
Hi all again,<br><br>At the end I have my rules firing as expected :)<br><br>I had to add the expires() attribute at the model, otherwise my facts were immediatly retracted by the engine.<br><br>Thanks to all ;)<br><br>NEStor<br>

<br><div class="gmail_quote">2009/7/23 Nestor Tarin Burriel <span dir="ltr">&lt;<a href="mailto:nestabur@gmail.com">nestabur@gmail.com</a>&gt;</span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">

In my case yes...<br><br><div class="gmail_quote">2009/7/23 Greg Barton <span dir="ltr">&lt;<a href="mailto:greg_barton@yahoo.com" target="_blank">greg_barton@yahoo.com</a>&gt;</span><div><div></div><div class="h5"><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">


<br>

So do you mean this didn&#39;t work:<br>

<div><br>

myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);<br>

<br>

for (Fact a : Facts)<br>

</div>     ksession.getWorkingMemoryEntryPoint(correlatorName).insert(a);<br>

<br>

...but this did?<br>

<div><br>

myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);<br>

<br>

for (Fact a : Facts)<br>

     myWorkingMemoryEP.insert(a);<br>

<br>

<br>

</div><div>--- On Thu, 7/23/09, Nestor Tarin Burriel &lt;<a href="mailto:nestabur@gmail.com" target="_blank">nestabur@gmail.com</a>&gt; wrote:<br>

<br>

&gt; From: Nestor Tarin Burriel &lt;<a href="mailto:nestabur@gmail.com" target="_blank">nestabur@gmail.com</a>&gt;<br>

&gt; Subject: Re: [rules-users] CEP Rule Help Needed<br>

&gt; To: &quot;Rules Users List&quot; &lt;<a href="mailto:rules-users@lists.jboss.org" target="_blank">rules-users@lists.jboss.org</a>&gt;<br>

</div>&gt; Date: Thursday, July 23, 2009, 9:47 AM<br>

<div>&gt; Finally I&#39;ve solved my problem. It<br>

&gt; was in the engine:<br>

&gt;<br>

&gt; Looking the doc, for inserting a new fact into a stream of<br>

&gt; the working memory says:<br>

&gt;<br>

&gt;  ksession.getWorkingMemoryEntryPoint(&quot;MyEntryPoint&quot;).insert();<br>

&gt;<br>

&gt;<br>

&gt; Which is perfect but not for my enviroment ;), I was<br>

&gt; inserting the events in differents WM cause in each one I<br>

&gt; did <br>

&gt; ksession.getWorkingMemoryEntryPoint(&quot;MyEntryPoint&quot;).insert(myFact);<br>

&gt; so I solved it doing:<br>

&gt;<br>

&gt;<br>

&gt; myWorkingMemoryEP =<br>

&gt; ksession.getWorkingMemoryEntryPoint(correlatorName);<br>

&gt;<br>

&gt; for (Fact a : Facts)<br>

&gt;      myWorkingMemoryEP.insert(a);<br>

&gt;<br>

&gt; I dont know if this is the correct use of EntryPoints bu it<br>

&gt; works!<br>

&gt;<br>

&gt;<br>

&gt; Thanks to everybody especially Greg and Priya :)<br>

&gt;<br>

</div><div>&gt; 2009/7/23 PriyaKathan &lt;<a href="mailto:nash.8103@gmail.com" target="_blank">nash.8103@gmail.com</a>&gt;<br>

&gt;<br>

</div><div><div></div><div>&gt; Hi<br>

&gt;<br>

&gt; Find attached  working example for CEP rule with the<br>

&gt; scenario you stated.Here I used Psuedo<br>

&gt; clock.Hope this would help you to understand<br>

&gt; better.<br>

&gt; Regards,<br>

&gt;<br>

&gt; Priya<br>

&gt;<br>

&gt; 2009/7/23 Nestor Tarin Burriel<br>

&gt; &lt;<a href="mailto:nestabur@gmail.com" target="_blank">nestabur@gmail.com</a>&gt;<br>

&gt;<br>

&gt;<br>

&gt; Hi again Greg,<br>

&gt;<br>

&gt; I&#39;ve tried your suggestion and it seems like the facts<br>

&gt; that is the rule checking are the same.<br>

&gt;<br>

&gt; This is my last try:<br>

&gt;<br>

&gt; rule &quot;SnortRuleRetract&quot;<br>

&gt;     dialect &quot;mvel&quot;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;     when<br>

