[rules-users] Implementation of my use case - what am I doing wrong?

Elran Dvir elrand at checkpoint.com
Sun Sep 29 04:00:41 EDT 2013


Hi,

Thanks for the response.
I am not sure I fully understand your answer.
After all the rewriting of the rules, I decided to try "(this meets $ce || this during $ce || this metby $ce)" again.
Now the rule is fired, but an exception is thrown (not every time the rule is fired, just once, between the third and fourth event):

Exception in thread "Thread-1" java.lang.RuntimeException: java.lang.NoSuchMethodException: com.checkpoint.correlation.impl.drools.Log.meets0()
	at org.drools.rule.constraint.ConditionAnalyzer.analyzeNode(ConditionAnalyzer.java:239)
	at org.drools.rule.constraint.ConditionAnalyzer.analyzeSingleCondition(ConditionAnalyzer.java:133)
	at org.drools.rule.constraint.ConditionAnalyzer.analyzeCondition(ConditionAnalyzer.java:99)
	at org.drools.rule.constraint.ConditionAnalyzer.analyzeCombinedCondition(ConditionAnalyzer.java:140)
	at org.drools.rule.constraint.ConditionAnalyzer.analyzeCondition(ConditionAnalyzer.java:96)
	at org.drools.rule.constraint.ConditionAnalyzer.analyzeCombinedCondition(ConditionAnalyzer.java:140)
	at org.drools.rule.constraint.ConditionAnalyzer.analyzeCondition(ConditionAnalyzer.java:96)
	at org.drools.rule.constraint.ConditionAnalyzer.analyzeCombinedCondition(ConditionAnalyzer.java:141)
	at org.drools.rule.constraint.ConditionAnalyzer.analyzeCondition(ConditionAnalyzer.java:96)
	at org.drools.rule.constraint.ConditionAnalyzer.analyzeCombinedCondition(ConditionAnalyzer.java:141)
	at org.drools.rule.constraint.ConditionAnalyzer.analyzeCondition(ConditionAnalyzer.java:96)
	at org.drools.rule.constraint.ConditionAnalyzer.analyzeCombinedCondition(ConditionAnalyzer.java:141)
	at org.drools.rule.constraint.ConditionAnalyzer.analyzeCondition(ConditionAnalyzer.java:96)
	at org.drools.rule.constraint.ConditionAnalyzer.analyzeCondition(ConditionAnalyzer.java:70)
	at org.drools.rule.constraint.MvelConditionEvaluator.getAnalyzedCondition(MvelConditionEvaluator.java:83)
	at org.drools.rule.constraint.MvelConstraint.executeJitting(MvelConstraint.java:270)
	at org.drools.rule.constraint.MvelConstraint.access$200(MvelConstraint.java:51)
	at org.drools.rule.constraint.MvelConstraint$ConditionJitter.run(MvelConstraint.java:250)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
	at java.lang.Thread.run(Thread.java:722)
Caused by: java.lang.NoSuchMethodException: com.checkpoint.correlation.impl.drools.Log.meets0()
	at java.lang.Class.getMethod(Class.java:1622)
	at org.drools.rule.constraint.ConditionAnalyzer.analyzeNode(ConditionAnalyzer.java:230)
	... 20 more

The complete latest drl file follows.
Duration for Log is 0, duration for CorrelatedEvent is 10s.

Did you have a chance to look at my (original) fourth question? This is the issue that bothers me the most.
If necessary, I'll write everything again.

Thanks a lot. 

This is my drl file:
----------------------------------------------------------------------------------------------------
package test;

import correlation.impl.drools.Log
import correlation.impl.drools.CorrelatedEvent

global correlation.server.EventsHandler externalEventsHandler;

declare Log
    @role( event )
end

declare CorrelatedEvent
    //@propertyReactive
    @role( event )
    @timestamp( getTimestamp() )
    @expires( 10s )
    @duration( getDuration() )
end

// this rule will create a "Port Scan" event if none exist for this group-by values
rule "Create Port Scan Event"
dialect "java"    // dialect can be either mvel or java for the RHS (only the java dialect supports generic containers)
no-loop           // this means: do not re-evaluate rules if the events were altered in memory
when
    $log : Log()
    accumulate( Log( this after[0s,5s] $log,
                     fieldsMap.get("src") == $log.fieldsMap.get("src"),
                     fieldsMap.get("dst") == $log.fieldsMap.get("dst"),
                     $port : fieldsMap.get("port") );
                $portSet : collectSet($port);
                $portSet.size > 2 )
    accumulate( Log( this after[0s,5s] $log,
                     fieldsMap.get("src") == $log.fieldsMap.get("src"),
                     fieldsMap.get("dst") == $log.fieldsMap.get("dst"),
                     $portSet.contains(fieldsMap.get("port")),
                     $marker : fieldsMap.get("marker") );
                $markerSet : collectSet($marker) )
    not CorrelatedEvent( getName() == "portScan",
                         fieldsMap.get("src") == $log.fieldsMap.get("src"),
                         fieldsMap.get("dst") == $log.fieldsMap.get("dst") )
then
    CorrelatedEvent $ce = new CorrelatedEvent();
    $ce.setName("portScan");
    $ce.setEventsHandler(externalEventsHandler);
    $ce.setDurationInSec(10);
    $ce.fieldsMap.put("src", $log.fieldsMap.get("src"));
    $ce.fieldsMap.put("dst", $log.fieldsMap.get("dst"));
    $ce.endUpdate($markerSet, $portSet);

    insert($ce);
end

rule "Create Port Scan Event - update"
dialect "java"
no-loop
when
    $ce : CorrelatedEvent( getName() == "portScan", $portSet : getUniqueSet() )
    $log : Log( fieldsMap.get("src") == $ce.fieldsMap.get("src"),
                fieldsMap.get("dst") == $ce.fieldsMap.get("dst"),
                !$portSet.contains(fieldsMap.get("port")),
                (this meets $ce || this during $ce || this metby $ce) )
then
    modify( $ce ) { endUpdate($log.fieldsMap.get("marker").toString(), $log.fieldsMap.get("port")) }
end
------------------------------------------------------------------------------------------------------------------------------------ 

-----Original Message-----
From: rules-users-bounces at lists.jboss.org [mailto:rules-users-bounces at lists.jboss.org] On Behalf Of Wolfgang Laun
Sent: Sunday, September 22, 2013 7:06 PM
To: Rules Users List
Subject: Re: [rules-users] Implementation of my use case - what am I doing wrong?

On 22/09/2013, Elran Dvir <elrand at checkpoint.com> wrote:
> Thanks for the response.
>
>>Computationally,  during the evaluation of the temporal operators.
>>Why would you want to do this? (My advice to replace the temporal 
>>operators  by the equivalent expressions was meant as a debugging aid, 
>>to show you  where the problem with this constraint is.)
> So if changing the condition to use startTimeStamp and endTimestamp 
> caused a compilation error, How can I debug my problem? What is the 
> equivalent of "(this meets $ce || this during $ce || this metby $ce)" 
> without my own startTimeStamp and endTimestamp fields?
>

So I'm quoting my reply from an earlier mail <quote>
> Elran Dvir <elrand at checkpoint.com> wrote:
>
> 2)       When I tested it with matching data, rule "Create Port Scan Event -
> update" was never fired. When I replaced "(this meets $ce || this 
> during $ce
> || this metby $ce)" with "this after $ce.getStartTime() , this before
> $ce.getEndTime()" everything worked fine.
> Why?

Just take the constraints and replace the temporal operator by its definition in the "Fusion" manual and use a little elementary math:

    A meets B || A during B || A metby B
becomes
    abs( B.startTimestamp - A.endTimestamp ) == 0 ||
    B.startTimestamp < A.startTimestamp && A.endTimestamp < B.endTimestamp ||
    abs( A.startTimestamp - B.endTimestamp ) == 0
becomes
    ...
</quote>

Did you overlook the "use a little elementary math"? You'll have to provide the values for start and, given the duration (zero, presumably), the end time. If B has a duration of 0, there's no way the second term can ever be true. And if A has a duration of 0 too, A and B must have the same timestamp in order for the other terms to be true.

Note that "debugging" was meant to be done offline ;-)

>> - Why do you use this complex declare?
>>   @timestamp( timestamp ) @duration( duration )
>>   is sufficient.
>
> I want to protect the fields from being set outside their designated
> functions. I simplified it a bit in my correction.

I don't know of any danger of your fields being set outside their designated functions by simply writing the field name between the parentheses.

-W
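The offline check Wolfgang suggests, worked through as an added example (Python written for this page, not code from the thread or from Drools): the Fusion definitions of meets, during and metby evaluated for a Log of duration 0 against a CorrelatedEvent of duration 10s, and again with both durations 0. The names Event, start and duration are assumptions, and Fusion's default temporal threshold of 0 is used.

```python
from dataclasses import dataclass

# Added example: Drools Fusion temporal operators rewritten as the interval
# arithmetic from the Fusion manual, so the constraint can be checked offline.
# Times are plain integers (seconds here); an event with duration 0 is a point.

@dataclass(frozen=True)
class Event:
    start: int      # what @timestamp yields
    duration: int   # what @duration yields (0 for a point event such as Log)

    @property
    def end(self) -> int:
        return self.start + self.duration


def meets(a: Event, b: Event) -> bool:
    """A meets B: A ends exactly when B starts (threshold 0)."""
    return abs(b.start - a.end) == 0


def during(a: Event, b: Event) -> bool:
    """A during B: A lies strictly inside B on both ends."""
    return b.start < a.start and a.end < b.end


def metby(a: Event, b: Event) -> bool:
    """A metby B: A starts exactly when B ends (threshold 0)."""
    return abs(a.start - b.end) == 0


def update_rule_constraint(log: Event, ce: Event) -> bool:
    """Temporal part of rule 'Create Port Scan Event - update', with this = Log."""
    return meets(log, ce) or during(log, ce) or metby(log, ce)


def matching_offsets(ce_duration: int, log_duration: int, horizon: int) -> list:
    """Offsets from the CorrelatedEvent start at which a Log satisfies the constraint."""
    ce = Event(start=0, duration=ce_duration)
    return [t for t in range(horizon + 1)
            if update_rule_constraint(Event(t, log_duration), ce)]


if __name__ == "__main__":
    # Durations from the thread: Log 0, CorrelatedEvent 10s -> offsets 0..10 match
    print(matching_offsets(10, 0, 15))
    # Both durations 0 -> only a Log with exactly the CE timestamp can match
    print(matching_offsets(0, 0, 15))
```

The second run reproduces Wolfgang's point: with both durations 0 the `during` term can never hold and the other two only when the timestamps coincide.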