Implementation of my use case - what am I doing wrong?
by Elran Dvir
Hi all,
A few weeks ago I posted a question about my use case to the mailing list. The correspondence is attached.
This is an example of the use case I implemented:
Port scan event - the basic event is the connection log. For each combination of source_ip and destination_ip, detect a port scan event if over 5 seconds there were more than 2 connection logs with different ports.
The event will stay open for 10 seconds and an update will be sent for any new port detected. Every update will contain the count of the connection logs composing it and their ids ("markers").
The drl file:
package test;
import correlation.impl.drools.Log
import correlation.impl.drools.CorrelatedEvent
global correlation.server.EventsHandler externalEventsHandler;
declare Log
@role( event)
end
declare CorrelatedEvent
@role( event)
@timestamp( getTimestamp().getTime() )
@expires( 10s )
@duration( getDuration() )
end
// this rule will create a "Port Scan" event if none exist for this group-by values
rule "Create Port Scan Event"
dialect "java"
no-loop
when
$log : Log() from entry-point "Log stream" //get all the logs in the last 5 seconds
accumulate( Log( this after[0s,5s] $log, fieldsMap.get("src") == $log.fieldsMap.get("src") , fieldsMap.get("dst") == $log.fieldsMap.get("dst"), $port : fieldsMap.get("port")) from entry-point "Log stream";
$portSet : collectSet($port);
$portSet.size > 2 )
accumulate( Log( this after[0s,5s] $log, fieldsMap.get("src") == $log.fieldsMap.get("src") , fieldsMap.get("dst") == $log.fieldsMap.get("dst"), $marker : fieldsMap.get("marker")) from entry-point "Log stream";
$markerSet : collectSet($marker))
not CorrelatedEvent(getName() == "portScan" , fieldsMap.get("src") == $log.fieldsMap.get("src") , fieldsMap.get("dst") == $log.fieldsMap.get("dst"))
then
System.out.println(drools.getRule().getName());
CorrelatedEvent $ce = new CorrelatedEvent();
$ce.setName("portScan");
$ce.setEventsHandler(externalEventsHandler);
$ce.setDurationInSec(10);
$ce.fieldsMap.put("src", $log.fieldsMap.get("src"));
$ce.fieldsMap.put("dst", $log.fieldsMap.get("dst"));
$ce.endUpdate($markerSet);
insert($ce);
end
rule "Create Port Scan Event - update"
dialect "java"
no-loop
when
$ce: CorrelatedEvent(getName() == "portScan")
accumulate( Log(fieldsMap.get("src") == $ce.fieldsMap.get("src") , fieldsMap.get("dst") == $ce.fieldsMap.get("dst") , $port : fieldsMap.get("port") , (this meets $ce || this during $ce || this metby $ce)) from entry-point "Log stream";
$portSet : collectSet($port);
$portSet.size > 0 )
accumulate( Log(fieldsMap.get("src") == $ce.fieldsMap.get("src") , fieldsMap.get("dst") == $ce.fieldsMap.get("dst") , $marker : fieldsMap.get("marker") , (this meets $ce || this during $ce || this metby $ce)) from entry-point "Log stream";
$markerSet : collectSet($marker))
then
System.out.println(drools.getRule().getName());
modify( $ce ) {endUpdate($markerSet)}
end
My questions:
1) If I have only one stream of data, can I omit the use of entry points and insert logs into the session? Or is the use of entry points mandatory in Drools Fusion?
2) When I tested it with matching data, rule "Create Port Scan Event - update" was never fired. When I replaced "(this meets $ce || this during $ce || this metby $ce)" with "this after $ce.getStartTime() , this before $ce.getEndTime()" everything worked fine.
Why?
3) I tried to use sliding windows in rule "Create Port Scan Event" and an exception was thrown at runtime. I decided to use "this after[0s,5s] $log" instead. Is it correct?
4) Is my basic implementation correct?
Thank you all very much.
Log class:
import java.util.HashMap;

public class Log {
    // raw connection-log fields: "src", "dst", "port", "marker", ...
    public HashMap<String, Object> fieldsMap = new HashMap<>();
}
CorrelatedEvent class:
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import correlation.server.EventsHandler;

public class CorrelatedEvent
{
    public Map<String, Object> fieldsMap;
    private String name;
    private Set<String> markersSet;      // ids of the logs that contributed to this event
    private long logsCount;              // size of markersSet at the last update sent
    private Calendar startTime;
    private Calendar endTime;
    private int duration;
    private EventsHandler eventsHandler;

    public CorrelatedEvent()
    {
        // start and end both default to "now"; setDurationInSec() pushes the end forward
        startTime = Calendar.getInstance();
        endTime = Calendar.getInstance();
        endTime.setTime(startTime.getTime());
        fieldsMap = new HashMap<>();
        markersSet = new HashSet<>();
        logsCount = 0;
    }

    // used by @timestamp in the drl declare block
    public Date getTimestamp()
    {
        return startTime.getTime();
    }

    public Date getStartTime()
    {
        return startTime.getTime();
    }

    public Date getEndTime()
    {
        return endTime.getTime();
    }

    public void setDurationInSec(int duration)
    {
        this.duration = duration;
        endTime.setTime(startTime.getTime());
        endTime.add(Calendar.SECOND, duration);
    }

    // used by @duration in the drl declare block
    public int getDuration()
    {
        return duration;
    }

    public String getName()
    {
        return name;
    }

    public void setName(String name)
    {
        this.name = name;
        fieldsMap.put("name", name);
    }

    public void setEventsHandler(EventsHandler eventsHandler)
    {
        this.eventsHandler = eventsHandler;
    }

    // merge the markers of the matched logs; send an update only if the set grew
    public void endUpdate(Set<String> markersSet)
    {
        this.markersSet.addAll(markersSet);
        if (this.markersSet.size() > logsCount) {
            logsCount = this.markersSet.size();
            if (eventsHandler == null)
                return;
            Map<String, Object> clonedFieldsMap = getClonedFieldsMap();
            clonedFieldsMap.put("markers", this.markersSet.toString()); //need a function that converts a set of markers to a "\n" separated list
            clonedFieldsMap.put("count", logsCount);
            eventsHandler.handleEvent(clonedFieldsMap);
        }
    }

    private Map<String, Object> getClonedFieldsMap()
    {
        Map<String, Object> clonedFieldsMap = new HashMap<>();
        clonedFieldsMap.putAll(fieldsMap);
        return clonedFieldsMap;
    }
}
12 years, 3 months
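The following is an added reference model of the port-scan correlation described in the post above, written in plain Python rather than DRL; it is not part of the original message and not Drools code. It exists so that the updates the two rules are expected to produce for a concrete log sequence can be pinned down before the DRL itself is debugged. The class and field names, the (src, dst, port, marker) record layout and the sample log lines are constructed for the example; the update semantics mirror CorrelatedEvent.endUpdate (an update is emitted only when the set of contributing markers grows), the detection window is 5 s, and an event stays open for 10 s from its creation.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SEC = 5.0            # look-back window for the detection condition
EVENT_OPEN_SEC = 10.0       # a detected event stays open this long for updates
MIN_DISTINCT_PORTS = 3      # "more than 2" distinct destination ports


@dataclass
class ConnLog:
    """One connection-log record (constructed field layout for this example)."""
    ts: float      # seconds since an arbitrary epoch
    src: str
    dst: str
    port: int
    marker: str    # unique id of the log line


@dataclass
class PortScanEvent:
    """Open port-scan event for one (src, dst) pair; mirrors CorrelatedEvent."""
    src: str
    dst: str
    start: float
    end: float
    markers: set = field(default_factory=set)
    count: int = 0

    def end_update(self, new_markers):
        """Like CorrelatedEvent.endUpdate: absorb markers and return an update
        dict only when the set of contributing logs has grown, else None."""
        self.markers |= set(new_markers)
        if len(self.markers) <= self.count:
            return None
        self.count = len(self.markers)
        return {"name": "portScan", "src": self.src, "dst": self.dst,
                "count": self.count, "markers": sorted(self.markers)}


class PortScanCorrelator:
    def __init__(self):
        self.windows = defaultdict(deque)   # (src, dst) -> logs seen in the last WINDOW_SEC
        self.open_events = {}               # (src, dst) -> PortScanEvent still open
        self.updates = []                   # everything that would go to the EventsHandler

    def ingest(self, log):
        key = (log.src, log.dst)
        win = self.windows[key]
        win.append(log)
        while win and log.ts - win[0].ts > WINDOW_SEC:   # slide the window forward
            win.popleft()
        ev = self.open_events.get(key)
        if ev is not None and log.ts > ev.end:           # event lifetime over (@expires)
            del self.open_events[key]
            ev = None
        if ev is None:
            # rule "Create Port Scan Event": >2 distinct ports in the window, no open event
            if len({rec.port for rec in win}) >= MIN_DISTINCT_PORTS:
                ev = PortScanEvent(log.src, log.dst, log.ts, log.ts + EVENT_OPEN_SEC)
                self.open_events[key] = ev
                update = ev.end_update(rec.marker for rec in win)
            else:
                update = None
        else:
            # rule "Create Port Scan Event - update": a log falling inside the open event
            update = ev.end_update([log.marker])
        if update is not None:
            self.updates.append(update)
        return update


SAMPLE_LOGS = [  # constructed input, timestamps in seconds
    ConnLog(0.0, "10.0.0.5", "10.0.0.9", 22, "m1"),
    ConnLog(1.0, "10.0.0.5", "10.0.0.9", 80, "m2"),
    ConnLog(2.0, "10.0.0.5", "10.0.0.9", 443, "m3"),   # third distinct port -> event opens
    ConnLog(2.5, "10.0.0.7", "10.0.0.9", 22, "m7"),    # other pair, only two ports: no event
    ConnLog(3.0, "10.0.0.5", "10.0.0.9", 8080, "m4"),  # inside the open event -> update
    ConnLog(3.5, "10.0.0.7", "10.0.0.9", 80, "m8"),
    ConnLog(6.0, "10.0.0.5", "10.0.0.9", 25, "m5"),    # still inside the 10 s event -> update
    ConnLog(13.0, "10.0.0.5", "10.0.0.9", 21, "m6"),   # event expired, window holds one log
]


def run_sample():
    """Feed the constructed logs through the correlator and return it for inspection."""
    corr = PortScanCorrelator()
    for log in SAMPLE_LOGS:
        corr.ingest(log)
    return corr


if __name__ == "__main__":
    for update in run_sample().updates:
        print(update)
```

For the sample input this yields three updates for the 10.0.0.5 to 10.0.0.9 pair with counts 3, 4 and 5, none for the second pair, and no open event after the log at 13 s; those are the numbers the DRL rules should reproduce when driven with the same records.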
Drools 6 and Janino
by rib
Hi there,
I need to replace the JDT compiler with Janino in a project and the only
information within the documentation is this:
NOTE: if you are using Drools in J2EE or servlet containers and you come
across classpath issues with "JDT", then you can switch to the janino
compiler. Set the system property "drools.compiler": For example:
-Ddrools.compiler=JANINO.
After doing this I get compilation problems, so my questions are:
Which version of Janino do I need to include?
Should the behaviour be the same as with JDT, or are there any other aspects
I have to consider?
Thanks,
Richard
--
View this message in context: http://drools.46999.n3.nabble.com/Drools-6-and-Janino-tp4026318.html
Sent from the Drools: User forum mailing list archive at Nabble.com.
12 years, 3 months
Inconsistency in the Guvnor rule editor and the Eclipse plugin editor
by Rushabh
Hi, I have been trying the Eclipse editor and the Guvnor rule editor (Technical
rule) and I see that there are some inconsistencies between them. For example, let's say
I want to call the Java method max.
In Guvnor I can write it like this:
import java.lang.*
rule "Java"
when
#conditions
acc:Account()
Account(bal<max(10,15))
then
#actions
System.out.println("Got it");
end
Note the max method here: if I write the same rule in the Eclipse
editor I get an error saying that it cannot resolve the Account.max() method.
I have to include the entire package name even though I include the import
statement, like so:
Eclipse plugin version:
import java.lang.*
rule "JAva"
when
#conditions
acc:Account()
Account(11<java.lang.Math.min(bal,15))
then
#actions
System.out.println("Got it");
end
Can anyone help me understand why there is this difference in behavior?
Thanks.
--
View this message in context: http://drools.46999.n3.nabble.com/Inconsistency-in-the-Guvnor-rule-editor...
Sent from the Drools: User forum mailing list archive at Nabble.com.
12 years, 3 months
Any limitation on the count of properties when declare new class in drl file?
by haoruiqian@gmail.com
Hi,
I encountered a strange problem these days. I declared a new class a.b in a drl file using the keyword "declare"; it has too many properties, more than 64. Then, when firing rules, it threw a ClassCastException telling me class a.b cannot be cast to a.b, but actually these are the same class.
I tried removing some properties to make it fewer than 64, and there was no CCE when firing rules.
This only happened in my production environment; if I run the rules in a pure Drools environment in Eclipse, there is no exception even when the count is larger than 64. Does anybody know why this happened?
The version of Drools we use in production is 6.0; we forked the code from GitHub, so maybe it's not up to date.
Thanks,
Richie
12 years, 3 months
Multiple calculation on same object
by sriksama
I recently encountered the scenario below for a rule. I want to know how to
proceed with the rule design for this.
import java.util.Date;

class Emp {
    Date beginDate;   // written "beingDate" in the original; taken to be the begin date referred to below
    Date endDate;
}
Rule to determine annual income for the employee based on the given dates:
For dates before 3/5/2003 the hourly rate is $3.5 and annual multiplier is
2100.
For dates after 3/5/2003 the hourly rate changes every year (given data) and
annual multiplier is 2092.
There might be scenarios where begin date is before 3/5/2003 and end date is
after 3/5/2003.
What is the best way to design rules for this scenario?
--
View this message in context: http://drools.46999.n3.nabble.com/Multiple-calculation-on-same-object-tp4...
Sent from the Drools: User forum mailing list archive at Nabble.com.
12 years, 3 months