&gt;         $s1 : Snort( sig_name != &quot;(portscan)<br>

&gt; Open Port&quot;)<br>

&gt;         $s2 : Snort ( sig_name !=<br>

&gt; &quot;(portscan) Open Port&quot; , id != $<a href="http://s1.id" target="_blank">s1.id</a>)<br>

&gt;     then<br>

&gt;<br>

&gt;<br>

&gt;         retract($s2);<br>

&gt;<br>

&gt;         System.out.println(&quot; ********* Deleting<br>

&gt; from WM&quot;);<br>

&gt; end<br>

&gt;<br>

&gt; And is never fired ...<br>

&gt;<br>

&gt; There are no more rules in the package, this is the only<br>

&gt; one ... so I don&#39;t understand anything ... could be the<br>

&gt; error in the engine? I dont retract any fact ... as you can<br>

&gt; see in my code ...<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt; NEStor<br>

&gt;<br>

&gt; 2009/7/23 Nestor Tarin Burriel<br>

&gt; &lt;<a href="mailto:nestabur@gmail.com" target="_blank">nestabur@gmail.com</a>&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt; Yes, that is the purpose ;)<br>

&gt;<br>

&gt; I will try ;)<br>

&gt;<br>

&gt; Thanks 4 your help<br>

&gt;<br>

&gt; 2009/7/22 Greg Barton &lt;<a href="mailto:greg_barton@yahoo.com" target="_blank">greg_barton@yahoo.com</a>&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt; Ah, overlooked that second rule.  Have you tried the<br>

&gt; overlap operator?<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt; So, just to clarify, the purpose of the two rules should<br>

&gt; be:<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt; SnortRule: If two Snort events that are not port scans of<br>

&gt; an open port on the same destination arrive more than 5<br>

&gt; minutes apart, delete the earlier one.<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt; SnortRuleRetract: If two Snort events that are not port<br>

&gt; scans of an open port on any two destinations arrive within<br>

&gt; 5 minutes of each other, delete the earlier one.<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt; Have you tried removing the temporal operators completely,<br>

&gt; just for testing purposes?  What happens?  i.e.<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt; &quot;TimelessSnortRule&quot;<br>

&gt;<br>

&gt;         $s1 : Snort( sig_name != &quot;(portscan)<br>

&gt; Open Port&quot;) from entry-point &quot;Correlator&quot;<br>

&gt;<br>

&gt;         $s2 : Snort( sig_name != &quot;(portscan)<br>

&gt; Open Port&quot; , id != $<a href="http://s1.id" target="_blank">s1.id</a>, ip_dst == $s1.ip_dst) from<br>

&gt; entry-point &quot;Correlator&quot;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt; &quot;TimelessSnortRuleRetract&quot;<br>

&gt;<br>

&gt;         $s1 : Snort( sig_name != &quot;(portscan)<br>

&gt; Open Port&quot;) from entry-point &quot;Correlator&quot;<br>

&gt;<br>

&gt;         $s2 : Snort ( sig_name !=<br>

&gt; &quot;(portscan) Open Port&quot; , id != $<a href="http://s1.id" target="_blank">s1.id</a>) from<br>

&gt; entry-point &quot;Correlator&quot;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt; --- On Wed, 7/22/09, Nestor Tarin Burriel &lt;<a href="mailto:nestabur@gmail.com" target="_blank">nestabur@gmail.com</a>&gt;<br>

&gt; wrote:<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt; &gt; From: Nestor Tarin Burriel &lt;<a href="mailto:nestabur@gmail.com" target="_blank">nestabur@gmail.com</a>&gt;<br>

&gt;<br>

&gt; &gt; Subject: Re: [rules-users] CEP Rule Help Needed<br>

&gt;<br>

&gt; &gt; To: &quot;Rules Users List&quot; &lt;<a href="mailto:rules-users@lists.jboss.org" target="_blank">rules-users@lists.jboss.org</a>&gt;<br>

&gt;<br>

&gt; &gt; Date: Wednesday, July 22, 2009, 1:47 PM<br>

&gt;<br>

&gt; &gt; Thanks Greg,<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; As you can see in the code I sent, I have the 2<br>

