[rules-users] CEP Rule Help Needed

Greg Barton greg_barton at yahoo.com
Thu Jul 23 11:46:53 EDT 2009


So do you mean this didn't work:

myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);

for (Fact a : Facts)
     ksession.getWorkingMemoryEntryPoint(correlatorName).insert(a);

...but this did?

myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);

for (Fact a : Facts)
     myWorkingMemoryEP.insert(a);


--- On Thu, 7/23/09, Nestor Tarin Burriel <nestabur at gmail.com> wrote:

> From: Nestor Tarin Burriel <nestabur at gmail.com>
> Subject: Re: [rules-users] CEP Rule Help Needed
> To: "Rules Users List" <rules-users at lists.jboss.org>
> Date: Thursday, July 23, 2009, 9:47 AM
> Finally I've solved my problem. It
> was in the engine:
> 
> Looking at the doc, for inserting a new fact into a stream of
> the working memory it says:
> 
>  ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert();
> 
> 
> Which is perfect but not for my environment ;), I was
> inserting the events in different WMs because in each one I
> did
> ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert(myFact);
> so I solved it doing:
> 
> 
> myWorkingMemoryEP =
> ksession.getWorkingMemoryEntryPoint(correlatorName);
> 
> for (Fact a : Facts)
>      myWorkingMemoryEP.insert(a);
> 
> I don't know if this is the correct use of EntryPoints but it
> works!
> 
> 
> Thanks to everybody especially Greg and Priya :)
> 
> 2009/7/23 PriyaKathan <nash.8103 at gmail.com>
> 
> Hi
> 
> Find attached a working example for a CEP rule with the
> scenario you stated. Here I used a Pseudo
> clock. Hope this helps you to understand it
> better.
> Regards,
> 
> Priya
> 
> 2009/7/23 Nestor Tarin Burriel
> <nestabur at gmail.com>
> 
> 
> Hi again Greg,
> 
> I've tried your suggestion and it seems like the facts
> that the rule is checking are the same.
> 
> This is my last try:
> 
> rule "SnortRuleRetract"
>     dialect "mvel"
>     when
>         $s1 : Snort( sig_name != "(portscan) Open Port" )
>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id )
>     then
>         retract($s2);
>         System.out.println(" ********* Deleting from WM");
> end
> 
> And it is never fired ...
> 
> There are no more rules in the package, this is the only
> one ... so I don't understand anything ... could the
> error be in the engine? I don't retract any fact ... as you can
> see in my code ...
> 
> 
> 
> 
> NEStor
> 
> 2009/7/23 Nestor Tarin Burriel
> <nestabur at gmail.com>
> 
> 
> 
> Yes, that is the purpose ;)
> 
> I will try ;)
> 
> Thanks 4 your help
> 
> 2009/7/22 Greg Barton <greg_barton at yahoo.com>
> 
> 
> 
> 
> 
> 
> Ah, overlooked that second rule.  Have you tried the
> overlap operator?
> 
> 
> 
> So, just to clarify, the purpose of the two rules should
> be:
> 
> 
> 
> SnortRule: If two Snort events that are not port scans of
> an open port on the same destination arrive more than 5
> minutes apart, delete the earlier one.
> 
> 
> 
> SnortRuleRetract: If two Snort events that are not port
> scans of an open port on any two destinations arrive within
> 5 minutes of each other, delete the earlier one.
> 
> 
> 
> Have you tried removing the temporal operators completely,
> just for testing purposes?  What happens?  i.e.
> 
> "TimelessSnortRule"
>         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst ) from entry-point "Correlator"
> 
> "TimelessSnortRuleRetract"
>         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id ) from entry-point "Correlator"
> 
> 
> 
> 
> 
> --- On Wed, 7/22/09, Nestor Tarin Burriel <nestabur at gmail.com>
> wrote:
> 
> 
> 
> > From: Nestor Tarin Burriel <nestabur at gmail.com>
> 
> > Subject: Re: [rules-users] CEP Rule Help Needed
> 
> > To: "Rules Users List" <rules-users at lists.jboss.org>
> 
> > Date: Wednesday, July 22, 2009, 1:47 PM
> 
> > Thanks Greg,
> >
> > As you can see in the code I sent, I have the 2
> > implementations:
> >
> > "SnortRule"
> >
> >         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
> >         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point "Correlator"
> >
> > "SnortRuleRetract"
> >
> >         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
> >         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, this after [0m,5m] $s1 ) from entry-point "Correlator"
> >
> > and none of them is fired
> >
> > ...
> 
> >
> 
> > 2009/7/22 Greg Barton <greg_barton at yahoo.com>
> 
> >
> 
> >
> 
> >
> 
> > Maybe this is a problem of language.  Here's what you
> > say the rule should do:
> >
> > 'After receiving a fact "MyModel" whose name
> > != "aaa", if another arrives
> > with same ip and different id after a
> > period between 0 and 5 minutes the
> > rule has to retract the last one and keep the first
> > fact (the older one)'
> >
> > Which I would interpret as "Event 1 comes in, then
> > event 2 comes in between 0 and 5 minutes later."  Does
> > that sound right?
> 
> >
> 
> >
> 
> >
> 
> > And here's the rule that you think fits the
> > requirements:
> >
> > rule "SnortRule"
> >     salience 2
> >     dialect "mvel"
> >     when
> >         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
> >         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point "Correlator"
> >     then
> >         System.out.println("****************** Snort Alert!!!!" + $s1.getData());
> >         retract($s1);
> > end
> 
> >
> 
> >
> 
> >
> 
> > Check out the docs, though:
> >
> > https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
> >
> > The after operator in this case would check that (5m <=
> > $s2.startTimestamp - $s1.endTimeStamp <= +infinity).
> >
> > So the rule actually implements "Event 1 comes in,
> > then event 2 happens at least 5 minutes later."
> 
> >
> 
> >
> 
> >
> 
> > If you use the second argument of after I think it would
> > work:
> >
> > $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1 ) from entry-point "Correlator"
> >
> > According to the docs this should check that (0m <=
> > $s2.startTimestamp - $s1.endTimeStamp <= 5m).
> >
> > You could alternately use "overlaps".  Place an
> > @duration(5m) annotation on the Snort declaration and try
> > this condition:
> >
> > $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1 ) from entry-point "Correlator"
> 
> > _______________________________________________
> > rules-users mailing list
> > rules-users at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/rules-users
> 
> -- 
> Regards,
> PriyaKathan
> 

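The fix Nestor landed on (look the entry point up once, insert every event through the same handle) and Greg's reading of `after [0m,5m]` (0m <= $s2.start - $s1.end <= 5m), put together as an added, runnable example. This is editor-supplied code, not from any post in the thread and not from the Drools project: it keeps the first non-port-scan Snort alert for a destination and retracts a second one with a different id that arrives up to 5 minutes later, which is the behaviour Nestor described (keep the older fact, retract the newer one). It assumes the Drools 5 API of the time (STREAM event-processing mode, a pseudo session clock, and a `declare ... @role(event)` type for the Snort event so no POJO is needed) and uses constructed sample alerts; the package name `snort.correlation`, the class name `SnortDedupDemo`, the signature strings and the IP addresses are all made up for the example.

```java
package snortdemo;

import java.io.StringReader;
import java.util.concurrent.TimeUnit;

import org.drools.KnowledgeBase;
import org.drools.KnowledgeBaseConfiguration;
import org.drools.KnowledgeBaseFactory;
import org.drools.builder.KnowledgeBuilder;
import org.drools.builder.KnowledgeBuilderFactory;
import org.drools.builder.ResourceType;
import org.drools.conf.EventProcessingOption;
import org.drools.definition.type.FactType;
import org.drools.io.ResourceFactory;
import org.drools.runtime.KnowledgeSessionConfiguration;
import org.drools.runtime.StatefulKnowledgeSession;
import org.drools.runtime.conf.ClockTypeOption;
import org.drools.runtime.rule.WorkingMemoryEntryPoint;
import org.drools.time.SessionPseudoClock;

/** Added example (not from the thread): dedup Snort alerts per destination within a 5-minute window. */
public class SnortDedupDemo {

    // The Snort event type is declared in the DRL itself (hypothetical package name), so no
    // external POJO is needed. No @timestamp is declared, so the session clock stamps each
    // event at insertion time; no @duration, so every event is a point in time (start == end).
    static final String DRL =
        "package snort.correlation\n" +
        "declare Snort\n" +
        "    @role( event )\n" +
        "    id : int\n" +
        "    sig_name : String\n" +
        "    ip_dst : String\n" +
        "end\n" +
        "rule \"SnortRuleRetract\"\n" +
        "when\n" +
        "    $s1 : Snort( sig_name != \"(portscan) Open Port\" ) from entry-point \"Correlator\"\n" +
        "    // 0m <= $s2.start - $s1.end <= 5m: $s2 is the later duplicate, so retract it and keep $s1\n" +
        "    $s2 : Snort( sig_name != \"(portscan) Open Port\", id != $s1.id, ip_dst == $s1.ip_dst,\n" +
        "                 this after [0m,5m] $s1 ) from entry-point \"Correlator\"\n" +
        "then\n" +
        "    System.out.println(\"Alert \" + $s2.getId() + \" duplicates \" + $s1.getId() + \" within 5m, retracting it\");\n" +
        "    retract( $s2 );\n" +
        "end\n";

    public static void main(String[] args) throws Exception {
        KnowledgeBuilder kbuilder = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kbuilder.add(ResourceFactory.newReaderResource(new StringReader(DRL)), ResourceType.DRL);
        if (kbuilder.hasErrors()) {
            throw new IllegalStateException(kbuilder.getErrors().toString());
        }

        // STREAM mode is what makes the temporal operators and event expiration meaningful.
        KnowledgeBaseConfiguration kbconf = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
        kbconf.setOption(EventProcessingOption.STREAM);
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(kbconf);
        kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());

        // Pseudo clock: the program drives time explicitly instead of sleeping for minutes.
        KnowledgeSessionConfiguration ksconf = KnowledgeBaseFactory.newKnowledgeSessionConfiguration();
        ksconf.setOption(ClockTypeOption.get("pseudo"));
        StatefulKnowledgeSession ksession = kbase.newStatefulKnowledgeSession(ksconf, null);
        SessionPseudoClock clock = ksession.getSessionClock();

        // Look the entry point up once and reuse the handle for every insert.
        WorkingMemoryEntryPoint correlator = ksession.getWorkingMemoryEntryPoint("Correlator");
        FactType snortType = kbase.getFactType("snort.correlation", "Snort");

        // Constructed sample alerts; signature names and addresses are made up.
        correlator.insert(newSnort(snortType, 1, "SCAN nmap script probe", "10.0.0.5"));
        ksession.fireAllRules();

        clock.advanceTime(3, TimeUnit.MINUTES);   // inside [0m,5m]: alert 2 is retracted, alert 1 is kept
        correlator.insert(newSnort(snortType, 2, "SCAN nmap script probe", "10.0.0.5"));
        ksession.fireAllRules();

        clock.advanceTime(10, TimeUnit.MINUTES);  // 13m after alert 1: outside the window, alert 3 is kept
        correlator.insert(newSnort(snortType, 3, "SCAN nmap script probe", "10.0.0.5"));
        ksession.fireAllRules();

        clock.advanceTime(1, TimeUnit.MINUTES);   // other destination: ip_dst constraint fails, alert 4 is kept
        correlator.insert(newSnort(snortType, 4, "SCAN nmap script probe", "10.0.0.9"));
        ksession.fireAllRules();

        correlator.insert(newSnort(snortType, 5, "(portscan) Open Port", "10.0.0.9")); // excluded by sig_name
        ksession.fireAllRules();

        ksession.dispose();
    }

    // Builds an instance of the DRL-declared event type and fills its three fields.
    private static Object newSnort(FactType type, int id, String sigName, String ipDst) throws Exception {
        Object event = type.newInstance();
        type.set(event, "id", id);
        type.set(event, "sig_name", sigName);
        type.set(event, "ip_dst", ipDst);
        return event;
    }
}
```

Because the declared type carries no @timestamp, it is `clock.advanceTime` between inserts that makes the `after` operator see a 3-minute gap for alert 2 versus a 13-minute gap for alert 3. Two points to keep in mind when adapting this: with a `[0m,5m]` window two alerts inserted at the same clock instant satisfy the pattern in both orders, and the first activation to fire retracts one of them and cancels the other, so exactly one survives; and in STREAM mode Drools Fusion uses the 5-minute bound in the rule to expire an alert from the stream once nothing can still match it, which is what keeps the entry point's memory bounded on a busy sensor. Run with the drools-core, drools-compiler and knowledge-api jars of a 5.x release on the classpath.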