This sample addresses a brute-force login attack: it correlates repeated LOGIN events with result FAILED from the same source address to the same destination address, and escalates a per-pair CorrelationEvent through levels 1-3 as the failure count grows. Because the correlation key is the (source, destination) address pair, a distributed attack or a password spray coming from many source addresses will not cross these thresholds.
---------------------------------------------------------------------------------------------------
// Raw login event, fed in through the "EventStream" entry point used by the
// rules below. No fields are declared here, so this presumably decorates an
// existing Event class carrying id/sipaddress/dipaddress/type/result and
// eventTime -- verify against the model.
declare Event
    @role( event )           // Fusion event, not a plain fact
    @timestamp( eventTime )  // event time is taken from eventTime, not the session clock
    @expires( 60s )          // keep this at or above the 50s sliding window used below
end
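// Per (source address, destination address) correlation state, created by
// "CorrelationLogin Level 1" and escalated by the Level 2/3 rules. No fields
// are declared here, so this presumably decorates an existing class with
// sipaddress/dipaddress/level/eventCount -- verify against the model.
declare CorrelationEvent
    @role( event )  // no @timestamp: insertion time from the session clock is used
    // Fix: without an expiry this fact lives for the whole session. The
    // "not CorrelationEvent(...)" guard in Level 1 then blocks any later
    // attack from the same address pair for good, and the failure counter
    // never resets. Expiring the state re-arms the pair; 5m is a tuning
    // value -- it only needs to outlast the 50s window the rules use.
    @expires( 5m )
end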
rule "CorrelationLogin Level 1"
dialect "mvel"
no-loop
when
$e1 : Event($id : id, $sipaddress : sipaddress, $dipaddress :
dipaddress, $type : type == "LOGIN", $result : result =="FAILED")
over
window:time(50s) from entry-point EventStream
not CorrelationEvent(this.sipaddress == $sipaddress, this.dipaddress ==
$dipaddress)
then
CorrelationEvent ce = new CorrelationEvent();
ce.setSipaddress($e1.sipaddress);
ce.setDipaddress($e1.dipaddress);
ce.setLevel(1);
ce.setEventCount(1);
insert( ce );
end
rule "CorrelationLogin Level 2"
dialect "mvel"
no-loop
when
$e1 : Event($id : id, $sipaddress : sipaddress, $dipaddress :
dipaddress, $type : type == "LOGIN", $result : result =="FAILED")
over
window:time(50s) from entry-point EventStream
$ce : CorrelationEvent(this.sipaddress == $sipaddress, this.dipaddress
== $dipaddress, this.level == 1, $eventCount : this.eventCount < 10)
then
$ce.setEventCount($eventCount+1);
if($ce.getEventCount() == 10) {
$ce.setLevel(2);
}
modify( $ce );
end
rule "CorrelationLogin Level 3"
dialect "mvel"
no-loop
when
$e1 : Event($id : id, $sipaddress : sipaddress, $dipaddress :
dipaddress, $type : type == "LOGIN", $result : result =="FAILED")
over
window:time(50s) from entry-point EventStream
$ce : CorrelationEvent(this.sipaddress == $sipaddress, this.dipaddress
== $dipaddress, this.level == 2, $eventCount : this.eventCount < 40)
then
$ce.setEventCount($eventCount+1);
if($ce.getEventCount() == 40) {
$ce.setLevel(3);
}
modify( $ce );
end
----------------------------------------------------------------------------------------------------