[rules-users] Implementation of my use case - what am I doing wrong?
Elran Dvir
elrand at checkpoint.com
Tue Sep 17 04:59:13 EDT 2013
Thanks for the quick response.
I have some more questions:
1. As I understand it, the timestamp attribute should be long type representing the milliseconds since January 1, 1970, 00:00:00 GMT. Am I right?
2. As I understand it, the duration attribute should be in milliseconds. I fixed it accordingly. Am I right?
3. When I replaced "(this meets $ce || this during $ce || this metby $ce)" with "$ce.startTimestamp <= startTimestamp , endTimestamp <= $ce.endTimestamp"
I got the following drools compile exceptions:
Unable to Analyse Expression $ce.startTimestamp:
[Error: unable to resolve method using strict-mode: com.checkpoint.correlation.impl.drools.CorrelatedEvent.startTimestamp()]
[Near : {... $ce.startTimestamp ....}]
^
[Line: 61, Column: 28] : [Rule name='Create Port Scan Event - update']
Unable to Analyse Expression $ce.startTimestamp <= startTimestamp:
[Error: unable to resolve method using strict-mode: com.checkpoint.correlation.impl.drools.CorrelatedEvent.startTimestamp()]
[Near : {... $ce.startTimestamp <= startTimesta ....}]
^
[Line: 61, Column: 28] : [Rule name='Create Port Scan Event - update']
Unable to Analyse Expression endTimestamp <= $ce.endTimestamp:
[Error: unable to resolve method using strict-mode: com.checkpoint.correlation.impl.drools.CpLog.endTimestamp()]
[Near : {... endTimestamp <= $ce.endTimesta ....}]
^
[Line: 61, Column: 28] : [Rule name='Create Port Scan Event - update']
Unable to Analyse Expression $ce.startTimestamp:
[Error: unable to resolve method using strict-mode: com.checkpoint.correlation.impl.drools.CorrelatedEvent.startTimestamp()]
[Near : {... $ce.startTimestamp ....}]
Why?
4. I tested my working implementation of the temporal relation in rule "Create Port Scan Event - update" ("this after $ce.getStartTime() , this before $ce.getEndTime()").
I inserted a connection log and fired the rules every second. I have 25 logs with the same "src" and "dst", but each has a different (serial) "port" and "marker".
I print the rule fired and the port set of the logs triggering it.
I got this behavior: for the second and third "rounds" (after 10 seconds and 20 seconds), the first rule processes logs already processed by the second rule.
Output example:
rule fired: Create Port Scan Event - update
portSet: [10, 7, 6, 5, 4, 9, 8, 11, 12]
rule fired: Create Port Scan Event
portSet: [13, 11, 12]
I understand this behavior, so I changed the order of conditions in the LHS of the first rule ("not CorrelatedEvent..." to be the second):
$log : CpLog() //get all the logs in the last 5 seconds
not CorrelatedEvent(getName() == "portScan" , fieldsMap.get("src") == $log.fieldsMap.get("src") , fieldsMap.get("dst") == $log.fieldsMap.get("dst"))
accumulate( CpLog( this after[0s,5s] $log, fieldsMap.get("src") == $log.fieldsMap.get("src") , fieldsMap.get("dst") == $log.fieldsMap.get("dst"), $port : fieldsMap.get("port"));
$portSet : collectSet($port);
$portSet.size > 2 )
accumulate( CpLog( this after[0s,5s] $log, fieldsMap.get("src") == $log.fieldsMap.get("src") , fieldsMap.get("dst") == $log.fieldsMap.get("dst"), $marker : fieldsMap.get("marker"));
$markerSet : collectSet($marker))
But then I get the following output for the first 4 logs:
rule fired: Create Port Scan Event
portSet: []
rule fired: Create Port Scan Event - update
portSet: [13, 11, 12]
Why is that? Where did the first 3 events disappear? How can "portSet" be empty with the condition $portSet.size > 2?
Thanks a lot.
-----Original Message-----
From: rules-users-bounces at lists.jboss.org [mailto:rules-users-bounces at lists.jboss.org] On Behalf Of Wolfgang Laun
Sent: Sunday, September 15, 2013 8:08 PM
To: Rules Users List
Subject: Re: [rules-users] Implementation of my use case - what am I doing wrong?
On 15/09/2013, Elran Dvir <elrand at checkpoint.com> wrote:
> my questions:
>
> 1) If I have only one stream of data , can I omit the use of entry
> point and insert logs to the session ? Or the use of entry points is
> mandatory in Drools Fusion?
Yes. No. An entry point is just an additional attribute added "on the fly", where you don't have a source identification in the pojo.
>
> 2) When I tested it with matching data, rule "Create Port Scan Event -
> update" was never fired. When I replaced "(this meets $ce || this
> during $ce
> || this metby $ce)" with "this after $ce.getStartTime() , this before
> $ce.getEndTime()" everything worked fine.
> Why?
Just take the constraints and replace the temporal operator by its definition in the "Fusion" manual and use a little elementary math:
A meets B || A during B || A metby B
becomes
abs( B.startTimestamp - A.endTimestamp ) == 0 ||
B.startTimestamp < A.startTimestamp && A.endTimestamp < B.endTimestamp ||
abs( A.startTimestamp - B.endTimestamp ) == 0
becomes
...
>
> 3) I tried to use sliding windows in rule "Create Port Scan Event" and
> an exception was thrown at runtime. I decided to use "this
> after[0s,5s] $log" instead. Is it correct?
A sliding window is not the same as the temporal relation of two events. If the rule does what it ought to, I'd say, yes, it is correct.
>
> 4) Is my basic Implementation correct?
A bit much to ask, don't you think?
-W
_______________________________________________
rules-users mailing list
rules-users at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
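Added worked example (not code from the thread, from Check Point or from Drools): a Python rendering of the operator definitions Wolfgang quotes from the Fusion manual, plus the [0s,5s] accumulate from Elran's rule, so the "elementary math" can be checked on constructed events. The Event class, the after(lo, hi) helper, port_scan_candidates and the sample timestamps are assumptions; in particular it shows that when $ce carries no duration (a point event) the meets/during/metby disjunction collapses to exact-millisecond equality.

```python
from dataclasses import dataclass, field

S = 1000  # Fusion @timestamp and @duration are milliseconds, so 1 s == 1000

@dataclass
class Event:
    """Stand-in for a Fusion event: start timestamp plus optional duration, both in ms."""
    start: int
    duration: int = 0                     # 0 ms makes this a point event
    fields: dict = field(default_factory=dict)

    @property
    def end(self) -> int:
        return self.start + self.duration

# Operator definitions as quoted in the thread from the Fusion manual (A = this, B = $ce).
def meets(a: Event, b: Event) -> bool:
    return abs(b.start - a.end) == 0

def during(a: Event, b: Event) -> bool:
    return b.start < a.start and a.end < b.end

def metby(a: Event, b: Event) -> bool:
    return abs(a.start - b.end) == 0

def meets_during_metby(a: Event, b: Event) -> bool:
    return meets(a, b) or during(a, b) or metby(a, b)

def after(a: Event, b: Event, lo: int, hi: int) -> bool:
    """A after[lo,hi] B: lo <= A.start - B.end <= hi (the parameterised form used in the rule)."""
    return lo <= a.start - b.end <= hi

def port_scan_candidates(logs: list) -> dict:
    """Hypothetical Python rendering of the accumulate: for each anchor log, collect the ports
    of same-src/dst logs that start within [0s,5s] after it; keep anchors with > 2 distinct ports."""
    hits = {}
    for anchor in logs:
        ports = {l.fields["port"] for l in logs
                 if after(l, anchor, 0, 5 * S)
                 and l.fields["src"] == anchor.fields["src"]
                 and l.fields["dst"] == anchor.fields["dst"]}
        if len(ports) > 2:
            hits[anchor.start] = ports
    return hits

T0 = 1_379_400_000_000  # constructed epoch-ms base, not a value from the thread
SAMPLE_LOGS = [Event(T0 + i * S, fields={"src": "10.0.0.1", "dst": "10.0.0.2", "port": 20 + i})
               for i in range(4)] + [Event(T0, fields={"src": "10.0.0.1", "dst": "10.0.0.3", "port": 99})]
```

With ce = Event(T0, 10 * S) a log at T0 + 3 s satisfies during(); with ce = Event(T0) (no duration) the same log matches none of the three operators, while port_scan_candidates(SAMPLE_LOGS) reports the anchors at T0 and T0 + 1 s.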