Hi,
Thanks for the response.
I am not sure I fully understand your answer.
After all the rewriting of the rules, I decided to try "(this meets $ce || this
during $ce || this metby $ce)" again.
Now the rule is fired, but an exception is thrown (not every time the rule is fired, just
once, between the third and fourth event):
Exception in thread "Thread-1" java.lang.RuntimeException: java.lang.NoSuchMethodException: com.checkpoint.correlation.impl.drools.Log.meets0()
    at org.drools.rule.constraint.ConditionAnalyzer.analyzeNode(ConditionAnalyzer.java:239)
    at org.drools.rule.constraint.ConditionAnalyzer.analyzeSingleCondition(ConditionAnalyzer.java:133)
    at org.drools.rule.constraint.ConditionAnalyzer.analyzeCondition(ConditionAnalyzer.java:99)
    at org.drools.rule.constraint.ConditionAnalyzer.analyzeCombinedCondition(ConditionAnalyzer.java:140)
    at org.drools.rule.constraint.ConditionAnalyzer.analyzeCondition(ConditionAnalyzer.java:96)
    at org.drools.rule.constraint.ConditionAnalyzer.analyzeCombinedCondition(ConditionAnalyzer.java:140)
    at org.drools.rule.constraint.ConditionAnalyzer.analyzeCondition(ConditionAnalyzer.java:96)
    at org.drools.rule.constraint.ConditionAnalyzer.analyzeCombinedCondition(ConditionAnalyzer.java:141)
    at org.drools.rule.constraint.ConditionAnalyzer.analyzeCondition(ConditionAnalyzer.java:96)
    at org.drools.rule.constraint.ConditionAnalyzer.analyzeCombinedCondition(ConditionAnalyzer.java:141)
    at org.drools.rule.constraint.ConditionAnalyzer.analyzeCondition(ConditionAnalyzer.java:96)
    at org.drools.rule.constraint.ConditionAnalyzer.analyzeCombinedCondition(ConditionAnalyzer.java:141)
    at org.drools.rule.constraint.ConditionAnalyzer.analyzeCondition(ConditionAnalyzer.java:96)
    at org.drools.rule.constraint.ConditionAnalyzer.analyzeCondition(ConditionAnalyzer.java:70)
    at org.drools.rule.constraint.MvelConditionEvaluator.getAnalyzedCondition(MvelConditionEvaluator.java:83)
    at org.drools.rule.constraint.MvelConstraint.executeJitting(MvelConstraint.java:270)
    at org.drools.rule.constraint.MvelConstraint.access$200(MvelConstraint.java:51)
    at org.drools.rule.constraint.MvelConstraint$ConditionJitter.run(MvelConstraint.java:250)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
    at java.lang.Thread.run(Thread.java:722)
Caused by: java.lang.NoSuchMethodException: com.checkpoint.correlation.impl.drools.Log.meets0()
    at java.lang.Class.getMethod(Class.java:1622)
    at org.drools.rule.constraint.ConditionAnalyzer.analyzeNode(ConditionAnalyzer.java:230)
    ... 20 more
The complete latest drl file follows.
Duration for Log is 0, duration for CorrelatedEvent is 10s.
Did you have a chance to look at my (original) fourth question? This is the issue that
bothers me the most.
If necessary, I'll write everything again.
Thanks a lot.
This is my drl file:
----------------------------------------------------------------------------------------------------
package test;

import correlation.impl.drools.Log
import correlation.impl.drools.CorrelatedEvent

global correlation.server.EventsHandler externalEventsHandler;

declare Log
    @role( event )
end

declare CorrelatedEvent
    //@propertyReactive
    @role( event )
    @timestamp( getTimestamp() )
    @expires( 10s )
    @duration( getDuration() )
end

// this rule will create a "Port Scan" event if none exist for this group-by values
rule "Create Port Scan Event"
    dialect "java" // dialect can be either mvel or java for the RHS (only the java dialect supports generic containers)
    no-loop        // this means - do not reevaluate rules if the events were altered in memory
    when
        $log : Log()
        accumulate( Log( this after[0s,5s] $log,
                         fieldsMap.get("src") == $log.fieldsMap.get("src"),
                         fieldsMap.get("dst") == $log.fieldsMap.get("dst"),
                         $port : fieldsMap.get("port") );
                    $portSet : collectSet($port);
                    $portSet.size > 2 )
        accumulate( Log( this after[0s,5s] $log,
                         fieldsMap.get("src") == $log.fieldsMap.get("src"),
                         fieldsMap.get("dst") == $log.fieldsMap.get("dst"),
                         $portSet.contains(fieldsMap.get("port")),
                         $marker : fieldsMap.get("marker") );
                    $markerSet : collectSet($marker) )
        not CorrelatedEvent( getName() == "portScan",
                             fieldsMap.get("src") == $log.fieldsMap.get("src"),
                             fieldsMap.get("dst") == $log.fieldsMap.get("dst") )
    then
        CorrelatedEvent $ce = new CorrelatedEvent();
        $ce.setName("portScan");
        $ce.setEventsHandler(externalEventsHandler);
        $ce.setDurationInSec(10);
        $ce.fieldsMap.put("src", $log.fieldsMap.get("src"));
        $ce.fieldsMap.put("dst", $log.fieldsMap.get("dst"));
        $ce.endUpdate($markerSet, $portSet);
        insert($ce);
end

rule "Create Port Scan Event - update"
    dialect "java" // dialect can be either mvel or java for the RHS (only the java dialect supports generic containers)
    no-loop
    when
        $ce : CorrelatedEvent( getName() == "portScan", $portSet : getUniqueSet() )
        $log : Log( fieldsMap.get("src") == $ce.fieldsMap.get("src"),
                    fieldsMap.get("dst") == $ce.fieldsMap.get("dst"),
                    !$portSet.contains(fieldsMap.get("port")),
                    (this meets $ce || this during $ce || this metby $ce) )
    then
        modify( $ce ) { endUpdate($log.fieldsMap.get("marker").toString(), $log.fieldsMap.get("port")) }
end
------------------------------------------------------------------------------------------------------------------------------------
-----Original Message-----
From: rules-users-bounces(a)lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On
Behalf Of Wolfgang Laun
Sent: Sunday, September 22, 2013 7:06 PM
To: Rules Users List
Subject: Re: [rules-users] Implementation of my use case - what am I doing wrong?
On 22/09/2013, Elran Dvir <elrand(a)checkpoint.com> wrote:
Thanks for the response.
>Computationally, during the evaluation of the temporal operators.
>Why would you want to do this? (My advice to replace the temporal
>operators by the equivalent expressions was meant as a debugging aid,
>to show you where the problem with this constraint is.)
So if changing the condition to use startTimeStamp and endTimestamp
caused a compilation error, how can I debug my problem? What is the
equivalent of "(this meets $ce || this during $ce || this metby $ce)"
without my own startTimeStamp and endTimestamp fields?
So I'm quoting my reply from an earlier mail <quote>
Elran Dvir <elrand(a)checkpoint.com> wrote:
2) When I tested it with matching data, rule "Create Port Scan Event -
update" was never fired. When I replaced "(this meets $ce || this
during $ce
|| this metby $ce)" with "this after $ce.getStartTime() , this before
$ce.getEndTime()" everything worked fine.
Why?
Just take the constraints and replace the temporal operator by its definition in the
"Fusion" manual and use a little elementary math:
    A meets B || A during B || A metby B
becomes
    abs( B.startTimestamp - A.endTimestamp ) == 0 ||
    B.startTimestamp < A.startTimestamp && A.endTimestamp < B.endTimestamp ||
    abs( A.startTimestamp - B.endTimestamp ) == 0
becomes
...
</quote>
Did you overlook the "use a little elementary math"? You'll have to provide
the values for start and, given the duration (zero, presumably), the end time.
If B has a duration of 0, there's no way the second term can ever be true.
And if A has a duration of 0 too, A and B must have the same timestamp in
order for the other terms to be true.
Note that "debugging" was meant to be done offline ;-)
> - Why do you use this complex declare?
> @timestamp( timestamp ) @duration( duration )
> is sufficient.
I want to protect the fields from being set outside their designated
functions. I simplified it a bit in my correction.
I don't know of any danger of your field being set outside their designated functions
by simply writing the field name between the parentheses.
-W
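The "offline debugging" Wolfgang suggests, worked through as an added example that is not part of either poster's mail or the Drools project: the three temporal operators from the update rule are expanded into the timestamp arithmetic quoted above and evaluated for a zero-duration Log against a 10s CorrelatedEvent (the durations Elran states), and then for a pair where both durations are zero. The `Event` class, its field names and the sample timestamps are assumptions constructed for the illustration, not the poster's `Log` or `CorrelatedEvent` classes.

```java
// Added example (not from the thread): the Fusion operators meets / during /
// metby written out as the timestamp comparisons quoted in the reply above.
// Class shape, field names and sample data are assumptions for illustration.
import java.util.Arrays;
import java.util.List;

public class TemporalCheck {

    /** Minimal event: start timestamp and duration in milliseconds (assumed shape). */
    static final class Event {
        final String name;
        final long startTimestamp;
        final long duration;

        Event(String name, long startTimestamp, long duration) {
            this.name = name;
            this.startTimestamp = startTimestamp;
            this.duration = duration;
        }

        long endTimestamp() {
            return startTimestamp + duration;
        }
    }

    /** A meets B: A ends at the exact instant B starts. */
    static boolean meets(Event a, Event b) {
        return Math.abs(b.startTimestamp - a.endTimestamp()) == 0;
    }

    /** A during B: B strictly contains A on both sides (strict inequalities). */
    static boolean during(Event a, Event b) {
        return b.startTimestamp < a.startTimestamp && a.endTimestamp() < b.endTimestamp();
    }

    /** A metby B: B ends at the exact instant A starts. */
    static boolean metBy(Event a, Event b) {
        return Math.abs(a.startTimestamp - b.endTimestamp()) == 0;
    }

    /** The disjunction used in rule "Create Port Scan Event - update". */
    static boolean matches(Event log, Event ce) {
        return meets(log, ce) || during(log, ce) || metBy(log, ce);
    }

    public static void main(String[] args) {
        // Constructed sample data: a port-scan CorrelatedEvent lasting 10s
        Event ce = new Event("portScan", 1_000L, 10_000L);

        // Constructed zero-duration Log events at different positions relative to ce
        List<Event> logs = Arrays.asList(
            new Event("log@start",   1_000L, 0L),   // same instant as ce start
            new Event("log@middle",  5_000L, 0L),   // strictly inside ce
            new Event("log@end",    11_000L, 0L),   // same instant as ce end
            new Event("log@after",  12_000L, 0L));  // outside ce

        for (Event log : logs) {
            System.out.printf("%-12s meets=%b during=%b metby=%b -> matches=%b%n", log.name,
                meets(log, ce), during(log, ce), metBy(log, ce), matches(log, ce));
        }

        // When both durations are zero, 'during' cannot hold because of the strict
        // inequalities, so only an identical timestamp satisfies the disjunction.
        Event zeroCe = new Event("zeroCe", 5_000L, 0L);
        System.out.println("zero-duration pair, same timestamp: "
            + matches(new Event("log", 5_000L, 0L), zeroCe));
        System.out.println("zero-duration pair, 1ms apart:      "
            + matches(new Event("log", 5_001L, 0L), zeroCe));
    }
}
```

Substituting the real start timestamps and durations of the Log and CorrelatedEvent instances seen in the session into `main` shows, term by term, which of the three conditions the engine would have to satisfy for a given pair, without touching the rule itself.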
_______________________________________________
rules-users mailing list
rules-users(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
Email secured by Check Point