Re: [rules-users] Implementation of my use case - what am I doing wrong?

Thanks for the quick response. I have some more questions: 1. As I understand it, the timestamp attribute should be long type representing the milliseconds since January 1, 1970, 00:00:00 GMT. Am I right?

2. As I understand it, the duration attribute should be in milliseconds. I fixed it accordingly. Am I right?

3. When I replaced "(this meets $ce || this during $ce || this metby $ce)" with "$ce.startTimestamp <= startTimestamp , endTimestamp <= $ce.endTimestamp" I got the following drools compile exceptions: Unable to Analyse Expression $ce.startTimestamp: [Error: unable to resolve method using strict-mode: com.checkpoint.correlation.impl.drools.CorrelatedEvent.startTimestamp()] [Near : {... $ce.startTimestamp ....}] ^ [Line: 61, Column: 28] : [Rule name='Create Port Scan Event - update'] Unable to Analyse Expression $ce.startTimestamp <= startTimestamp: [Error: unable to resolve method using strict-mode: com.checkpoint.correlation.impl.drools.CorrelatedEvent.startTimestamp()] [Near : {... $ce.startTimestamp <= startTimesta ....}] ^ [Line: 61, Column: 28] : [Rule name='Create Port Scan Event - update'] Unable to Analyse Expression endTimestamp <= $ce.endTimestamp: [Error: unable to resolve method using strict-mode: com.checkpoint.correlation.impl.drools.CpLog.endTimestamp()] [Near : {... endTimestamp <= $ce.endTimesta ....}] ^ [Line: 61, Column: 28] : [Rule name='Create Port Scan Event - update'] Unable to Analyse Expression $ce.startTimestamp: [Error: unable to resolve method using strict-mode: com.checkpoint.correlation.impl.drools.CorrelatedEvent.startTimestamp()] [Near : {... $ce.startTimestamp ....}] Why?

4. I tested my working implementation of temporal relation in rule "Create Port Scan Event - update" ("this after $ce.getStartTime() , this before $ce.getEndTime()") .

Why is that? Where the first 3 events disappeared? How "portSet" is empty with the condition $portSet.size > 2?

Thanks a lot. -----Original Message----- From: rules-users-bounces(a)lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On Behalf Of Wolfgang Laun Sent: Sunday, September 15, 2013 8:08 PM To: Rules Users List Subject: Re: [rules-users] Implementation of my use case - what am I doing wrong? On 15/09/2013, Elran Dvir <elrand(a)checkpoint.com&gt; wrote: > my questions: > > 1) If I have only one stream of data , can I omit the use of entry > point and insert logs to the session ? Or the use of entry points is > mandatory in Drools Fusion? Yes. No. An entry point is just an additional attribute added "on the fly", where you don't have a source identification in the pojo. > > 2) When I tested it with matching data, rule "Create Port Scan Event > - > update" was never fired. When I replaced "(this meets $ce || this > during $ce > || this metby $ce)" with "this after $ce.getStartTime() , this before > $ce.getEndTime()" everything worked fine. > Why? Just take the constraints and replace the temporal operator by its definition in the "Fusion" manual and use a little elementary math: A meets || A during B || A metby B becomes abs( B.startTimestamp - A.endTimestamp ) == 0 || B.startTimestamp < A.startTimestamp && A.endTimestamp < B.endTimestamp || abs( A.startTimestamp - B.endTimestamp ) == 0 becomes ... > > 3) I tried to use sliding windows in rule "Create Port Scan Event" > and > an exception was thrown at runtime. I decided to use "this > after[0s,5s] $log" instead. Is it correct? A sliding window is not the same as the temporal relation of two events. If the rule does what it ought to, I'd say, yes, it is correct. > > 4) Is my basic Implementation correct? A bit much to ask, don't you think? -W _______________________________________________ rules-users mailing list rules-users(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/rules-users Email secured by Check Point _______________________________________________ rules-users mailing list rules-users(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/rules-users