[rules-users] CEP Rule Help Needed

Nestor Tarin Burriel nestabur at gmail.com
Fri Jul 24 05:21:37 EDT 2009


Hi all again,

At the end I have my rules firing as expected :)

I had to add the expires() attribute at the model, otherwise my facts were
immediately retracted by the engine.

Thanks to all ;)

NEStor

2009/7/23 Nestor Tarin Burriel <nestabur at gmail.com>

> In my case yes...
>
> 2009/7/23 Greg Barton <greg_barton at yahoo.com>
>
>
>> So do you mean this didn't work:
>>
>> myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
>>
>> for (Fact a : Facts)
>>      ksession.getWorkingMemoryEntryPoint(correlatorName).insert(a);
>>
>> ...but this did?
>>
>> myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
>>
>> for (Fact a : Facts)
>>     myWorkingMemoryEP.insert(a);
>>
>>
>> --- On Thu, 7/23/09, Nestor Tarin Burriel <nestabur at gmail.com> wrote:
>>
>> > From: Nestor Tarin Burriel <nestabur at gmail.com>
>> > Subject: Re: [rules-users] CEP Rule Help Needed
>> > To: "Rules Users List" <rules-users at lists.jboss.org>
>> > Date: Thursday, July 23, 2009, 9:47 AM
>> > Finally I've solved my problem. It was in the engine:
>> >
>> > Looking at the doc, for inserting a new fact into a stream of the working
>> > memory it says:
>> >
>> >  ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert();
>> >
>> > Which is perfect but not for my environment ;), I was inserting the events
>> > in different WMs because in each one I did
>> > ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert(myFact);
>> > so I solved it doing:
>> >
>> > myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
>> >
>> > for (Fact a : Facts)
>> >      myWorkingMemoryEP.insert(a);
>> >
>> > I don't know if this is the correct use of EntryPoints but it works!
>> >
>> > Thanks to everybody especially Greg and Priya :)
>> >
>> > 2009/7/23 PriyaKathan <nash.8103 at gmail.com>
>> >
>> > Hi
>> >
>> > Find attached a working example for a CEP rule with the scenario you
>> > stated. Here I used the pseudo clock. Hope this would help you to
>> > understand better.
>> > Regards,
>> >
>> > Priya
>> >
>> > 2009/7/23 Nestor Tarin Burriel
>> > <nestabur at gmail.com>
>> >
>> >
>> > Hi again Greg,
>> >
>> > I've tried your suggestion and it seems like the facts that the rule is
>> > checking are the same.
>> >
>> > This is my last try:
>> >
>> > rule "SnortRuleRetract"
>> >     dialect "mvel"
>> >     when
>> >         $s1 : Snort( sig_name != "(portscan) Open Port")
>> >         $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id)
>> >     then
>> >         retract($s2);
>> >         System.out.println(" ********* Deleting from WM");
>> > end
>> >
>> > And it is never fired ...
>> >
>> > There are no more rules in the package, this is the only one ... so I don't
>> > understand anything ... could the error be in the engine? I don't retract
>> > any fact ... as you can see in my code ...
>> >
>> > NEStor
>> >
>> > 2009/7/23 Nestor Tarin Burriel <nestabur at gmail.com>
>> >
>> > Yes, that is the purpose ;)
>> >
>> > I will try ;)
>> >
>> > Thanks 4 your help
>> >
>> > 2009/7/22 Greg Barton <greg_barton at yahoo.com>
>> >
>> > Ah, overlooked that second rule.  Have you tried the overlap operator?
>> >
>> > So, just to clarify, the purpose of the two rules should be:
>> >
>> > SnortRule: If two Snort events that are not port scans of an open port on
>> > the same destination arrive more than 5 minutes apart, delete the earlier
>> > one.
>> >
>> > SnortRuleRetract: If two Snort events that are not port scans of an open
>> > port on any two destinations arrive within 5 minutes of each other, delete
>> > the earlier one.
>> >
>> > Have you tried removing the temporal operators completely, just for testing
>> > purposes?  What happens?  i.e.
>> >
>> > "TimelessSnortRule"
>> >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>> >         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst) from entry-point "Correlator"
>> >
>> > "TimelessSnortRuleRetract"
>> >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>> >         $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id) from entry-point "Correlator"
>> >
>> > --- On Wed, 7/22/09, Nestor Tarin Burriel <nestabur at gmail.com>
>> > wrote:
>> >
>> >
>> >
>> > > From: Nestor Tarin Burriel <nestabur at gmail.com>
>> > > Subject: Re: [rules-users] CEP Rule Help Needed
>> > > To: "Rules Users List" <rules-users at lists.jboss.org>
>> > > Date: Wednesday, July 22, 2009, 1:47 PM
>> > > Thanks Greg,
>> > >
>> > > As you can see in the code I sent, I have the 2 implementations:
>> > >
>> > > "SnortRule"
>> > >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>> > >         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
>> > >
>> > > "SnortRuleRetract"
>> > >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>> > >         $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"
>> > >
>> > > and none of them are thrown
>> > >
>> > > ...
>> > >
>> > > 2009/7/22 Greg Barton <greg_barton at yahoo.com>
>> >
>> > >
>> >
>> > >
>> >
>> > >
>> >
>> > > Maybe this is a problem of language.  Here's what you say the rule should
>> > > do:
>> > >
>> > > 'After receiving a fact "MyModel" which name != "aaa", if arrives another
>> > > with same ip and different id after a period between 0 and 5 minutes the
>> > > rule has to retract the last one and keep the first fact (the older one)'
>> > >
>> > > Which I would interpret as "Event 1 comes in, then event 2 comes in
>> > > between 0 and 5 minutes later."  Does that sound right?
>> > >
>> > > And here's the rule that you think fits the requirements:
>> > >
>> > > rule "SnortRule"
>> > >     salience 2
>> > >     dialect "mvel"
>> > >     when
>> > >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>> > >         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
>> > >     then
>> > >         System.out.println("****************** Snort Alert!!!!" + $s1.getData());
>> > >         retract($s1);
>> > > end
>> > >
>> > > Check out the docs, though:
>> > >
>> > > https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
>> > >
>> > > The after operator in this case would check that (5m <= $s2.startTimestamp
>> > > - $s1.endTimeStamp <= +infinity).
>> > >
>> > > So the rule actually implements "Event 1 comes in, then event 2 happens at
>> > > least 5 minutes later."
>> > >
>> > > If you use the second argument of after I think it would work:
>> > >
>> > > $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1) from entry-point "Correlator"
>> > >
>> > > According to the docs this should check that (0m <= $s2.startTimestamp -
>> > > $s1.endTimeStamp <= 5m).
>> > >
>> > > You could alternately use "overlaps".  Place an @duration(5m) annotation on
>> > > the Snort declaration and try this condition:
>> > >
>> > > $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1) from entry-point "Correlator"
>> > >
>> > > _______________________________________________
>> > > rules-users mailing list
>> > > rules-users at lists.jboss.org
>> > > https://lists.jboss.org/mailman/listinfo/rules-users
>> >
>> > --
>> > Regards,
>> > PriyaKathan
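An added example, not code from this thread or its attachment: a Drools 5-style harness (package and method names assumed from the 5.0-era org.drools API; Snort fields taken from the rules above; sample events constructed) that declares Snort as an event with @expires, inserts through one entry-point handle, and drives the pseudo clock so that after[0m,5m] retracts only the duplicate that falls inside the window.

```java
import java.util.concurrent.TimeUnit;
import org.drools.*;
import org.drools.builder.*;
import org.drools.conf.EventProcessingOption;
import org.drools.definition.type.FactType;
import org.drools.io.ResourceFactory;
import org.drools.runtime.*;
import org.drools.runtime.conf.ClockTypeOption;
import org.drools.runtime.rule.WorkingMemoryEntryPoint;
import org.drools.time.SessionPseudoClock;
public class SnortWindowDemo {
    // Snort is an event with an explicit @expires; the rule keeps the older event and retracts a later one from the same ip_dst within 5 minutes.
    static final String DRL =
        "package demo\n"
      + "declare Snort @role(event) @expires(10m)\n    id : int\n    sig_name : String\n    ip_dst : String\nend\n"
      + "rule \"SnortRuleRetract\"\nwhen\n"
      + "    $s1 : Snort( sig_name != \"(portscan) Open Port\" ) from entry-point \"Correlator\"\n"
      + "    $s2 : Snort( sig_name != \"(portscan) Open Port\", id != $s1.id, ip_dst == $s1.ip_dst,\n"
      + "                 this after[0m,5m] $s1 ) from entry-point \"Correlator\"\n"
      + "then\n    retract($s2);\nend\n";
    // Advance the pseudo clock, insert one constructed Snort event through the entry point, fire rules.
    static void feed(StatefulKnowledgeSession ks, WorkingMemoryEntryPoint ep, FactType t, SessionPseudoClock clock, long minutesLater, int id) throws Exception {
        clock.advanceTime(minutesLater, TimeUnit.MINUTES);
        Object o = t.newInstance();
        t.set(o, "id", id); t.set(o, "sig_name", "ET SCAN Nmap"); t.set(o, "ip_dst", "10.0.0.5");
        ep.insert(o);
        ks.fireAllRules();
    }
    public static void main(String[] args) throws Exception {
        KnowledgeBuilder kb = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kb.add(ResourceFactory.newByteArrayResource(DRL.getBytes("UTF-8")), ResourceType.DRL);
        if (kb.hasErrors()) throw new IllegalStateException(kb.getErrors().toString());
        KnowledgeBaseConfiguration kbc = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
        kbc.setOption(EventProcessingOption.STREAM);   // temporal operators and @expires need STREAM mode
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(kbc);
        kbase.addKnowledgePackages(kb.getKnowledgePackages());
        KnowledgeSessionConfiguration ksc = KnowledgeBaseFactory.newKnowledgeSessionConfiguration();
        ksc.setOption(ClockTypeOption.get("pseudo"));  // deterministic clock, as in Priya's attachment
        StatefulKnowledgeSession ks = kbase.newStatefulKnowledgeSession(ksc, null);
        SessionPseudoClock clock = ks.getSessionClock();
        WorkingMemoryEntryPoint ep = ks.getWorkingMemoryEntryPoint("Correlator"); // one handle, reused
        FactType t = kbase.getFactType("demo", "Snort");
        feed(ks, ep, t, clock, 0, 1);
        feed(ks, ep, t, clock, 2, 2);   // 2m after #1: inside [0m,5m], so the rule retracts #2
        feed(ks, ep, t, clock, 6, 3);   // 8m after #1: outside the window, #3 stays
        System.out.println("events left in Correlator: " + ep.getObjects().size());
        ks.dispose();
    }
}
```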