Hi Edson,

Thanks for the fix, but the problem still happens :(

Here is my complete .drl file:

package Correlator
global com.s2grupo.triton.global.Context Context

declare Snort
    @role( event )
    icmp_code: String
    tcp_sport: String
    data: String
    sig_rev: String
    tcp_dport: String
    udp_sport: String
    hostname: String
    interface: String
    sig_priority: String
    icmp_type: String
    id: java.lang.Long
    sig_class_name: String
    ip_dst: String
    sig_name: String
    udp_dport: String
    ip_src: String
    event_date: java.util.Date
end

rule "SnortRule"
    salience 2
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
    then
        System.out.println("****************** Snort Alert!!!!" + $s1.getData());
        retract($s1);
end


rule "SnortRuleRetract"
    salience 1
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"
    then
        retract($s2);
        System.out.println(" ********* Deleting Fact From WM");
end


rule "SnortRule0"
    salience 0
    dialect "mvel"
    when
        $s1 : Snort( this.sig_name != "(portscan) Open Port") from entry-point "Correlator"
    then
        System.out.println("********* Snort Alert 0!!" + $s1.getData());
end

As you can see, I'm trying to correlate Snort events with Drools.

With this scenario, the only rule that is firing is "SnortRule0".

2009/7/21 Edson Tirelli <tirelli@post.com>

   Your rule is wrong, as you are defining 3 patterns and the second pattern is looking for a fact in the main entry point, not your defined "MyEntryPoint".
   Fix it by doing:

$s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after [0m,5m] $s1) from entry-point "MyEntryPoint"
 
   []s
   Edson

2009/7/21 nestabur <nestabur@gmail.com>


Hi all,

I'm going crazy trying to create a CEP rule in Drools 5.0.1 :(

The rule is:
===============
rule "RetractOlderFacts"
       dialect "mvel"
       when
               $s1 : MyModel( name != "aaa") from entry-point "MyEntryPoint"
               $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1) and MyModel ( this after [0m,5m] $s1) from entry-point "MyEntryPoint"
       then
               retract($s2);
               System.out.println(" ********* Retracting from WM");
end
===============

The scenario is:
"After receiving a fact "MyModel" whose name != "aaa", if another arrives
with the same ip and a different id within a period between 0 and 5 minutes, the
rule has to retract the last one and keep the first fact (the older one)"

After receiving hundreds and hundreds of facts via JMS that may match the
rule condition, the rule never throws!

Is the rule correct?
Could the problem be in the rule engine implementation?

Could anyone help me please?

Thanks in advance,

nestabur
--
View this message in context: http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html
Sent from the drools - user mailing list archive at Nabble.com.

_______________________________________________
rules-users mailing list
rules-users@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
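
The scenario described in the original post (keep the first event per destination IP, retract later ones with a different id that arrive within 0 to 5 minutes) as a plain-Python reference model. This is an added example, not code from the thread or from Drools; the function names and sample events are constructed, and it assumes inclusive window bounds and that a retracted event never anchors a later match.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)         # upper bound of "after [0m,5m]"
IGNORED_SIG = "(portscan) Open Port"  # signature the posted rules exclude

def correlate(events, window=WINDOW):
    """Return (kept_ids, dropped_ids) for an iterable of event dicts.

    Assumptions (not from the thread): both window bounds are inclusive,
    and a dropped event never becomes the anchor for a later one.
    """
    kept, dropped = [], []
    anchors = {}  # ip_dst -> [(id, event_date)] of kept events still in window
    for ev in sorted(events, key=lambda e: e["event_date"]):
        if ev["sig_name"] == IGNORED_SIG:
            continue  # matched by neither pattern, so left untouched
        live = [(i, t) for i, t in anchors.get(ev["ip_dst"], [])
                if ev["event_date"] - t <= window]
        if any(i != ev["id"] for i, _ in live):
            dropped.append(ev["id"])   # a different, older event is in window
        else:
            live.append((ev["id"], ev["event_date"]))
            kept.append(ev["id"])
        anchors[ev["ip_dst"]] = live
    return kept, dropped

def sample_events():
    """Constructed Snort-like events; offsets are minutes after a base time."""
    base = datetime(2009, 7, 21, 10, 0, 0)
    rows = [  # (id, ip_dst, minute offset, sig_name)
        (1, "10.0.0.5", 0, "sample alert"),
        (2, "10.0.0.5", 2, "sample alert"),   # inside window of id 1
        (3, "10.0.0.9", 3, "sample alert"),   # different destination
        (4, "10.0.0.5", 5, "sample alert"),   # exactly on the 5m boundary
        (5, "10.0.0.5", 6, "sample alert"),   # id 1 has aged out
        (6, "10.0.0.5", 7, IGNORED_SIG),      # excluded signature
        (7, "10.0.0.5", 8, "sample alert"),   # inside window of id 5
    ]
    return [{"id": i, "ip_dst": ip, "sig_name": sig,
             "event_date": base + timedelta(minutes=m)}
            for i, ip, m, sig in rows]

if __name__ == "__main__":
    print(correlate(sample_events()))
```

Feeding the same test stream to the rule engine and comparing the ids left in working memory against `kept` gives a concrete pass/fail check for the rule.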

