Yes, that is the purpose ;)<br><br>I will try ;)<br><br>Thanks 4 your help<br><br><div class="gmail_quote">2009/7/22 Greg Barton <span dir="ltr"><<a href="mailto:greg_barton@yahoo.com">greg_barton@yahoo.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
Ah, overlooked that second rule. Have you tried the overlap operator?<br>
<br>
So, just to clarify, the purpose of the two rules should be:<br>
<br>
SnortRule: If two Snort events that are not port scans of an open port on the same destination arrive more than 5 minutes apart, delete the earlier one.<br>
<br>
SnortRuleRetract: If two Snort events that are not port scans of an open port on any two destinations arrive within 5 minutes of each other, delete the earlier one.<br>
<br>
Have you tried removing the temporal operators completely, just for testing purposes? What happens? i.e.<br>
<br>
"TimelessSnortRule"<br>
<div class="im"> $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"<br>
</div> $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst) from entry-point "Correlator"<br>
<br>
"TimelessSnortRuleRetract"<br>
<div class="im"> $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"<br>
</div> $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id) from entry-point "Correlator"<br>
<div class="im"><br>
<br>
--- On Wed, 7/22/09, Nestor Tarin Burriel <<a href="mailto:nestabur@gmail.com">nestabur@gmail.com</a>> wrote:<br>
<br>
</div>> From: Nestor Tarin Burriel <<a href="mailto:nestabur@gmail.com">nestabur@gmail.com</a>><br>
> Subject: Re: [rules-users] CEP Rule Help Needed<br>
> To: "Rules Users List" <<a href="mailto:rules-users@lists.jboss.org">rules-users@lists.jboss.org</a>><br>
> Date: Wednesday, July 22, 2009, 1:47 PM<br>
<div><div></div><div class="h5">> Thanks Greg,<br>
><br>
> As you can see in the code I sent, I have the 2<br>
> implementations:<br>
><br>
> "SnortRule"<br>
><br>
> $s1 : Snort( sig_name !=<br>
> "(portscan) Open Port") from entry-point<br>
> "Correlator"<br>
><br>
> $s2 : Snort( sig_name != "(portscan)<br>
> Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this<br>
> after [5m] $s1) from entry-point "Correlator"<br>
><br>
><br>
> "SnortRuleRetract"<br>
> $s1 : Snort( sig_name !=<br>
> "(portscan) Open Port") from entry-point<br>
> "Correlator"<br>
> $s2 : Snort ( sig_name != "(portscan)<br>
> Open Port" , id != $s1.id, this after [0m,5m] $s1) from<br>
> entry-point "Correlator"<br>
><br>
><br>
> and any of them are thrown<br>
><br>
> ...<br>
><br>
> 2009/7/22 Greg Barton <<a href="mailto:greg_barton@yahoo.com">greg_barton@yahoo.com</a>><br>
><br>
><br>
><br>
> Maybe this is a problem of language. Here's what you<br>
> say the rule should do:<br>
><br>
><br>
><br>
> 'After receiving a fact "MyModel" which name<br>
> != "aaa", if arrives another<br>
><br>
> with same ip and different id after a<br>
> period between 0 and 5 minutes the<br>
><br>
> rule has to retract the last one and keep the first<br>
> fact (the older one)'<br>
><br>
><br>
><br>
> Which I would interpret as "Event 1 comes in, then<br>
> event 2 comes in between 0 and 5 minutes later." Does<br>
> that sound right?<br>
><br>
><br>
><br>
> And here's the rule that you think fits the<br>
> requirements:<br>
><br>
><br>
><br>
> rule "SnortRule"<br>
><br>
> salience 2<br>
><br>
> dialect "mvel"<br>
><br>
> when<br>
><br>
> $s1 : Snort( sig_name != "(portscan) Open<br>
> Port") from entry-point "Correlator"<br>
><br>
> $s2 : Snort( sig_name != "(portscan) Open<br>
> Port" , id != $s1.id, ip_dst == $s1.ip_dst, this<br>
> after [5m] $s1) from entry-point "Correlator"<br>
><br>
> then<br>
><br>
> System.out.println("******************<br>
> Snort Alert!!!!" + $s1.getData());<br>
><br>
> retract($s1);<br>
><br>
> end<br>
><br>
><br>
><br>
> Check out the docs, though:<br>
><br>
><br>
><br>
> <a href="https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622" target="_blank">https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622</a><br>
><br>
><br>
><br>
><br>
> The after operator in this case would check that (5m <=<br>
> $s2.startTimestamp - $s1.endTimeStamp <= +infinity).<br>
><br>
><br>
><br>
> So the rule actually implements "Event 1 comes in,<br>
> then event 2 happens at least 5 minutes later."<br>
><br>
><br>
><br>
> If you use the second argument of after I think it would<br>
> work:<br>
><br>
><br>
><br>
> $s2 : Snort( sig_name != "(portscan) Open Port" ,<br>
> id != $s1.id, ip_dst == $s1.ip_dst, this<br>
> after [0m,5m] $s1) from entry-point "Correlator"<br>
><br>
><br>
><br>
> According to the docs this should check that (0m <=<br>
> $s2.startTimestamp - $s1.endTimeStamp <= 5m).<br>
><br>
><br>
><br>
> You could alternately use "overlaps". Place an<br>
> @duration(5m) annotation on the Snort declaration and try<br>
> this condition:<br>
><br>
><br>
><br>
> $s2 : Snort( sig_name != "(portscan) Open Port" ,<br>
> id != $s1.id, ip_dst == $s1.ip_dst, this<br>
> overlaps $s1) from entry-point "Correlator"<br>
><br>
> _______________________________________________<br>
><br>
> rules-users mailing list<br>
><br>
> <a href="mailto:rules-users@lists.jboss.org">rules-users@lists.jboss.org</a><br>
><br>
> <a href="https://lists.jboss.org/mailman/listinfo/rules-users" target="_blank">https://lists.jboss.org/mailman/listinfo/rules-users</a><br>
><br>
><br>
><br>
><br>
</div></div><div><div></div><div class="h5"><br>
</div></div></blockquote></div><br>
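As an added example that is not part of this thread or of Drools itself, the Python below models the `after` operator exactly as Greg states it (lo <= $s2.startTimestamp - $s1.endTimestamp <= hi, with an omitted upper bound meaning +infinity) and evaluates the `when` blocks of the three rule variants discussed against a constructed stream of five alerts: `after [5m]` with the same `ip_dst` (the rule as posted), `after [0m,5m]` with the same `ip_dst` (Greg's suggested fix), and the retract variant over any destination. The `Snort` dataclass, the `sample-alert` signature name, the addresses and the timestamps are all constructed for this example; only the `(portscan) Open Port` filter and the operator semantics come from the thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Snort:
    """Stand-in for the Snort event fact in the thread (constructed fields)."""
    id: int
    sig_name: str
    ip_dst: str
    start: datetime
    duration: timedelta = timedelta(0)  # point event unless @duration is declared

    @property
    def end(self) -> datetime:
        return self.start + self.duration


def after(s2: Snort, s1: Snort, lo: timedelta, hi: Optional[timedelta] = None) -> bool:
    """'$s2 : Snort( this after [lo, hi] $s1 )' with the semantics quoted in the
    thread: lo <= s2.start - s1.end <= hi, where an omitted hi means +infinity."""
    gap = s2.start - s1.end
    return gap >= lo and (hi is None or gap <= hi)


def not_portscan(s: Snort) -> bool:
    """The sig_name != "(portscan) Open Port" constraint used by both rules."""
    return s.sig_name != "(portscan) Open Port"


def matching_pairs(events: List[Snort], lo: timedelta, hi: Optional[timedelta],
                   same_dst: bool) -> List[Tuple[int, int]]:
    """(s1.id, s2.id) pairs the rule's 'when' block would activate on.
    Mirrors: id != $s1.id, optional ip_dst == $s1.ip_dst, this after [lo,hi] $s1."""
    pairs = []
    for s1 in filter(not_portscan, events):
        for s2 in filter(not_portscan, events):
            if s2.id == s1.id:
                continue
            if same_dst and s2.ip_dst != s1.ip_dst:
                continue
            if after(s2, s1, lo, hi):
                pairs.append((s1.id, s2.id))
    return sorted(pairs)


FIVE_MIN = timedelta(minutes=5)


def snort_rule_as_posted(events: List[Snort]) -> List[Tuple[int, int]]:
    # "SnortRule" as posted: this after [5m] $s1, same ip_dst
    return matching_pairs(events, FIVE_MIN, None, same_dst=True)


def snort_rule_two_bounds(events: List[Snort]) -> List[Tuple[int, int]]:
    # Greg's suggested fix: this after [0m,5m] $s1, same ip_dst
    return matching_pairs(events, timedelta(0), FIVE_MIN, same_dst=True)


def snort_rule_retract(events: List[Snort]) -> List[Tuple[int, int]]:
    # "SnortRuleRetract": this after [0m,5m] $s1, any ip_dst
    return matching_pairs(events, timedelta(0), FIVE_MIN, same_dst=False)


# Constructed sample stream: five alerts over seven minutes (values are made up).
T0 = datetime(2009, 7, 22, 13, 0, 0)
EVENTS = [
    Snort(1, "sample-alert", "10.0.0.5", T0),
    Snort(2, "sample-alert", "10.0.0.5", T0 + timedelta(minutes=2)),
    Snort(3, "(portscan) Open Port", "10.0.0.5", T0 + timedelta(minutes=3)),  # filtered out
    Snort(4, "sample-alert", "10.0.0.9", T0 + timedelta(minutes=4)),          # other destination
    Snort(5, "sample-alert", "10.0.0.5", T0 + timedelta(minutes=7)),
]

if __name__ == "__main__":
    print("after [5m]   :", snort_rule_as_posted(EVENTS))   # [(1, 5), (2, 5)]
    print("after [0m,5m]:", snort_rule_two_bounds(EVENTS))  # [(1, 2), (2, 5)]
    print("retract rule :", snort_rule_retract(EVENTS))     # [(1, 2), (1, 4), (2, 4), (2, 5), (4, 5)]
```

Run it as a script to see the three activation sets side by side. The one-bound form only pairs alerts at least five minutes apart, so the two alerts two minutes apart on the same host (ids 1 and 2) never match it, which is the mismatch Greg describes; the two-bound form pairs exactly those, and the boundary is inclusive under the stated formula, so an alert exactly five minutes later (ids 2 and 5) matches both forms. The lists are the activations the `when` block would produce; in a running engine, a consequence that calls `retract($s1)` cancels any remaining activation that involves the retracted fact, so fewer consequences fire than there are pairs here.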