Yes, that is the purpose ;)<br><br>I will try ;)<br><br>Thanks for your help<br><br><div class="gmail_quote">2009/7/22 Greg Barton <span dir="ltr">&lt;<a href="mailto:greg_barton@yahoo.com">greg_barton@yahoo.com</a>&gt;</span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
Ah, overlooked that second rule.  Have you tried the overlap operator?<br>
<br>
So, just to clarify, the purpose of the two rules should be:<br>
<br>
SnortRule: If two Snort events that are not port scans of an open port on the same destination arrive more than 5 minutes apart, delete the earlier one.<br>
<br>
SnortRuleRetract: If two Snort events that are not port scans of an open port on any two destinations arrive within 5 minutes of each other, delete the earlier one.<br>
<br>
Have you tried removing the temporal operators completely, just for testing purposes?  What happens?  i.e.<br>
<br>
&quot;TimelessSnortRule&quot;<br>
<div class="im">        $s1 : Snort( sig_name != &quot;(portscan) Open Port&quot;) from entry-point &quot;Correlator&quot;<br>
</div>        $s2 : Snort( sig_name != &quot;(portscan) Open Port&quot; , id != $s1.id, ip_dst == $s1.ip_dst) from entry-point &quot;Correlator&quot;<br>
<br>
&quot;TimelessSnortRuleRetract&quot;<br>
<div class="im">        $s1 : Snort( sig_name != &quot;(portscan) Open Port&quot;) from entry-point &quot;Correlator&quot;<br>
</div>        $s2 : Snort ( sig_name != &quot;(portscan) Open Port&quot; , id != $s1.id) from entry-point &quot;Correlator&quot;<br>
<div class="im"><br>
<br>
--- On Wed, 7/22/09, Nestor Tarin Burriel &lt;<a href="mailto:nestabur@gmail.com">nestabur@gmail.com</a>&gt; wrote:<br>
<br>
</div>&gt; From: Nestor Tarin Burriel &lt;<a href="mailto:nestabur@gmail.com">nestabur@gmail.com</a>&gt;<br>
&gt; Subject: Re: [rules-users] CEP Rule Help Needed<br>
&gt; To: &quot;Rules Users List&quot; &lt;<a href="mailto:rules-users@lists.jboss.org">rules-users@lists.jboss.org</a>&gt;<br>
&gt; Date: Wednesday, July 22, 2009, 1:47 PM<br>
<div><div></div><div class="h5">&gt; Thanks Greg,<br>
&gt;<br>
&gt; As you can see in the code I sent, I have the 2<br>
&gt; implementations:<br>
&gt;<br>
&gt; &quot;SnortRule&quot;<br>
&gt;<br>
&gt;         $s1 : Snort( sig_name != &quot;(portscan) Open Port&quot;) from entry-point &quot;Correlator&quot;<br>
&gt;         $s2 : Snort( sig_name != &quot;(portscan) Open Port&quot; , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point &quot;Correlator&quot;<br>
&gt;<br>
&gt;<br>
&gt; &quot;SnortRuleRetract&quot;<br>
&gt;<br>
&gt;         $s1 : Snort( sig_name != &quot;(portscan) Open Port&quot;) from entry-point &quot;Correlator&quot;<br>
&gt;         $s2 : Snort ( sig_name != &quot;(portscan) Open Port&quot; , id != $s1.id, this after [0m,5m] $s1) from entry-point &quot;Correlator&quot;<br>
&gt;<br>
&gt;<br>
&gt; and neither of them fires<br>
&gt;<br>
&gt; ...<br>
&gt;<br>
&gt; 2009/7/22 Greg Barton &lt;<a href="mailto:greg_barton@yahoo.com">greg_barton@yahoo.com</a>&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; Maybe this is a problem of language.  Here&#39;s what you<br>
&gt; say the rule should do:<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; &#39;After receiving a fact &quot;MyModel&quot; whose name<br>
&gt; != &quot;aaa&quot;, if another arrives<br>
&gt;<br>
&gt; with the same ip and a different id after a<br>
&gt; period of between 0 and 5 minutes, the<br>
&gt;<br>
&gt; rule has to retract the last one and keep the first<br>
&gt; fact (the older one)&#39;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; Which I would interpret as &quot;Event 1 comes in, then<br>
&gt; event 2 comes in between 0 and 5 minutes later.&quot;  Does<br>
&gt; that sound right?<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; And here&#39;s the rule that you think fits the<br>
&gt; requirements:<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; rule &quot;SnortRule&quot;<br>
&gt;     salience 2<br>
&gt;     dialect &quot;mvel&quot;<br>
&gt;     when<br>
&gt;         $s1 : Snort( sig_name != &quot;(portscan) Open Port&quot;) from entry-point &quot;Correlator&quot;<br>
&gt;         $s2 : Snort( sig_name != &quot;(portscan) Open Port&quot; , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point &quot;Correlator&quot;<br>
&gt;     then<br>
&gt;         System.out.println(&quot;****************** Snort Alert!!!!&quot; + $s1.getData());<br>
&gt;         retract($s1);<br>
&gt; end<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; Check out the docs, though:<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; <a href="https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622" target="_blank">https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622</a><br>

&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; The after operator in this case would check that (5m &lt;= $s2.startTimestamp - $s1.endTimeStamp &lt;= +infinity).<br>
&gt;<br>
&gt; So the rule actually implements &quot;Event 1 comes in, then event 2 happens at least 5 minutes later.&quot;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; If you use the second argument of after I think it would<br>
&gt; work:<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; $s2 : Snort( sig_name != &quot;(portscan) Open Port&quot; , id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1) from entry-point &quot;Correlator&quot;<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; According to the docs this should check that (0m &lt;= $s2.startTimestamp - $s1.endTimeStamp &lt;= 5m).<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; You could alternately use &quot;overlaps&quot;.  Place an<br>
&gt; @duration(5m) annotation on the Snort declaration and try<br>
&gt; this condition:<br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt; $s2 : Snort( sig_name != &quot;(portscan) Open Port&quot; , id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1) from entry-point &quot;Correlator&quot;<br>
&gt;<br>
&gt; _______________________________________________<br>
&gt;<br>
&gt; rules-users mailing list<br>
&gt;<br>
&gt; <a href="mailto:rules-users@lists.jboss.org">rules-users@lists.jboss.org</a><br>
&gt;<br>
&gt; <a href="https://lists.jboss.org/mailman/listinfo/rules-users" target="_blank">https://lists.jboss.org/mailman/listinfo/rules-users</a><br>
&gt;<br>
&gt;<br>
&gt;<br>
&gt;<br>
</div></div><div><div></div><div class="h5">
</div></div></blockquote></div><br>
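The following is an added example, not code from the thread or from the Drools project. It is a small stand-alone Python model of the three temporal conditions Greg walks through (after [5m], after [0m,5m], and overlaps with @duration(5m)), reproducing the operator definitions from the Fusion docs he links, and runs each variant of the rule over a handful of constructed Snort events so the reader can see which pairs match and which fact retract($s1) removes. The event names, timestamps and the pair-iteration order are assumptions of the example; the real engine additionally needs the Snort fact declared with @role(event) for temporal operators to apply at all, which the model does not check.

```python
# Added example: a stand-alone model of the three Drools Fusion temporal
# conditions discussed in the thread, run over constructed Snort events.
# This is NOT Drools; it only reproduces the operator definitions from the
# Fusion docs so the effect of each rule variant can be checked offline.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MIN = 60  # seconds; event times below are seconds since session start (constructed)


@dataclass(frozen=True)
class Snort:
    id: int
    sig_name: str
    ip_dst: str
    start: int
    duration: int = 0  # Drools events have zero duration unless @duration is declared

    @property
    def end(self) -> int:
        return self.start + self.duration


def after(s2: Snort, s1: Snort, lo: int, hi: Optional[int] = None) -> bool:
    """`$s2 after [lo, hi] $s1`  <=>  lo <= s2.start - s1.end <= hi.
    A single bound, `after [lo]`, leaves hi open (+infinity)."""
    delta = s2.start - s1.end
    return delta >= lo and (hi is None or delta <= hi)


def overlaps(a: Snort, b: Snort) -> bool:
    """`$a overlaps $b`  <=>  a.start < b.start < a.end < b.end (Fusion docs).
    With zero-duration events this can never hold, hence the @duration(5m)."""
    return a.start < b.start < a.end < b.end


def not_open_port(e: Snort) -> bool:
    return e.sig_name != "(portscan) Open Port"


def matches(s1: Snort, s2: Snort, temporal: Callable[[Snort, Snort], bool],
            same_dst: bool) -> bool:
    """The two-pattern 'when' part: both non-portscan, distinct ids, optional
    ip_dst join, then the temporal constraint written as `this <op> $s1`."""
    if not (not_open_port(s1) and not_open_port(s2)) or s1.id == s2.id:
        return False
    if same_dst and s1.ip_dst != s2.ip_dst:
        return False
    return temporal(s2, s1)


def run_rule(events: List[Snort], temporal: Callable[[Snort, Snort], bool],
             same_dst: bool = True, retract_first: bool = True) -> Tuple[List[int], List[int]]:
    """Try every ordered ($s1, $s2) pair, as two patterns bound from the same
    entry-point would, skipping facts already retracted. Pair order follows the
    event list (an assumption; the real agenda order may differ).
    retract_first=True retracts $s1 like the posted rule; False retracts $s2,
    which is what the stated requirement ("keep the older one") asks for."""
    live = {e.id: e for e in events}
    retracted: List[int] = []
    for s1 in events:
        for s2 in events:
            if s1.id not in live or s2.id not in live:
                continue
            if matches(s1, s2, temporal, same_dst):
                victim = s1 if retract_first else s2
                del live[victim.id]
                retracted.append(victim.id)
    return retracted, sorted(live)


# Constructed sample events (not real Snort output): 1..4 are ordinary alerts,
# 5 is the open-port portscan that every rule excludes.
EVENTS = [
    Snort(1, "ET SCAN Nmap probe", "10.0.0.5", 0 * MIN),
    Snort(2, "ET POLICY SSH login", "10.0.0.5", 2 * MIN),        # 2 min after 1, same dst
    Snort(3, "ET SCAN Nmap probe", "10.0.0.9", 3 * MIN),         # 3 min after 1, other dst
    Snort(4, "ET SCAN Nmap probe", "10.0.0.5", 10 * MIN),        # 10 min after 1, same dst
    Snort(5, "(portscan) Open Port", "10.0.0.5", 2 * MIN + 10),  # excluded by sig_name
]


def with_duration(events: List[Snort], seconds: int) -> List[Snort]:
    """Model `declare Snort @duration(...)` by giving every event that length."""
    return [Snort(e.id, e.sig_name, e.ip_dst, e.start, seconds) for e in events]


def demo() -> dict:
    """Run each variant from the thread; returns {label: (retracted ids, surviving ids)}."""
    return {
        "after [5m] (rule as posted)":
            run_rule(EVENTS, lambda s2, s1: after(s2, s1, 5 * MIN)),
        "after [0m,5m]":
            run_rule(EVENTS, lambda s2, s1: after(s2, s1, 0, 5 * MIN)),
        "after [0m,5m], keep the older fact":
            run_rule(EVENTS, lambda s2, s1: after(s2, s1, 0, 5 * MIN), retract_first=False),
        "after [0m,5m], no ip_dst join (SnortRuleRetract)":
            run_rule(EVENTS, lambda s2, s1: after(s2, s1, 0, 5 * MIN), same_dst=False),
        "overlaps with @duration(5m)":
            run_rule(with_duration(EVENTS, 5 * MIN), overlaps),
    }


if __name__ == "__main__":
    for label, (gone, kept) in demo().items():
        print(f"{label:50s} retracted={gone} kept={kept}")
```

Two things the run makes visible. With `after [5m]` the pair two minutes apart never matches, and the rule only fires once event 4 arrives ten minutes later, at which point it retracts the old facts 1 and 2; with `after [0m,5m]` the two-minute pair matches immediately. Dropping the ip_dst join, as SnortRuleRetract does, also pairs events on different destinations (here 2 and 3). With the overlaps definition as modelled, `this overlaps $s1` only holds when $s2 started before $s1, so retract($s1) removes the newer event and keeps the older one, which is the behaviour the original requirement asked for, whereas the after variants with retract($s1) remove the earlier fact.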