "overlaps".  Place an @duration(5m) annotation
>>>> > on the Snort declaration and try this condition:
>>>> >
>>>> > $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1) from entry-point "Correlator"
>>>> >
>>>> > _______________________________________________
>>>> >
>>>> > rules-users mailing list
>>>> >
>>>> > rules-users at lists.jboss.org
>>>> >
>>>> > https://lists.jboss.org/mailman/listinfo/rules-users
>>>>
>>>>
>>>
>>>
>>
>>
>
>
> --
> Regards,
> PriyaKathan
>
>
>