&gt;<br>

&gt; &gt; implementations:<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; &quot;SnortRule&quot;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;         $s1 : Snort( sig_name !=<br>

&gt;<br>

&gt; &gt; &quot;(portscan) Open Port&quot;) from entry-point<br>

&gt;<br>

&gt; &gt; &quot;Correlator&quot;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;         $s2 : Snort( sig_name !=<br>

&gt; &quot;(portscan)<br>

&gt;<br>

&gt; &gt; Open Port&quot; , id != $<a href="http://s1.id" target="_blank">s1.id</a>, ip_dst ==<br>

&gt; $s1.ip_dst, this<br>

&gt;<br>

&gt; &gt; after [5m] $s1) from entry-point<br>

&gt; &quot;Correlator&quot;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; &quot;SnortRuleRetract&quot;<br>

&gt;<br>

&gt; &gt;         $s1 : Snort( sig_name !=<br>

&gt;<br>

&gt; &gt; &quot;(portscan) Open Port&quot;) from entry-point<br>

&gt;<br>

&gt; &gt; &quot;Correlator&quot;<br>

&gt;<br>

&gt; &gt;         $s2 : Snort ( sig_name !=<br>

&gt; &quot;(portscan)<br>

&gt;<br>

&gt; &gt; Open Port&quot; , id != $<a href="http://s1.id" target="_blank">s1.id</a>, this after<br>

&gt; [0m,5m] $s1) from<br>

&gt;<br>

&gt; &gt; entry-point &quot;Correlator&quot;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; and any of them are thrown<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; ...<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; 2009/7/22 Greg Barton &lt;<a href="mailto:greg_barton@yahoo.com" target="_blank">greg_barton@yahoo.com</a>&gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; Maybe this is a problem of language.  Here&#39;s what<br>

&gt; you<br>

&gt;<br>

&gt; &gt; say the rule should do:<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; &#39;After receiving a fact &quot;MyModel&quot; wich<br>

&gt; name<br>

&gt;<br>

&gt; &gt; != &quot;aaa&quot;, if arrives another<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; with same ip and different id after a<br>

&gt;<br>

&gt; &gt; period between 0 and 5 minutes the<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; rule have to retract the last one and keep the first<br>

&gt;<br>

&gt; &gt; fact (the older one)&#39;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; Which I would interpret as &quot;Event 1 comes in,<br>

&gt; then<br>

&gt;<br>

&gt; &gt; event 2 comes in between 0 and 5 minutes later.&quot;<br>

&gt;  Does<br>

&gt;<br>

&gt; &gt; that sound right?<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; And here&#39;s the rule that you think fits the<br>

&gt;<br>

&gt; &gt; requirements:<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; rule &quot;SnortRule&quot;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;     salience 2<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;     dialect &quot;mvel&quot;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;     when<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;         $s1 : Snort( sig_name != &quot;(portscan)<br>

&gt; Open<br>

&gt;<br>

&gt; &gt; Port&quot;) from entry-point &quot;Correlator&quot;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;         $s2 : Snort( sig_name != &quot;(portscan)<br>

&gt; Open<br>

&gt;<br>

&gt; &gt; Port&quot; , id != $<a href="http://s1.id" target="_blank">s1.id</a>, ip_dst == $s1.ip_dst, this<br>

&gt;<br>

&gt; &gt; after [5m] $s1) from entry-point<br>

&gt; &quot;Correlator&quot;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;     then<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;       <br>

&gt;  System.out.println(&quot;******************<br>

&gt;<br>

&gt; &gt; Snort Alert!!!!&quot; + $s1.getData());<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;         retract($s1);<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; end<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; Check out the docs, though:<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; <a href="https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622" target="_blank">https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622</a><br>


&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; The after operator in this case would check that (5m<br>

&gt; &lt;=<br>

&gt;<br>

&gt; &gt; $s2.startTimestamp - $s1.endTimeStamp &lt;=<br>

&gt; +infinity).<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; So the rule actually implements &quot;Event 1 comes<br>

&gt; in,<br>

&gt;<br>

&gt; &gt; then event 2 happens at leat 5 minutes later.&quot;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; If you use the second argument of after I think it<br>

&gt; would<br>

&gt;<br>

&gt; &gt; work:<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; $s2 : Snort( sig_name != &quot;(portscan) Open<br>

