[rules-users] Implementation of my use case - what am I doing wrong?

Wolfgang Laun wolfgang.laun at gmail.com
Tue Sep 17 07:08:04 EDT 2013


On 17/09/2013, Elran Dvir <elrand at checkpoint.com> wrote:
> Thanks for the quick response.
>
> I have some more questions:
>
> 	1. As I understand it, the timestamp attribute should be long type
> representing the milliseconds since January 1, 1970, 00:00:00 GMT. Am I
> right?

Not necessarily. The interpretation of this long value is up to you -
it could mean days since the foundation of Rome (753 BC).

> 	2. As I understand it, the duration attribute should be in milliseconds. I
> fixed it accordingly. Am I right?

Use the same unit as the timestamp.

> 	3. When I replaced "(this meets $ce || this during $ce || this metby $ce)"
> with "$ce.startTimestamp <= startTimestamp , endTimestamp <=
> $ce.endTimestamp"
> 	    I got the following drools compile exceptions:
>
> 		Unable to Analyse Expression $ce.startTimestamp:
> 		[Error: unable to resolve method using strict-mode:
> com.checkpoint.correlation.impl.drools.CorrelatedEvent.startTimestamp()]
> 		[Near : {... $ce.startTimestamp ....}]
>                  	^
> 		[Line: 61, Column: 28] : [Rule name='Create Port Scan Event - update']
>
> 		Unable to Analyse Expression $ce.startTimestamp <= startTimestamp:
> 		[Error: unable to resolve method using strict-mode:
> com.checkpoint.correlation.impl.drools.CorrelatedEvent.startTimestamp()]
> 		[Near : {... $ce.startTimestamp <= startTimesta ....}]
>                  	^
> 		[Line: 61, Column: 28] : [Rule name='Create Port Scan Event - update']
>
> 		Unable to Analyse Expression endTimestamp <= $ce.endTimestamp:
> 		[Error: unable to resolve method using strict-mode:
> com.checkpoint.correlation.impl.drools.CpLog.endTimestamp()]
> 		[Near : {... endTimestamp <= $ce.endTimesta ....}]
>              		^
> 		[Line: 61, Column: 28] : [Rule name='Create Port Scan Event - update']
>
> 		Unable to Analyse Expression $ce.startTimestamp:
> 		[Error: unable to resolve method using strict-mode:
> com.checkpoint.correlation.impl.drools.CorrelatedEvent.startTimestamp()]
> 		[Near : {... $ce.startTimestamp ....}]
>
> 	   Why?

Do you have fields startTimestamp and endTimestamp?

> 	4. I tested my working implementation of temporal relation in rule "Create
> Port Scan Event - update" ("this after $ce.getStartTime() , this before
> $ce.getEndTime()").
[snip]

>
> 	   Why is that? Where did the first 3 events disappear? How is "portSet"
> empty with the condition $portSet.size > 2?

Sorry, you've lost me here. I can't see what's going on from this
unorganized set of snippets - and please don't suppose that people
keep old mails or have the time to dig in the archives.

-W

>
> Thanks a lot.
>
> -----Original Message-----
> From: rules-users-bounces at lists.jboss.org
> [mailto:rules-users-bounces at lists.jboss.org] On Behalf Of Wolfgang Laun
> Sent: Sunday, September 15, 2013 8:08 PM
> To: Rules Users List
> Subject: Re: [rules-users] Implementation of my use case - what am I doing
> wrong?
>
> On 15/09/2013, Elran Dvir <elrand at checkpoint.com> wrote:
>
>> my questions:
>>
>> 1)      If I have only one stream of data, can I omit the use of entry
>> point and insert logs to the session? Or is the use of entry points
>> mandatory in Drools Fusion?
>
> Yes. No. An entry point is just an additional attribute added "on the fly",
> where you don't have a source identification in the pojo.
>
>>
>> 2)       When I tested it with matching data, rule "Create Port Scan Event
>> -
>> update" was never fired. When I replaced "(this meets $ce || this
>> during $ce
>> || this metby $ce)" with "this after $ce.getStartTime() , this before
>> $ce.getEndTime()" everything worked fine.
>> Why?
>
> Just take the constraints and replace the temporal operator by its
> definition in the "Fusion" manual and use a little elementary math:
>
>     A meets B || A during B || A metby B
> becomes
>    abs( B.startTimestamp - A.endTimestamp ) == 0 ||
>    B.startTimestamp < A.startTimestamp && A.endTimestamp < B.endTimestamp ||
>    abs( A.startTimestamp - B.endTimestamp ) == 0
> becomes
>   ...
>
>
>>
>> 3)      I tried to use sliding windows in  rule "Create Port Scan Event"
>> and
>> an exception was thrown at runtime. I decided to use "this
>> after[0s,5s] $log" instead. Is it correct?
>
> A sliding window is not the same as the temporal relation of two events. If
> the rule does what it ought to, I'd say, yes, it is correct.
>
>>
>> 4)      Is my basic Implementation correct?
>
> A bit much to ask, don't you think?
>
> -W
> _______________________________________________
> rules-users mailing list
> rules-users at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/rules-users
>
>
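The expansion sketched in the earlier reply (meets || during || metby rewritten as timestamp arithmetic per the Fusion manual's definitions) and the inclusive range the poster tried instead, side by side on constructed log/correlated-event pairs. This is an added illustration, not Drools code or anything from the thread; `Event`, `start` and `duration` are names assumed for the example, with all values in one common unit.

```python
# Added illustration of the temporal-operator arithmetic discussed in the
# thread; not Drools code. Timestamps and durations are plain integers in the
# same unit (as the reply recommends); all values below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    start: int      # assumed name for the timestamp attribute
    duration: int   # assumed name for the duration attribute

    @property
    def end(self) -> int:
        return self.start + self.duration


def meets(a: Event, b: Event) -> bool:
    """A meets B: A ends exactly where B starts (distance 0, as in the manual)."""
    return abs(b.start - a.end) == 0


def during(a: Event, b: Event) -> bool:
    """A during B: A lies strictly inside B (both inequalities strict)."""
    return b.start < a.start and a.end < b.end


def metby(a: Event, b: Event) -> bool:
    """A metby B: A starts exactly where B ends."""
    return abs(a.start - b.end) == 0


def meets_during_metby(a: Event, b: Event) -> bool:
    """The disjunction from the original 'Create Port Scan Event - update' rule."""
    return meets(a, b) or during(a, b) or metby(a, b)


def inclusive_range(a: Event, b: Event) -> bool:
    """The replacement the poster tried: b.start <= a.start and a.end <= b.end."""
    return b.start <= a.start and a.end <= b.end


def compare(log: Event, ce: Event) -> tuple:
    """Return (operator disjunction result, inclusive-range result) for one log."""
    return (meets_during_metby(log, ce), inclusive_range(log, ce))


if __name__ == "__main__":
    ce = Event(start=1000, duration=5000)  # correlated event covering [1000, 6000]
    # A log starting exactly at ce.start (or ending exactly at ce.end) is not
    # 'during' because the definition is strict, and it is neither 'meets' nor
    # 'metby', so the disjunction rejects it while the inclusive range accepts it.
    for log in (Event(1000, 2000), Event(2000, 1000), Event(4000, 2000), Event(6000, 500)):
        print(f"log [{log.start}, {log.end}] vs ce [{ce.start}, {ce.end}]:", compare(log, ce))
```

Running it shows that a log sharing a boundary with the correlated event matches the inclusive range but not the operator disjunction, while a log that only touches the event's end is accepted by `metby` alone.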

