Hi all,
I have a DRL similar to the following:
package com.checkpoint.correlation.impl.drools.package1;
import java.util.Date
import java.util.HashMap
import com.checkpoint.correlation.impl.drools.Log
import com.checkpoint.correlation.impl.drools.CorrelatedEvent
global com.checkpoint.correlation.server.EventsHandler externalEventsHandler;
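// Admission filter shared by every pattern of the port-scan rule: a log
// qualifies only if it carries a "port" field and its "product" field is not
// the sentinel value "-1".
// Written null-safe on purpose: the previous version called .toString() on the
// raw "product" value and threw a NullPointerException for any log without that
// key. An exception raised inside a rule condition can propagate out of
// insert()/fireAllRules() and abort the evaluation pass, so a malformed (or
// deliberately crafted) log must be rejected by the filter, not thrown on.
// Returns false for a null log or a null fieldsMap (nothing to correlate).
function boolean filter(Log log) {
    if (log == null || log.fieldsMap == null) {
        return false;
    }
    Object port = log.fieldsMap.get("port");
    Object product = log.fieldsMap.get("product");
    // A missing "product" is treated as "does not qualify".
    // NOTE(review): confirm this is the intended policy — the original code
    // would have thrown here rather than returning either value.
    return port != null && product != null && !"-1".equals(product.toString());
}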
// Severity label attached to every correlated event emitted by this package.
// NOTE(review): the log argument is currently unused — every match is reported
// as "High". If severity should depend on the match (number of ports hit,
// product, ...), this is the place to derive it.
function String calcSeverity(Log log) {
    String severity = "High";
    return severity;
}
// Log facts are treated as events, which is what allows the temporal
// constraints (after[0s,5s]) in the port-scan rule.
// NOTE(review): unlike CorrelatedEvent below, no @expires is declared here, so
// the engine has only the temporal constraints to infer a lifetime from.
// Consider an explicit @expires so old logs are guaranteed to leave working
// memory on a high-volume stream — confirm against the Drools version in use.
declare Log
@role( event)
end
// CorrelatedEvent facts are events that the engine retracts 10s after
// insertion. That expiry is what bounds the suppression window of the
// `not CorrelatedEvent(...)` check in "Create Port Scan Event": once the
// event expires, the same src/dst pair can be reported again.
declare CorrelatedEvent
@role( event)
@expires( 10s )
end
// this rule will create a "Port Scan" event if none exists yet for this group-by (src, dst) pair
// Fires for a (src, dst) pair when the same source reaches more than two
// distinct destination ports within 5 seconds of an anchor log; the inserted
// CorrelatedEvent then suppresses further matches for that pair until it
// expires (10s, see the declare above).
rule "Create Port Scan Event"
dialect "java"
// no-loop stops the rule re-activating itself from the insert() in its own
// consequence; the `not CorrelatedEvent` below already blocks that, so this is
// belt-and-braces.
no-loop
when
// NOTE(review): `this` here is what produces "Cannot use this in a static
// context" at compile time — per the error message the inline eval is compiled
// into a static predicate where `this` is not available. One workaround is to
// bind the fact ($l : Log()) and pass the binding to the function instead,
// e.g. eval(filter($l)); confirm against the Drools version in use.
$log : Log(eval(filter(this)))
// Distinct ports hit by the same src->dst pair within 5s after the anchor log.
accumulate(Log(eval(filter(this)) , this after[0s,5s] $log,
fieldsMap.get("src") == $log.fieldsMap.get("src") ,
fieldsMap.get("dst") == $log.fieldsMap.get("dst"), $port :
fieldsMap.get("port"));
$portSet : collectSet($port);
// Threshold: strictly more than 2 distinct ports, i.e. 3 or more.
$portSet.size > 2 )
// Collects the "marker" field of every log that contributed a port above.
// NOTE(review): the pattern type is CpLog here but Log everywhere else, and
// CpLog is not imported at the top of the file — presumably a paste artifact;
// confirm the intended type.
accumulate( CpLog(eval(filter(this)), this after[0s,5s] $log,
fieldsMap.get("src") == $log.fieldsMap.get("src") ,
fieldsMap.get("dst") == $log.fieldsMap.get("dst"),
$portSet.contains(fieldsMap.get("port")), $marker :
fieldsMap.get("marker"));
$markerSet : collectSet($marker))
// Suppression: no open "portScan" event for this src/dst pair. CorrelatedEvent
// is declared @expires(10s), so the pair can be reported again once that event
// has expired — effectively a 10s de-duplication window.
not CorrelatedEvent(getId() == "portScan" ,
groupByFieldsMap.get("src") == $log.fieldsMap.get("src") ,
groupByFieldsMap.get("dst") == $log.fieldsMap.get("dst"))
then
// Debug output; a logger would be the usual choice in a correlation server.
System.out.println("port scan");
System.out.println(drools.getRule().getId());
// Working-memory marker that satisfies the `not` above for the next 10s.
CorrelatedEvent $ce = new CorrelatedEvent("portScan");
$ce.groupByFieldsMap.put("src", $log.fieldsMap.get("src"));
$ce.groupByFieldsMap.put("dst", $log.fieldsMap.get("dst"));
insert($ce);
// Payload handed to the external handler. src, dst and markers are copied
// straight from log fields, i.e. attacker-influenced input: the handler must
// treat them as untrusted data (no interpolation into queries, commands or
// markup without escaping).
HashMap<String,Object> fieldsMap = new HashMap<String,Object>();
fieldsMap.put("src",$log.fieldsMap.get("src"));
fieldsMap.put("dst",$log.fieldsMap.get("dst"));
fieldsMap.put("cu_rule_severity", calcSeverity($log));
fieldsMap.put("markers",$markerSet.toString());
externalEventsHandler.handleEvent(fieldsMap);
end
When I compile it, I get the error "Cannot use this in a static
context".
This is caused by the use of filter(this) inside eval().
I know that in this example I could write the conditions directly as constraints on the pattern, but I have more
complicated cases, so I would prefer to use a function.
So, how can I use a function with the fact being processed?
Thanks!