Srini,
Thank you very much.
-----Original Message-----
From: rules-users-bounces(a)lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On
Behalf Of VGore
Sent: Tuesday, August 13, 2013 2:12 PM
To: rules-users(a)lists.jboss.org
Subject: Re: [rules-users] Is my use case suuported in Drools?
This sample addresses a brute-force attack by correlating failed login events per source/destination address pair.
---------------------------------------------------------------------------------------------------
// Event: a raw login event that arrives on entry point "EventStream".
// Only Fusion metadata is declared here; the fields the rules below read
// (id, sipaddress, dipaddress, type, result, eventTime) belong to the
// Event class itself, which is not part of this listing.
declare Event
    @role( event )           // treat as a Fusion event so it can be windowed
    @expires( 60s )          // retention; must stay >= the largest window used below (50s)
    @timestamp( eventTime )  // event time comes from the fact, not from the session clock
end
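// CorrelationEvent: per (source IP, destination IP) state record created by
// "Level 1" and advanced by "Level 2"/"Level 3". Its fields (sipaddress,
// dipaddress, level, eventCount) come from the CorrelationEvent class, which
// is not part of this listing.
declare CorrelationEvent
    @role( event )
    // Without an expiry this record lived forever: its eventCount accumulated
    // for the whole session, so the 10/40 thresholds were "ever", not
    // "within a short interval", and once a pair reached level 3 the existing
    // record kept blocking "Level 1" from ever re-opening it. Bounding the
    // record's life bounds the counting interval and lets a pair re-trigger.
    // NOTE(review): 50s mirrors the Event window below; the expiry is measured
    // from this record's insertion (no @timestamp field), so tune it to the
    // interval over which 10/40 failures should count as a brute-force attempt.
    @expires( 50s )
end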
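rule "CorrelationLogin Level 1"
    // Opens a CorrelationEvent for a (source IP, destination IP) pair on the
    // first failed LOGIN seen for that pair while no record exists yet.
    //
    // NOTE(review): the correlation key is only the address pair. A distributed
    // attack from many source addresses, or a password spray that rotates
    // accounts from one source, is not aggregated by these rules; the Event
    // fields used here carry no account name, so widen the key if that matters.
    dialect "mvel"
    no-loop
when
    Event( $sipaddress : sipaddress, $dipaddress : dipaddress,
           type == "LOGIN", result == "FAILED" )
        over window:time( 50s ) from entry-point EventStream
    not CorrelationEvent( sipaddress == $sipaddress, dipaddress == $dipaddress )
then
    CorrelationEvent ce = new CorrelationEvent();
    ce.setSipaddress( $sipaddress );
    ce.setDipaddress( $dipaddress );
    ce.setLevel( 1 );
    // Start at 0, not 1. The Event that fired this rule is still inside the
    // 50s window and matches "CorrelationLogin Level 2" (level == 1,
    // eventCount < 10) the moment this record is inserted, so Level 2 counts
    // it. Starting at 1 double-counted the first failure and made every
    // threshold trip one failure early.
    ce.setEventCount( 0 );
    insert( ce );
end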
rule "CorrelationLogin Level 2"
    // Counts each further failed LOGIN for a pair whose CorrelationEvent is at
    // level 1 and promotes the record to level 2 when the count reaches 10.
    // The count is cumulative for the life of the CorrelationEvent fact; the
    // 50s window only limits which Event facts can join with it.
    // no-loop stops this rule's own modify() from re-activating it for the
    // other Event facts still inside the window, which would otherwise be
    // counted again on every update.
    dialect "mvel"
    no-loop
when
    Event( $sipaddress : sipaddress, $dipaddress : dipaddress,
           type == "LOGIN", result == "FAILED" )
        over window:time( 50s ) from entry-point EventStream
    $ce : CorrelationEvent( sipaddress == $sipaddress, dipaddress == $dipaddress,
                            level == 1, $eventCount : eventCount < 10 )
then
    int newCount = $eventCount + 1;
    // The pattern guard (eventCount < 10) makes the == 10 promotion reachable
    // exactly once; otherwise the level stays at 1.
    int newLevel = (newCount == 10) ? 2 : 1;
    modify( $ce ) {
        setEventCount( newCount ),
        setLevel( newLevel )
    }
end
rule "CorrelationLogin Level 3"
    // Counts each further failed LOGIN for a pair whose CorrelationEvent is at
    // level 2 and promotes the record to level 3 when the count reaches 40.
    // Same shape as "Level 2"; the level guards keep the two rules mutually
    // exclusive for a given record.
    //
    // NOTE(review): nothing in this rule set matches level == 3, retracts the
    // record, or resets its count. Once a pair reaches level 3 it is no longer
    // counted or escalated by these rules, so whatever consumes level-3
    // CorrelationEvents is the only place an alert or block can be raised.
    dialect "mvel"
    no-loop
when
    Event( $sipaddress : sipaddress, $dipaddress : dipaddress,
           type == "LOGIN", result == "FAILED" )
        over window:time( 50s ) from entry-point EventStream
    $ce : CorrelationEvent( sipaddress == $sipaddress, dipaddress == $dipaddress,
                            level == 2, $eventCount : eventCount < 40 )
then
    int newCount = $eventCount + 1;
    // Guard (eventCount < 40) means the == 40 promotion happens at most once.
    int newLevel = (newCount == 40) ? 3 : 2;
    modify( $ce ) {
        setEventCount( newCount ),
        setLevel( newLevel )
    }
end
----------------------------------------------------------------------------------------------------