Hi all again,<br><br>At the end I have my rules firing as expected :)<br><br>I had to add the expires() attribute at the model, otherwise my facts were immediately retracted by the engine.<br><br>Thanks to all ;)<br><br>NEStor<br>
<br><div class="gmail_quote">2009/7/23 Nestor Tarin Burriel <span dir="ltr"><<a href="mailto:nestabur@gmail.com">nestabur@gmail.com</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
In my case yes...<br><br><div class="gmail_quote">2009/7/23 Greg Barton <span dir="ltr"><<a href="mailto:greg_barton@yahoo.com" target="_blank">greg_barton@yahoo.com</a>></span><div><div></div><div class="h5"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
So do you mean this didn't work:<br>
<div><br>
myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);<br>
<br>
for (Fact a : Facts)<br>
</div> ksession.getWorkingMemoryEntryPoint(correlatorName).insert(a);<br>
<br>
...but this did?<br>
<div><br>
myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);<br>
<br>
for (Fact a : Facts)<br>
myWorkingMemoryEP.insert(a);<br>
<br>
<br>
</div><div>--- On Thu, 7/23/09, Nestor Tarin Burriel <<a href="mailto:nestabur@gmail.com" target="_blank">nestabur@gmail.com</a>> wrote:<br>
<br>
> From: Nestor Tarin Burriel <<a href="mailto:nestabur@gmail.com" target="_blank">nestabur@gmail.com</a>><br>
> Subject: Re: [rules-users] CEP Rule Help Needed<br>
> To: "Rules Users List" <<a href="mailto:rules-users@lists.jboss.org" target="_blank">rules-users@lists.jboss.org</a>><br>
</div>> Date: Thursday, July 23, 2009, 9:47 AM<br>
<div>> Finally I've solved my problem. It<br>
> was in the engine:<br>
><br>
> Looking the doc, for inserting a new fact into a stream of<br>
> the working memory says:<br>
><br>
> ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert();<br>
><br>
><br>
> Which is perfect but not for my environment ;), I was<br>
> inserting the events in different WMs because in each one I<br>
> did <br>
> ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert(myFact);<br>
> so I solved it doing:<br>
><br>
><br>
> myWorkingMemoryEP =<br>
> ksession.getWorkingMemoryEntryPoint(correlatorName);<br>
><br>
> for (Fact a : Facts)<br>
> myWorkingMemoryEP.insert(a);<br>
><br>
> I don't know if this is the correct use of EntryPoints but it<br>
> works!<br>
><br>
><br>
> Thanks to everybody especially Greg and Priya :)<br>
><br>
</div><div>> 2009/7/23 PriyaKathan <<a href="mailto:nash.8103@gmail.com" target="_blank">nash.8103@gmail.com</a>><br>
><br>
</div><div><div></div><div>> Hi<br>
><br>
> Find attached working example for CEP rule with the<br>
> scenario you stated. Here I used Pseudo<br>
> clock. Hope this would help you to understand<br>
> better.<br>
> Regards,<br>
><br>
> Priya<br>
><br>
> 2009/7/23 Nestor Tarin Burriel<br>
> <<a href="mailto:nestabur@gmail.com" target="_blank">nestabur@gmail.com</a>><br>
><br>
><br>
> Hi again Greg,<br>
><br>
> I've tried your suggestion and it seems like the facts<br>
> that the rule is checking are the same.<br>
><br>
> This is my last try:<br>
><br>
> rule "SnortRuleRetract"<br>
> dialect "mvel"<br>
><br>
><br>
><br>
> when<br>
> $s1 : Snort( sig_name != "(portscan)<br>
> Open Port")<br>
> $s2 : Snort ( sig_name !=<br>
> "(portscan) Open Port" , id != $s1.id)<br>
> then<br>
><br>
><br>
> retract($s2);<br>
><br>
> System.out.println(" ********* Deleting<br>
> from WM");<br>
> end<br>
><br>
> And is never fired ...<br>
><br>
> There are no more rules in the package, this is the only<br>
> one ... so I don't understand anything ... could be the<br>
> error in the engine? I don't retract any fact ... as you can<br>
> see in my code ...<br>
><br>
><br>
><br>
><br>
> NEStor<br>
><br>
> 2009/7/23 Nestor Tarin Burriel<br>
> <<a href="mailto:nestabur@gmail.com" target="_blank">nestabur@gmail.com</a>><br>
><br>
><br>
><br>
> Yes, that is the purpose ;)<br>
><br>
> I will try ;)<br>
><br>
> Thanks 4 your help<br>
><br>
> 2009/7/22 Greg Barton <<a href="mailto:greg_barton@yahoo.com" target="_blank">greg_barton@yahoo.com</a>><br>
><br>
><br>
><br>
><br>
><br>
><br>
> Ah, overlooked that second rule. Have you tried the<br>
> overlap operator?<br>
><br>
><br>
><br>
> So, just to clarify, the purpose of the two rules should<br>
> be:<br>
><br>
><br>
><br>
> SnortRule: If two Snort events that are not port scans of<br>
> an open port on the same destination arrive more than 5<br>
> minutes apart, delete the earlier one.<br>
><br>
><br>
><br>
> SnortRuleRetract: If two Snort events that are not port<br>
> scans of an open port on any two destinations arrive within<br>
> 5 minutes of each other, delete the earlier one.<br>
><br>
><br>
><br>
> Have you tried removing the temporal operators completely,<br>
> just for testing purposes? What happens? i.e.<br>
><br>
><br>
><br>
> "TimelessSnortRule"<br>
><br>
> $s1 : Snort( sig_name != "(portscan)<br>
> Open Port") from entry-point "Correlator"<br>
><br>
> $s2 : Snort( sig_name != "(portscan)<br>
> Open Port" , id != $s1.id, ip_dst == $s1.ip_dst) from<br>
> entry-point "Correlator"<br>
><br>
><br>
><br>
> "TimelessSnortRuleRetract"<br>
><br>
> $s1 : Snort( sig_name != "(portscan)<br>
> Open Port") from entry-point "Correlator"<br>
><br>
> $s2 : Snort ( sig_name !=<br>
> "(portscan) Open Port" , id != $s1.id) from<br>
> entry-point "Correlator"<br>
><br>
><br>
><br>
><br>
><br>
> --- On Wed, 7/22/09, Nestor Tarin Burriel <<a href="mailto:nestabur@gmail.com" target="_blank">nestabur@gmail.com</a>><br>
> wrote:<br>
><br>
><br>
><br>
> > From: Nestor Tarin Burriel <<a href="mailto:nestabur@gmail.com" target="_blank">nestabur@gmail.com</a>><br>
><br>
> > Subject: Re: [rules-users] CEP Rule Help Needed<br>
><br>
> > To: "Rules Users List" <<a href="mailto:rules-users@lists.jboss.org" target="_blank">rules-users@lists.jboss.org</a>><br>
><br>
> > Date: Wednesday, July 22, 2009, 1:47 PM<br>
><br>
> > Thanks Greg,<br>
><br>
> ><br>
><br>
> > As you can see in the code I sent, I have the 2<br>
><br>
> > implementations:<br>
><br>
> ><br>
><br>
> > "SnortRule"<br>
><br>
> ><br>
><br>
> > $s1 : Snort( sig_name !=<br>
><br>
> > "(portscan) Open Port") from entry-point<br>
><br>
> > "Correlator"<br>
><br>
> ><br>
><br>
> > $s2 : Snort( sig_name !=<br>
> "(portscan)<br>
><br>
> > Open Port" , id != $s1.id, ip_dst ==<br>
> $s1.ip_dst, this<br>
><br>
> > after [5m] $s1) from entry-point<br>
> "Correlator"<br>
><br>
> ><br>
><br>
> ><br>
><br>
> > "SnortRuleRetract"<br>
><br>
> > $s1 : Snort( sig_name !=<br>
><br>
> > "(portscan) Open Port") from entry-point<br>
><br>
> > "Correlator"<br>
><br>
> > $s2 : Snort ( sig_name !=<br>
> "(portscan)<br>
><br>
> > Open Port" , id != $s1.id, this after<br>
> [0m,5m] $s1) from<br>
><br>
> > entry-point "Correlator"<br>
><br>
> ><br>
><br>
> ><br>
><br>
> > and any of them are thrown<br>
><br>
> ><br>
><br>
> > ...<br>
><br>
> ><br>
><br>
> > 2009/7/22 Greg Barton <<a href="mailto:greg_barton@yahoo.com" target="_blank">greg_barton@yahoo.com</a>><br>
><br>
> ><br>
><br>
> ><br>
><br>
> ><br>
><br>
> > Maybe this is a problem of language. Here's what<br>
> you<br>
><br>
> > say the rule should do:<br>
><br>
> ><br>
><br>
> ><br>
><br>
> ><br>
><br>
> > 'After receiving a fact "MyModel" which<br>
> name<br>
><br>
> > != "aaa", if arrives another<br>
><br>
> ><br>
><br>
> > with same ip and different id after a<br>
><br>
> > period between 0 and 5 minutes the<br>
><br>
> ><br>
><br>
> > rule has to retract the last one and keep the first<br>
><br>
> > fact (the older one)'<br>
><br>
> ><br>
><br>
> ><br>
><br>
> ><br>
><br>
> > Which I would interpret as "Event 1 comes in,<br>
> then<br>
><br>
> > event 2 comes in between 0 and 5 minutes later."<br>
> Does<br>
><br>
> > that sound right?<br>
><br>
> ><br>
><br>
> ><br>
><br>
> ><br>
><br>
> > And here's the rule that you think fits the<br>
><br>
> > requirements:<br>
><br>
> ><br>
><br>
> ><br>
><br>
> ><br>
><br>
> > rule "SnortRule"<br>
><br>
> ><br>
><br>
> > salience 2<br>
><br>
> ><br>
><br>
> > dialect "mvel"<br>
><br>
> ><br>
><br>
> > when<br>
><br>
> ><br>
><br>
> > $s1 : Snort( sig_name != "(portscan)<br>
> Open<br>
><br>
> > Port") from entry-point "Correlator"<br>
><br>
> ><br>
><br>
> > $s2 : Snort( sig_name != "(portscan)<br>
> Open<br>
><br>
> > Port" , id != $s1.id, ip_dst == $s1.ip_dst, this<br>
><br>
> > after [5m] $s1) from entry-point<br>
> "Correlator"<br>
><br>
> ><br>
><br>
> > then<br>
><br>
> ><br>
><br>
> > <br>
> System.out.println("******************<br>
><br>
> > Snort Alert!!!!" + $s1.getData());<br>
><br>
> ><br>
><br>
> > retract($s1);<br>
><br>
> ><br>
><br>
> > end<br>
><br>
> ><br>
><br>
> ><br>
><br>
> ><br>
><br>
> > Check out the docs, though:<br>
><br>
> ><br>
><br>
> ><br>
><br>
> ><br>
><br>
> > <a href="https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622" target="_blank">https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622</a><br>
><br>
><br>
><br>
><br>
><br>
> ><br>
><br>
> ><br>
><br>
> ><br>
><br>
> ><br>
><br>
> > The after operator in this case would check that (5m<br>
> <=<br>
><br>
> > $s2.startTimestamp - $s1.endTimeStamp <=<br>
> +infinity).<br>
><br>
> ><br>
><br>
> ><br>
><br>
> ><br>
><br>
> > So the rule actually implements "Event 1 comes<br>
> in,<br>
><br>
> > then event 2 happens at least 5 minutes later."<br>
><br>
> ><br>
><br>
> ><br>
><br>
> ><br>
><br>
> > If you use the second argument of after I think it<br>
> would<br>
><br>
> > work:<br>
><br>
> ><br>
><br>
> ><br>
><br>
> ><br>
><br>
> > $s2 : Snort( sig_name != "(portscan) Open<br>
> Port" ,<br>
><br>
> > id != $s1.id, ip_dst == $s1.ip_dst, this<br>
><br>
> > after [0m,5m] $s1) from entry-point<br>
> "Correlator"<br>
><br>
> ><br>
><br>
> ><br>
><br>
> ><br>
><br>
> > According to the docs this should check that (0m<br>
> <=<br>
><br>
> > $s2.startTimestamp - $s1.endTimeStamp <= 5m).<br>
><br>
> ><br>
><br>
> ><br>
><br>
> ><br>
><br>
> > You could alternately use "overlaps".<br>
> Place an<br>
><br>
> > @duration(5m) annotation on the Snort declaration and<br>
> try<br>
><br>
> > this condition:<br>
><br>
> ><br>
><br>
> ><br>
><br>
> ><br>
><br>
> > $s2 : Snort( sig_name != "(portscan) Open<br>
> Port" ,<br>
><br>
> > id != $s1.id, ip_dst == $s1.ip_dst, this<br>
><br>
> > overlaps $s1) from entry-point "Correlator"<br>
><br>
><br>
> > _______________________________________________<br>
><br>
> ><br>
><br>
> > rules-users mailing list<br>
><br>
> ><br>
><br>
> > <a href="mailto:rules-users@lists.jboss.org" target="_blank">rules-users@lists.jboss.org</a><br>
><br>
> ><br>
><br>
> > <a href="https://lists.jboss.org/mailman/listinfo/rules-users" target="_blank">https://lists.jboss.org/mailman/listinfo/rules-users</a><br>
><br>
> ><br>
><br>
> ><br>
><br>
> ><br>
><br>
> ><br>
><br>
><br>
><br>
><br>
> --<br>
> Regards,<br>
> PriyaKathan<br>
><br>
><br>
><br>
><br>
><br>
<br>
</div></div></blockquote></div></div></div><br>
</blockquote></div><br>
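Greg's point about `after [5m]` versus `after [0m,5m]` can be checked without a rule engine. The following is an added example, not code from the thread, from Drools or from any of the posters: a plain-JDK model of the Drools Fusion `after` operator as the thread quotes it from the docs (`min <= $s2.startTimestamp - $s1.endTimestamp <= max`), applied to a constructed stream of Snort-like alerts. The `Snort` class, the sample alerts, the `after` and `retractedBy` helpers and the class name `AfterOperatorDemo` are all assumptions made for illustration; real Snort events are point-in-time, so start and end are the same timestamp. For an IDS correlator the bound matters: a rule with the wrong window never fires on near-duplicate alerts, or silently discards the later, unrelated one.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/**
 * Added example (not from the thread or Drools): a plain-JDK model of the
 * Drools Fusion "after" operator as quoted from the docs in the thread,
 *   $s2 after [min,max] $s1   <=>   min <= $s2.start - $s1.end <= max
 * applied to constructed Snort-like events. Point-in-time events have
 * start == end, so only one timestamp per event is needed here.
 */
public class AfterOperatorDemo {

    static final long MINUTE_MS = 60_000L;
    static final String OPEN_PORT = "(portscan) Open Port";

    /** Hypothetical stand-in for the thread's Snort event class. */
    static final class Snort {
        final int id;
        final String sigName;   // sig_name in the DRL
        final String ipDst;     // ip_dst in the DRL
        final long timestamp;   // ms since session start (pseudo-clock style)

        Snort(int id, String sigName, String ipDst, long timestamp) {
            this.id = id;
            this.sigName = sigName;
            this.ipDst = ipDst;
            this.timestamp = timestamp;
        }
    }

    /** "$s2 after [minMs, maxMs] $s1". "after [5m]" is after [5m, +infinity]. */
    static boolean after(Snort s2, Snort s1, long minMs, long maxMs) {
        long delta = s2.timestamp - s1.timestamp;
        return delta >= minMs && delta <= maxMs;
    }

    /**
     * Ids a SnortRuleRetract-style rule would retract: for every pair of
     * non-"(portscan) Open Port" events on the same ip_dst with distinct ids,
     * where s2 is "after [minMs,maxMs]" s1, retract s2 (the later one) as the
     * thread's rule RHS does. Pairs are evaluated in insertion order, and an
     * event already retracted cannot match again, mirroring working memory.
     */
    static List<Integer> retractedBy(List<Snort> events, long minMs, long maxMs) {
        Set<Integer> retracted = new LinkedHashSet<>();
        for (Snort s1 : events) {
            for (Snort s2 : events) {
                if (s1.id == s2.id) continue;                                   // id != $s1.id
                if (OPEN_PORT.equals(s1.sigName) || OPEN_PORT.equals(s2.sigName)) continue;
                if (!s2.ipDst.equals(s1.ipDst)) continue;                       // ip_dst == $s1.ip_dst
                if (retracted.contains(s1.id) || retracted.contains(s2.id)) continue;
                if (after(s2, s1, minMs, maxMs)) retracted.add(s2.id);
            }
        }
        return new ArrayList<>(retracted);
    }

    public static void main(String[] args) {
        // Constructed sample stream: three alerts on 10.0.0.5 at 0, 2 and 9 minutes,
        // one open-port portscan that must be ignored, and one alert on another host.
        List<Snort> events = Arrays.asList(
            new Snort(1, "ET SCAN Potential SSH Scan", "10.0.0.5", 0),
            new Snort(2, "ET SCAN Potential SSH Scan", "10.0.0.5", 2 * MINUTE_MS),
            new Snort(3, OPEN_PORT,                    "10.0.0.5", 3 * MINUTE_MS),
            new Snort(4, "ET SCAN Potential SSH Scan", "10.0.0.7", 4 * MINUTE_MS),
            new Snort(5, "ET SCAN Potential SSH Scan", "10.0.0.5", 9 * MINUTE_MS));

        // after [5m]: only pairs at least five minutes apart match, so the
        // near-duplicate two minutes after event 1 is never seen by the rule.
        System.out.println("after [5m]    retracts "
                + retractedBy(events, 5 * MINUTE_MS, Long.MAX_VALUE));
        // after [0m,5m]: only pairs within five minutes match.
        System.out.println("after [0m,5m] retracts "
                + retractedBy(events, 0, 5 * MINUTE_MS));
    }
}
```

On this sample stream `after [5m]` retracts only event 5 (nine minutes after event 1) and leaves the two-minute duplicate, event 2, in place, which is the behaviour Nestor first saw with his rule; `after [0m,5m]` retracts event 2 and keeps event 5. The portscan alert (event 3) and the alert on the other host (event 4) are untouched in both cases because the `sig_name` and `ip_dst` constraints exclude them before the temporal test runs.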