Finally I've solved my problem. It was in the engine:<br><br>Looking at the doc, for inserting a new fact into a stream of the working memory it says:<br><br> ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert();<br>
<br>Which is perfect but not for my environment ;). I was inserting the events into different WMs because in each one I did ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert(myFact); so I solved it by doing:<br>
<br>myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);<br><br>for (Fact a : Facts)<br> myWorkingMemoryEP.insert(a);<br><br>I don't know if this is the correct use of EntryPoints but it works!<br><br>
Thanks to everybody especially Greg and Priya :)<br><br><div class="gmail_quote">2009/7/23 PriyaKathan <span dir="ltr"><<a href="mailto:nash.8103@gmail.com">nash.8103@gmail.com</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi<br><br><div>Find attached a working example for a CEP rule with the scenario you stated.</div><div>Here I used a pseudo clock.</div><div>Hope this helps you to understand better.</div><div><br></div><div>Regards,</div>
<div>
Priya</div><div><br></div><div><div><div></div><div class="h5"><br><div class="gmail_quote">2009/7/23 Nestor Tarin Burriel <span dir="ltr"><<a href="mailto:nestabur@gmail.com" target="_blank">nestabur@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi again Greg,<br><br>I've tried your suggestion and it seems like the facts that the rule is checking are the same.<br><br>This is my last try:<br><br>rule "SnortRuleRetract"<div><br> dialect "mvel"<br>
when<br> $s1 : Snort( sig_name != "(portscan) Open Port")<br></div> $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id)<br> then<br>
retract($s2);<br>
System.out.println(" ********* Deleting from WM");<br>end<br><br>And it is never fired ...<br><br>There are no more rules in the package, this is the only one ... so I don't understand anything ... could the error be in the engine? I don't retract any fact ... as you can see in my code ...<br>
<br>NEStor<br><br><div class="gmail_quote">2009/7/23 Nestor Tarin Burriel <span dir="ltr"><<a href="mailto:nestabur@gmail.com" target="_blank">nestabur@gmail.com</a>></span><div><div></div><div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Yes, that is the purpose ;)<br><br>I will try ;)<br><br>Thanks for your help<div><div></div><div><br><br><div class="gmail_quote">2009/7/22 Greg Barton <span dir="ltr"><<a href="mailto:greg_barton@yahoo.com" target="_blank">greg_barton@yahoo.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
Ah, overlooked that second rule. Have you tried the overlap operator?<br>
<br>
So, just to clarify, the purpose of the two rules should be:<br>
<br>
SnortRule: If two Snort events that are not port scans of an open port on the same destination arrive more than 5 minutes apart, delete the earlier one.<br>
<br>
SnortRuleRetract: If two Snort events that are not port scans of an open port on any two destinations arrive within 5 minutes of each other, delete the earlier one.<br>
<br>
Have you tried removing the temporal operators completely, just for testing purposes? What happens? i.e.<br>
<br>
"TimelessSnortRule"<br>
<div> $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"<br>
</div> $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst) from entry-point "Correlator"<br>
<br>
"TimelessSnortRuleRetract"<br>
<div> $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"<br>
</div> $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id) from entry-point "Correlator"<br>
<div><br>
<br>
--- On Wed, 7/22/09, Nestor Tarin Burriel <<a href="mailto:nestabur@gmail.com" target="_blank">nestabur@gmail.com</a>> wrote:<br>
<br>
</div>> From: Nestor Tarin Burriel <<a href="mailto:nestabur@gmail.com" target="_blank">nestabur@gmail.com</a>><br>
> Subject: Re: [rules-users] CEP Rule Help Needed<br>
> To: "Rules Users List" <<a href="mailto:rules-users@lists.jboss.org" target="_blank">rules-users@lists.jboss.org</a>><br>
> Date: Wednesday, July 22, 2009, 1:47 PM<br>
<div><div></div><div>> Thanks Greg,<br>
><br>
> As you can see in the code I sent, I have the 2<br>
> implementations:<br>
><br>
> "SnortRule"<br>
><br>
> $s1 : Snort( sig_name !=<br>
> "(portscan) Open Port") from entry-point<br>
> "Correlator"<br>
><br>
> $s2 : Snort( sig_name != "(portscan)<br>
> Open Port" , id != $<a href="http://s1.id" target="_blank">s1.id</a>, ip_dst == $s1.ip_dst, this<br>
> after [5m] $s1) from entry-point "Correlator"<br>
><br>
><br>
> "SnortRuleRetract"<br>
> $s1 : Snort( sig_name !=<br>
> "(portscan) Open Port") from entry-point<br>
> "Correlator"<br>
> $s2 : Snort ( sig_name != "(portscan)<br>
> Open Port" , id != $<a href="http://s1.id" target="_blank">s1.id</a>, this after [0m,5m] $s1) from<br>
> entry-point "Correlator"<br>
><br>
><br>
> and none of them are thrown<br>
><br>
> ...<br>
><br>
> 2009/7/22 Greg Barton <<a href="mailto:greg_barton@yahoo.com" target="_blank">greg_barton@yahoo.com</a>><br>
><br>
><br>
><br>
> Maybe this is a problem of language. Here's what you<br>
> say the rule should do:<br>
><br>
><br>
><br>
> 'After receiving a fact "MyModel" whose name<br>
> != "aaa", if another arrives<br>
><br>
> with the same ip and a different id after a<br>
> period between 0 and 5 minutes the<br>
><br>
> rule has to retract the last one and keep the first<br>
> fact (the older one)'<br>
><br>
><br>
><br>
> Which I would interpret as "Event 1 comes in, then<br>
> event 2 comes in between 0 and 5 minutes later." Does<br>
> that sound right?<br>
><br>
><br>
><br>
> And here's the rule that you think fits the<br>
> requirements:<br>
><br>
><br>
><br>
> rule "SnortRule"<br>
><br>
> salience 2<br>
><br>
> dialect "mvel"<br>
><br>
> when<br>
><br>
> $s1 : Snort( sig_name != "(portscan) Open<br>
> Port") from entry-point "Correlator"<br>
><br>
> $s2 : Snort( sig_name != "(portscan) Open<br>
> Port" , id != $<a href="http://s1.id" target="_blank">s1.id</a>, ip_dst == $s1.ip_dst, this<br>
> after [5m] $s1) from entry-point "Correlator"<br>
><br>
> then<br>
><br>
> System.out.println("******************<br>
> Snort Alert!!!!" + $s1.getData());<br>
><br>
> retract($s1);<br>
><br>
> end<br>
><br>
><br>
><br>
> Check out the docs, though:<br>
><br>
><br>
><br>
> <a href="https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622" target="_blank">https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622</a><br>
><br>
><br>
><br>
><br>
> The after operator in this case would check that (5m <=<br>
> $s2.startTimestamp - $s1.endTimeStamp <= +infinity).<br>
><br>
><br>
><br>
> So the rule actually implements "Event 1 comes in,<br>
> then event 2 happens at least 5 minutes later."<br>
><br>
><br>
><br>
> If you use the second argument of after I think it would<br>
> work:<br>
><br>
><br>
><br>
> $s2 : Snort( sig_name != "(portscan) Open Port" ,<br>
> id != $s1.id, ip_dst == $s1.ip_dst, this<br>
> after [0m,5m] $s1) from entry-point "Correlator"<br>
><br>
><br>
><br>
> According to the docs this should check that (0m <=<br>
> $s2.startTimestamp - $s1.endTimeStamp <= 5m).<br>
><br>
><br>
><br>
> You could alternately use "overlaps". Place an<br>
> @duration(5m) annotation on the Snort declaration and try<br>
> this condition:<br>
><br>
><br>
><br>
> $s2 : Snort( sig_name != "(portscan) Open Port" ,<br>
> id != $s1.id, ip_dst == $s1.ip_dst, this<br>
> overlaps $s1) from entry-point "Correlator"<br>
><br>
> _______________________________________________<br>
><br>
> rules-users mailing list<br>
><br>
> <a href="mailto:rules-users@lists.jboss.org" target="_blank">rules-users@lists.jboss.org</a><br>
><br>
> <a href="https://lists.jboss.org/mailman/listinfo/rules-users" target="_blank">https://lists.jboss.org/mailman/listinfo/rules-users</a><br>
><br>
><br>
><br>
><br>
</div></div>> -----Inline Attachment Follows-----<br>
<div><div></div><div>><br>
><br>
<br>
<br>
<br>
<br>
</div></div></blockquote></div><br>
</div></div></blockquote></div></div></div><br>
<br></blockquote></div><br><br clear="all"><br>-- <br></div></div>Regards,<br>PriyaKathan<br>
</div>
<br></blockquote></div><br>
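The thread ends with two separate findings: Greg's point that <code>after [5m]</code> means "at least 5 minutes later" while <code>after [0m,5m]</code> is the 0-to-5-minute window Nestor actually wanted, and Nestor's own fix that every alert has to be inserted through the same entry point of the same session, otherwise the two patterns of the rule never see each other. The following is an added example, written for this page and not code from the thread, from Priya's attachment or from the Drools project, that puts both together in a single Drools 5 Java program. It assumes the Drools 5.x API (<code>org.drools.*</code> packages), a constructed <code>Snort</code> bean with properties <code>id</code>, <code>sigName</code> and <code>ipDst</code> standing in for the list members' Snort model (whose field names in the thread are <code>sig_name</code> and <code>ip_dst</code>), an assumed package name <code>com.example.cep</code>, and constructed alert values; the pseudo clock is the same device Priya mentions, so the 5-minute window can be exercised without waiting.

```java
package com.example.cep;  // assumed package name for this example

import java.util.concurrent.TimeUnit;

import org.drools.KnowledgeBase;
import org.drools.KnowledgeBaseConfiguration;
import org.drools.KnowledgeBaseFactory;
import org.drools.builder.KnowledgeBuilder;
import org.drools.builder.KnowledgeBuilderFactory;
import org.drools.builder.ResourceType;
import org.drools.conf.EventProcessingOption;
import org.drools.io.ResourceFactory;
import org.drools.runtime.KnowledgeSessionConfiguration;
import org.drools.runtime.StatefulKnowledgeSession;
import org.drools.runtime.conf.ClockTypeOption;
import org.drools.runtime.rule.WorkingMemoryEntryPoint;
import org.drools.time.SessionPseudoClock;

public class SnortCepExample {

    // Constructed event bean standing in for the thread's Snort model.
    // The DRL constraints below use the bean property names sigName / ipDst.
    public static class Snort {
        private final int id;
        private final String sigName;
        private final String ipDst;
        public Snort(int id, String sigName, String ipDst) {
            this.id = id; this.sigName = sigName; this.ipDst = ipDst;
        }
        public int getId() { return id; }
        public String getSigName() { return sigName; }
        public String getIpDst() { return ipDst; }
        @Override public String toString() { return "Snort#" + id + "[" + sigName + " -> " + ipDst + "]"; }
    }

    // SnortRuleRetract as discussed in the thread: same destination, different id,
    // second alert 0..5 minutes after the first, both read from the "Correlator"
    // entry point. The later (duplicate) alert is retracted, the older one is kept.
    private static final String DRL =
        "package com.example.cep\n" +
        "import com.example.cep.SnortCepExample.Snort\n" +      // assumes the resolver accepts nested classes
        "declare Snort\n" +
        "  @role( event )\n" +
        "end\n" +
        "rule \"SnortRuleRetract\"\n" +
        "when\n" +
        "  $s1 : Snort( sigName != \"(portscan) Open Port\" ) from entry-point \"Correlator\"\n" +
        "  $s2 : Snort( sigName != \"(portscan) Open Port\", id != $s1.id, ipDst == $s1.ipDst,\n" +
        "               this after[0m,5m] $s1 ) from entry-point \"Correlator\"\n" +
        "then\n" +
        "  System.out.println(\"Dropping duplicate alert \" + $s2);\n" +
        "  retract( $s2 );\n" +
        "end\n";

    public static void main(String[] args) {
        KnowledgeBuilder kbuilder = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kbuilder.add(ResourceFactory.newByteArrayResource(DRL.getBytes()), ResourceType.DRL);
        if (kbuilder.hasErrors()) {
            throw new IllegalStateException(kbuilder.getErrors().toString());
        }

        // STREAM mode is what makes temporal operators (after, overlaps) meaningful.
        KnowledgeBaseConfiguration kbconf = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
        kbconf.setOption(EventProcessingOption.STREAM);
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(kbconf);
        kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());

        // Pseudo clock: the program, not wall time, decides when 5 minutes have passed.
        KnowledgeSessionConfiguration ksconf = KnowledgeBaseFactory.newKnowledgeSessionConfiguration();
        ksconf.setOption(ClockTypeOption.get("pseudo"));
        StatefulKnowledgeSession ksession = kbase.newStatefulKnowledgeSession(ksconf, null);
        SessionPseudoClock clock = ksession.getSessionClock();

        // Nestor's fix: resolve the entry point once, on one session, and route every
        // alert through it. Alerts inserted into different sessions can never be
        // paired by $s1/$s2, so the rule silently never fires.
        WorkingMemoryEntryPoint correlator = ksession.getWorkingMemoryEntryPoint("Correlator");

        correlator.insert(new Snort(1, "ICMP PING NMAP", "10.0.0.5"));        // t = 0
        ksession.fireAllRules();

        clock.advanceTime(2, TimeUnit.MINUTES);
        correlator.insert(new Snort(2, "ICMP PING NMAP", "10.0.0.5"));        // t = 2m: inside [0m,5m], retracted
        ksession.fireAllRules();

        clock.advanceTime(8, TimeUnit.MINUTES);
        correlator.insert(new Snort(3, "ICMP PING NMAP", "10.0.0.5"));        // t = 10m: outside the window, kept
        ksession.fireAllRules();

        clock.advanceTime(1, TimeUnit.MINUTES);
        correlator.insert(new Snort(4, "(portscan) Open Port", "10.0.0.5"));  // excluded by the sigName constraint
        ksession.fireAllRules();

        // Alert 2 is gone; alerts 3 and 4 remain. In STREAM mode the engine may also
        // expire alert 1 on its own once it can no longer match the 5-minute window.
        System.out.println("Remaining in Correlator: " + correlator.getObjects());
        ksession.dispose();
    }
}
```

With <code>after[5m]</code> in place of <code>after[0m,5m]</code> the second insert would not be retracted at all (2 minutes is less than the 5-minute minimum), which is exactly the behaviour Nestor first reported; and if each alert were inserted into a freshly created session, nothing would ever be retracted regardless of the operator, which is the symptom he finally traced. Note that the <code>ipDst == $s1.ipDst</code> constraint is what keeps this a deduplication rule rather than a blanket suppression: alerts for different destinations inside the same window are all kept.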