Hi Edson,
Thanks for the fix, but the problem still happens :(
Here is my complete .drl file:
package Correlator

global com.s2grupo.triton.global.Context Context

// A Snort alert modelled as a Drools event. No @timestamp attribute is declared,
// so the event time is the session clock at the moment the fact is inserted.
declare Snort
    @role( event )
    icmp_code: String
    tcp_sport: String
    data: String
    sig_rev: String
    tcp_dport: String
    udp_sport: String
    hostname: String
    interface: String
    sig_priority: String
    icmp_type: String
    id: java.lang.Long
    sig_class_name: String
    ip_dst: String
    sig_name: String
    udp_dport: String
    ip_src: String
    event_date: java.util.Date
end

// Highest salience: a second alert for the same destination that arrives at least
// 5 minutes after the first (after [5m] has no upper bound) reports and retracts the first.
rule "SnortRule"
    salience 2
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id,
                     ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point "Correlator"
    then
        System.out.println("****************** Snort Alert!!!!" + $s1.getData());
        retract($s1);
end

// Drops any alert that follows another one within 0 to 5 minutes, keeping the older fact.
rule "SnortRuleRetract"
    salience 1
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id,
                     this after [0m,5m] $s1 ) from entry-point "Correlator"
    then
        retract($s2);
        System.out.println(" ********* Deleting Fact From WM");
end

// Lowest salience: matches every single alert on the entry point.
rule "SnortRule0"
    salience 0
    dialect "mvel"
    when
        $s1 : Snort( this.sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
    then
        System.out.println("********* Snort Alert 0!!" + $s1.getData());
end
As you can see, I'm trying to correlate Snort events with Drools.
With this scenario, the only rule that is firing is "SnortRule0".
2009/7/21 Edson Tirelli <tirelli(a)post.com>
Your rule is wrong, as you are defining 3 patterns and the second
pattern is looking for a fact in the main entry point, not your defined
"MyEntryPoint".
Fix it by doing:

    $s2 : MyModel( name != "aaa", id != $s1.id, ip == $s1,
                   this after [0m,5m] $s1 ) from entry-point "MyEntryPoint"
[]s
Edson
2009/7/21 nestabur <nestabur(a)gmail.com>
> Hi all,
>
> I'm getting crazy trying to create a CEP rule in Drools 5.0.1 :(
>
> The rule is:
> ===============
> rule "RetractOlderFacts"
>     dialect "mvel"
>     when
>         $s1 : MyModel( name != "aaa" ) from entry-point "MyEntryPoint"
>         $s2 : MyModel( name != "aaa", id != $s1.id, ip == $s1 )
>         and MyModel( this after [0m,5m] $s1 ) from entry-point "MyEntryPoint"
>     then
>         retract($s2);
>         System.out.println(" ********* Retracting from WM");
> end
> ===============
>
> The scenario is:
> "After receiving a fact "MyModel" wich name != "aaa", if
arrives another
> with same ip and different id after a period between 0 and 5 minutes the
> rule have to retract the last one and keep the first fact (the older one)"
>
> After receiving hundreds and hundreds of facts via JMS that may match the
> rule condition, the rule never fires!
>
> Is the rule correct?
> Could the problem be in the rule engine implementation?
>
> Could anyone help me please?
>
> Thanks in advance,
>
> nestabur
> --
> View this message in context:
> http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html
> Sent from the drools - user mailing list archive at Nabble.com.
>
> _______________________________________________
> rules-users mailing list
> rules-users(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/rules-users