&gt; Port&quot; ,<br>

&gt;<br>

&gt; &gt; id != $<a href="http://s1.id" target="_blank">s1.id</a>, ip_dst == $s1.ip_dst, this<br>

&gt;<br>

&gt; &gt; after [0m,5m] $s1) from entry-point<br>

&gt; &quot;Correlator&quot;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; According to the docs this should check that (0m<br>

&gt; &lt;=<br>

&gt;<br>

&gt; &gt; $s2.startTimestamp - $s1.endTimeStamp &lt;= 5m).<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; You could alternately use &quot;overlaps&quot;.<br>

&gt;  Place an<br>

&gt;<br>

&gt; &gt; @duration(5m) annotation on the Snort declaration and<br>

&gt; try<br>

&gt;<br>

&gt; &gt; this condition:<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; $s2 : Snort( sig_name != &quot;(portscan) Open<br>

&gt; Port&quot; ,<br>

&gt;<br>

&gt; &gt; id != $<a href="http://s1.id" target="_blank">s1.id</a>, ip_dst == $s1.ip_dst, this<br>

&gt;<br>

&gt; &gt; overlaps $s1) from entry-point &quot;Correlator&quot;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; _______________________________________________<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; rules-users mailing list<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; <a href="mailto:rules-users@lists.jboss.org" target="_blank">rules-users@lists.jboss.org</a><br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; <a href="https://lists.jboss.org/mailman/listinfo/rules-users" target="_blank">https://lists.jboss.org/mailman/listinfo/rules-users</a><br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; -----Inline Attachment Follows-----<br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt; &gt; _______________________________________________<br>

&gt;<br>

&gt; &gt; rules-users mailing list<br>

&gt;<br>

&gt; &gt; <a href="mailto:rules-users@lists.jboss.org" target="_blank">rules-users@lists.jboss.org</a><br>

&gt;<br>

&gt; &gt; <a href="https://lists.jboss.org/mailman/listinfo/rules-users" target="_blank">https://lists.jboss.org/mailman/listinfo/rules-users</a><br>

&gt;<br>

&gt; &gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt; _______________________________________________<br>

&gt;<br>

&gt; rules-users mailing list<br>

&gt;<br>

&gt; <a href="mailto:rules-users@lists.jboss.org" target="_blank">rules-users@lists.jboss.org</a><br>

&gt;<br>

&gt; <a href="https://lists.jboss.org/mailman/listinfo/rules-users" target="_blank">https://lists.jboss.org/mailman/listinfo/rules-users</a><br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt; _______________________________________________<br>

&gt;<br>

&gt; rules-users mailing list<br>

&gt;<br>

&gt; <a href="mailto:rules-users@lists.jboss.org" target="_blank">rules-users@lists.jboss.org</a><br>

&gt;<br>

&gt; <a href="https://lists.jboss.org/mailman/listinfo/rules-users" target="_blank">https://lists.jboss.org/mailman/listinfo/rules-users</a><br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt; --<br>

&gt; Regards,<br>

&gt; PriyaKathan<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt; _______________________________________________<br>

&gt;<br>

&gt; rules-users mailing list<br>

&gt;<br>

&gt; <a href="mailto:rules-users@lists.jboss.org" target="_blank">rules-users@lists.jboss.org</a><br>

&gt;<br>

&gt; <a href="https://lists.jboss.org/mailman/listinfo/rules-users" target="_blank">https://lists.jboss.org/mailman/listinfo/rules-users</a><br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt;<br>

&gt; -----Inline Attachment Follows-----<br>

&gt;<br>

&gt; _______________________________________________<br>

&gt; rules-users mailing list<br>

&gt; <a href="mailto:rules-users@lists.jboss.org" target="_blank">rules-users@lists.jboss.org</a><br>

&gt; <a href="https://lists.jboss.org/mailman/listinfo/rules-users" target="_blank">https://lists.jboss.org/mailman/listinfo/rules-users</a><br>

&gt;<br>

<br>

<br>

<br>

<br>

_______________________________________________<br>

rules-users mailing list<br>

<a href="mailto:rules-users@lists.jboss.org" target="_blank">rules-users@lists.jboss.org</a><br>

<a href="https://lists.jboss.org/mailman/listinfo/rules-users" target="_blank">https://lists.jboss.org/mailman/listinfo/rules-users</a><br>

</div></div></blockquote></div></div></div><br>

</blockquote></div><br>