Ah, overlooked that second rule. Have you tried the overlap operator?
So, just to clarify, the purpose of the two rules should be:
SnortRule: If two Snort events that are not port scans of an open port on the same
destination arrive more than 5 minutes apart, delete the earlier one.
SnortRuleRetract: If two Snort events that are not port scans of an open port on any two
destinations arrive within 5 minutes of each other, delete the earlier one.
Have you tried removing the temporal operators completely, just for testing purposes?
What happens? i.e.
"TimelessSnortRule"
    $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
    $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst ) from entry-point "Correlator"
"TimelessSnortRuleRetract"
    $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
    $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id ) from entry-point "Correlator"
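As an added illustration of the after-operator semantics discussed further down in this thread (this is not code from the thread or from Drools itself), here is a small Python model of the posted rules' constraints, run over a constructed Snort event stream, showing why `after [5m]` and `after [0m,5m]` retract different events; the event fields, signature names, addresses and timestamps are assumptions made for the model:

```python
from datetime import datetime, timedelta

OPEN_PORT = "(portscan) Open Port"   # signature both posted rules exclude
ZERO = timedelta(0)
FIVE_MIN = timedelta(minutes=5)

# Constructed Snort events for this model, not real alerts. The posted rules
# declare no @duration, so every event is a point in time (end == start).
SNORT_EVENTS = [
    {"id": 1, "sig_name": "SCAN probe", "ip_dst": "10.0.0.5", "ts": datetime(2009, 7, 22, 13, 0)},
    {"id": 2, "sig_name": OPEN_PORT,    "ip_dst": "10.0.0.5", "ts": datetime(2009, 7, 22, 13, 1)},
    {"id": 3, "sig_name": "SCAN probe", "ip_dst": "10.0.0.5", "ts": datetime(2009, 7, 22, 13, 2)},
    {"id": 4, "sig_name": "SCAN probe", "ip_dst": "10.0.0.9", "ts": datetime(2009, 7, 22, 13, 3)},
    {"id": 5, "sig_name": "SCAN probe", "ip_dst": "10.0.0.5", "ts": datetime(2009, 7, 22, 13, 10)},
]


def after(s2, s1, lower, upper=None):
    """Model of the Drools constraint `$s2 after [lower, upper] $s1`:
    lower <= s2.start - s1.end <= upper. upper=None stands for +infinity,
    which is what the one-argument form `after [5m]` means."""
    gap = s2["ts"] - s1["ts"]        # point events, so end == start
    return gap >= lower and (upper is None or gap <= upper)


def rule_matches(s1, s2, same_dst, lower, upper):
    """Pattern constraints shared by SnortRule (same_dst=True) and
    SnortRuleRetract (same_dst=False), then the temporal constraint."""
    if OPEN_PORT in (s1["sig_name"], s2["sig_name"]) or s1["id"] == s2["id"]:
        return False
    if same_dst and s1["ip_dst"] != s2["ip_dst"]:
        return False
    return after(s2, s1, lower, upper)


def retracted_ids(events, same_dst, lower, upper=None):
    """ids of the $s1 events the rule's consequence (retract($s1)) would remove."""
    return sorted({s1["id"] for s1 in events for s2 in events
                   if rule_matches(s1, s2, same_dst, lower, upper)})


if __name__ == "__main__":
    # SnortRule as posted: `after [5m]` means "5 minutes or more later"
    print(retracted_ids(SNORT_EVENTS, True, FIVE_MIN))            # [1, 3]
    # SnortRule with `after [0m,5m]`: "within 5 minutes", the stated intent
    print(retracted_ids(SNORT_EVENTS, True, ZERO, FIVE_MIN))      # [1]
    # SnortRuleRetract (any destination) with `after [0m,5m]`
    print(retracted_ids(SNORT_EVENTS, False, ZERO, FIVE_MIN))     # [1, 3]
```

Event 5 arrives 8 to 10 minutes after events 1 and 3, so the one-argument form retracts both of them while the bounded form does not touch them.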
--- On Wed, 7/22/09, Nestor Tarin Burriel <nestabur(a)gmail.com> wrote:
From: Nestor Tarin Burriel <nestabur(a)gmail.com>
Subject: Re: [rules-users] CEP Rule Help Needed
To: "Rules Users List" <rules-users(a)lists.jboss.org>
Date: Wednesday, July 22, 2009, 1:47 PM
Thanks Greg,
As you can see in the code I sent, I have the 2
implementations:
"SnortRule"
    $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
    $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point "Correlator"
"SnortRuleRetract"
    $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
    $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, this after [0m,5m] $s1 ) from entry-point "Correlator"
and any of them are thrown
...
2009/7/22 Greg Barton <greg_barton(a)yahoo.com>
Maybe this is a problem of language. Here's what you
say the rule should do:
'After receiving a fact "MyModel" which name != "aaa", if another arrives
with the same ip and a different id after a period between 0 and 5 minutes,
the rule has to retract the last one and keep the first fact (the older one)'
Which I would interpret as "Event 1 comes in, then
event 2 comes in between 0 and 5 minutes later." Does
that sound right?
And here's the rule that you think fits the
requirements:
rule "SnortRule"
    salience 2
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point "Correlator"
    then
        System.out.println("****************** Snort Alert!!!!" + $s1.getData());
        retract($s1);
end
Check out the docs, though:
https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/t...
The after operator in this case would check that (5m <= $s2.startTimestamp - $s1.endTimeStamp <= +infinity).
So the rule actually implements "Event 1 comes in, then event 2 happens at least 5 minutes later."
If you use the second argument of after I think it would
work:
    $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1 ) from entry-point "Correlator"
According to the docs this should check that (0m <=
$s2.startTimestamp - $s1.endTimeStamp <= 5m).
You could alternately use "overlaps". Place an
@duration(5m) annotation on the Snort declaration and try
this condition:
    $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1 ) from entry-point "Correlator"
_______________________________________________
rules-users mailing list
rules-users(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users