[rules-users] CEP Rule Help Needed

Nestor Tarin Burriel nestabur at gmail.com
Thu Jul 23 12:27:36 EDT 2009


In my case yes...

2009/7/23 Greg Barton <greg_barton at yahoo.com>

>
> So do you mean this didn't work:
>
> myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
>
> for (Fact a : Facts)
>      ksession.getWorkingMemoryEntryPoint(correlatorName).insert(a);
>
> ...but this did?
>
> myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
>
> for (Fact a : Facts)
>     myWorkingMemoryEP.insert(a);
>
>
> --- On Thu, 7/23/09, Nestor Tarin Burriel <nestabur at gmail.com> wrote:
>
> > From: Nestor Tarin Burriel <nestabur at gmail.com>
> > Subject: Re: [rules-users] CEP Rule Help Needed
> > To: "Rules Users List" <rules-users at lists.jboss.org>
> > Date: Thursday, July 23, 2009, 9:47 AM
> > Finally I've solved my problem. It was in the engine:
> >
> > Looking at the doc, for inserting a new fact into a stream of
> > the working memory it says:
> >
> >  ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert();
> >
> > Which is perfect, but not for my environment ;). I was
> > inserting the events in different WMs because in each one I did
> > ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert(myFact);
> > so I solved it by doing:
> >
> > myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
> >
> > for (Fact a : Facts)
> >      myWorkingMemoryEP.insert(a);
> >
> > I don't know if this is the correct use of EntryPoints but it
> > works!
> >
> > Thanks to everybody especially Greg and Priya :)
> >
> > 2009/7/23 PriyaKathan <nash.8103 at gmail.com>
> >
> > Hi
> >
> > Find attached a working example for a CEP rule with the
> > scenario you stated. Here I used a Pseudo
> > clock. Hope this would help you to understand
> > better.
> > Regards,
> >
> > Priya
> >
> > 2009/7/23 Nestor Tarin Burriel
> > <nestabur at gmail.com>
> >
> >
> > Hi again Greg,
> >
> > I've tried your suggestion and it seems like the facts
> > that the rule is checking are the same.
> >
> > This is my last try:
> >
> > rule "SnortRuleRetract"
> >     dialect "mvel"
> >     when
> >         $s1 : Snort( sig_name != "(portscan) Open Port")
> >         $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id)
> >     then
> >         retract($s2);
> >         System.out.println(" ********* Deleting from WM");
> > end
> >
> > And it is never fired ...
> >
> > There are no more rules in the package, this is the only
> > one ... so I don't understand anything ... could the
> > error be in the engine? I don't retract any fact ... as you can
> > see in my code ...
> >
> >
> >
> >
> > NEStor
> >
> > 2009/7/23 Nestor Tarin Burriel
> > <nestabur at gmail.com>
> >
> >
> >
> > Yes, that is the purpose ;)
> >
> > I will try ;)
> >
> > Thanks 4 your help
> >
> > 2009/7/22 Greg Barton <greg_barton at yahoo.com>
> >
> >
> >
> >
> >
> >
> > Ah, overlooked that second rule.  Have you tried the
> > overlap operator?
> >
> > So, just to clarify, the purpose of the two rules should
> > be:
> >
> > SnortRule: If two Snort events that are not port scans of
> > an open port on the same destination arrive more than 5
> > minutes apart, delete the earlier one.
> >
> > SnortRuleRetract: If two Snort events that are not port
> > scans of an open port on any two destinations arrive within
> > 5 minutes of each other, delete the earlier one.
> >
> > Have you tried removing the temporal operators completely,
> > just for testing purposes?  What happens?  i.e.
> >
> > "TimelessSnortRule"
> >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
> >         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst) from entry-point "Correlator"
> >
> > "TimelessSnortRuleRetract"
> >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
> >         $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id) from entry-point "Correlator"
> >
> > --- On Wed, 7/22/09, Nestor Tarin Burriel <nestabur at gmail.com>
> > wrote:
> >
> > > From: Nestor Tarin Burriel <nestabur at gmail.com>
> > > Subject: Re: [rules-users] CEP Rule Help Needed
> > > To: "Rules Users List" <rules-users at lists.jboss.org>
> > > Date: Wednesday, July 22, 2009, 1:47 PM
> > > Thanks Greg,
> > >
> > > As you can see in the code I sent, I have the 2
> > > implementations:
> > >
> > > "SnortRule"
> > >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
> > >         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
> > >
> > > "SnortRuleRetract"
> > >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
> > >         $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"
> > >
> > > and any of them are thrown
> > >
> > > ...
> > >
> >
> > > 2009/7/22 Greg Barton <greg_barton at yahoo.com>
> >
> > > Maybe this is a problem of language.  Here's what you
> > > say the rule should do:
> > >
> > > 'After receiving a fact "MyModel" which name
> > > != "aaa", if another arrives
> > > with same ip and different id after a
> > > period between 0 and 5 minutes the
> > > rule has to retract the last one and keep the first
> > > fact (the older one)'
> > >
> > > Which I would interpret as "Event 1 comes in, then
> > > event 2 comes in between 0 and 5 minutes later."  Does
> > > that sound right?
> > >
> > > And here's the rule that you think fits the
> > > requirements:
> > >
> > > rule "SnortRule"
> > >     salience 2
> > >     dialect "mvel"
> > >     when
> > >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
> > >         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
> > >     then
> > >         System.out.println("****************** Snort Alert!!!!" + $s1.getData());
> > >         retract($s1);
> > > end
> > >
> > > Check out the docs, though:
> > >
> > > https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
> > >
> > > The after operator in this case would check that (5m <=
> > > $s2.startTimestamp - $s1.endTimeStamp <= +infinity).
> > >
> > > So the rule actually implements "Event 1 comes in,
> > > then event 2 happens at least 5 minutes later."
> > >
> > > If you use the second argument of after I think it would
> > > work:
> > >
> > > $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1) from entry-point "Correlator"
> > >
> > > According to the docs this should check that (0m <=
> > > $s2.startTimestamp - $s1.endTimeStamp <= 5m).
> > >
> > > You could alternately use "overlaps".  Place an
> > > @duration(5m) annotation on the Snort declaration and try
> > > this condition:
> > >
> > > $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1) from entry-point "Correlator"
> > >
> > > _______________________________________________
> > > rules-users mailing list
> > > rules-users at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/rules-users
> >
> > --
> > Regards,
> > PriyaKathan
>
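A small Python simulation of the `after [lo,hi]` semantics Greg describes, applied to the SnortRule constraints from this thread (same ip_dst, different id, signature not "(portscan) Open Port"). This is an added example, not code from the thread or from Drools; the Snort dataclass, the sample alerts and the window constants are constructed for illustration, and point events are assumed (start timestamp == end timestamp).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

PORTSCAN = "(portscan) Open Port"   # signature the thread's rules exclude
ZERO = timedelta(0)
FIVE_MIN = timedelta(minutes=5)


@dataclass(frozen=True)
class Snort:
    """Constructed stand-in for the thread's Snort fact (point event)."""
    id: int
    sig_name: str
    ip_dst: str
    ts: datetime


def after(s2, s1, lo, hi=None):
    """Drools Fusion `$s2 after [lo, hi] $s1`: lo <= s2.start - s1.end <= hi.
    The one-argument form `after [5m]` has hi = +infinity (hi=None here)."""
    gap = s2.ts - s1.ts
    return gap >= lo and (hi is None or gap <= hi)


def snort_rule_pairs(events, lo, hi=None):
    """All ($s1.id, $s2.id) joins satisfying the SnortRule pattern for the window:
    both non-portscan, different id, same ip_dst, $s2 after [lo,hi] $s1."""
    return sorted(
        (s1.id, s2.id)
        for s1 in events for s2 in events
        if s1.sig_name != PORTSCAN and s2.sig_name != PORTSCAN
        and s2.id != s1.id and s2.ip_dst == s1.ip_dst and after(s2, s1, lo, hi))


def dedupe_within_window(events, window=FIVE_MIN):
    """The behaviour Nestor described: keep the oldest alert per ip_dst and
    retract a later non-portscan alert that arrives within `window` of a kept one."""
    kept, retracted = [], []
    for e in sorted(events, key=lambda x: x.ts):
        dup = e.sig_name != PORTSCAN and any(
            k.sig_name != PORTSCAN and k.ip_dst == e.ip_dst and after(e, k, ZERO, window)
            for k in kept)
        (retracted if dup else kept).append(e)
    return [k.id for k in kept], [r.id for r in retracted]


T0 = datetime(2009, 7, 23, 12, 0)   # constructed sample alerts, not real data
EVENTS = [
    Snort(1, "ET SCAN Nmap", "10.0.0.5", T0),
    Snort(2, "ET SCAN Nmap", "10.0.0.5", T0 + timedelta(minutes=2)),
    Snort(3, PORTSCAN, "10.0.0.5", T0 + timedelta(minutes=3)),
    Snort(4, "ET SCAN Nmap", "10.0.0.9", T0 + timedelta(minutes=4)),
    Snort(5, "ET SCAN Nmap", "10.0.0.5", T0 + timedelta(minutes=9)),
]
```

With these alerts `snort_rule_pairs(EVENTS, FIVE_MIN)` (the `after [5m]` form) only pairs event 5 with the earlier ones, while `snort_rule_pairs(EVENTS, ZERO, FIVE_MIN)` (the `after [0m,5m]` form) pairs events 1 and 2, which is the match Nestor was waiting for.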