Hi all,

 

I have a DRL similar to the following:

 

// Rule package holding the port-scan correlation rule below.
package com.checkpoint.correlation.impl.drools.package1;

// NOTE(review): java.util.Date is not referenced in the portion of the file shown.
import java.util.Date

import java.util.HashMap

// Fact types used by the rule: Log carries a fieldsMap of raw log fields;
// CorrelatedEvent is the derived event the rule inserts.
import com.checkpoint.correlation.impl.drools.Log

import com.checkpoint.correlation.impl.drools.CorrelatedEvent

// Global supplied from outside the session; the rule's RHS hands the derived
// event's fields to it via handleEvent(...).
global com.checkpoint.correlation.server.EventsHandler externalEventsHandler;

 

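// Returns true when the log carries a "port" field and its "product" field is
// present and not "-1".
//
// The original expression called toString() on the "product" value without a
// null check, so a log that had "port" but no "product" threw a
// NullPointerException out of the constraint; such logs now simply fail the filter.
function boolean filter(Log log) {
    Object product = log.fieldsMap.get("product");
    return log.fieldsMap.get("port") != null
        && product != null
        && !"-1".equals(product.toString());
}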

 

// Severity assigned to every port-scan event. The Log argument is accepted for
// interface stability but is not inspected: the result is always "High".
function String calcSeverity(Log log) {
    String severity = "High";
    return severity;
}

 

// Log facts are treated as events so that the temporal constraint
// (after[0s,5s]) and the windowed accumulates in the rule below apply to them.
declare Log
      @role(event)
end

 

// CorrelatedEvent facts are events that are retired 10 seconds after
// insertion; once one expires, the `not CorrelatedEvent(...)` guard in the rule
// no longer blocks a new "portScan" event for the same src/dst pair.
declare CorrelatedEvent
        @role(event)
        @expires(10s)
end

 

// Creates a "Port Scan" CorrelatedEvent for a src/dst pair when more than two
// distinct ports are seen from that pair within 5s of an anchor Log, and no
// "portScan" CorrelatedEvent already exists for the same pair.
rule "Create Port Scan Event"

dialect "java"

no-loop

when

                // Anchor event. NOTE(review): `this` inside eval() here, and in
                // both accumulate source patterns below, is what produces
                // "Cannot use this in a static context". Bind the fact to a
                // variable and pass that variable to filter() instead of `this`;
                // confirm the exact constraint form against the Drools version in use.
                $log : Log(eval(filter(this)))

                // Distinct ports seen for the same src/dst in the [0s,5s] window after $log.
                accumulate(Log(eval(filter(this)) , this after[0s,5s] $log, fieldsMap.get("src") == $log.fieldsMap.get("src") , fieldsMap.get("dst") == $log.fieldsMap.get("dst"), $port : fieldsMap.get("port"));

                               $portSet : collectSet($port);

                               $portSet.size > 2 )

                // Markers of the logs in the same window whose port is one of $portSet.
                // NOTE(review): this pattern matches CpLog while every other pattern
                // and the declare above use Log -- presumably a typo; verify.
                accumulate( CpLog(eval(filter(this)), this after[0s,5s] $log, fieldsMap.get("src") == $log.fieldsMap.get("src") , fieldsMap.get("dst") == $log.fieldsMap.get("dst"), $portSet.contains(fieldsMap.get("port")), $marker : fieldsMap.get("marker"));

                               $markerSet : collectSet($marker))

                // De-duplication guard: the RHS inserts a "portScan" CorrelatedEvent
                // for this pair, and CorrelatedEvent expires 10s after insertion.
                not CorrelatedEvent(getId() == "portScan" , groupByFieldsMap.get("src") == $log.fieldsMap.get("src") , groupByFieldsMap.get("dst") == $log.fieldsMap.get("dst"))

then

  System.out.println("port scan");

  // NOTE(review): check that the Rule type returned by drools.getRule() exposes
  // getId(); getName() is the accessor usually available there.
  System.out.println(drools.getRule().getId());

  // Insert the correlated event before notifying the handler so the
  // `not CorrelatedEvent(...)` guard above suppresses re-firing for this pair.
  CorrelatedEvent $ce = new CorrelatedEvent("portScan");

  $ce.groupByFieldsMap.put("src", $log.fieldsMap.get("src"));

  $ce.groupByFieldsMap.put("dst", $log.fieldsMap.get("dst"));

  insert($ce);

  // Payload handed to the external handler. src, dst and markers are copied
  // straight from the raw log fields without any validation, so the handler
  // must treat them as untrusted input.
  HashMap<String,Object> fieldsMap = new HashMap<String,Object>();

  fieldsMap.put("src",$log.fieldsMap.get("src"));

  fieldsMap.put("dst",$log.fieldsMap.get("dst"));

  fieldsMap.put("cu_rule_severity", calcSeverity($log));

  fieldsMap.put("markers",$markerSet.toString());

  externalEventsHandler.handleEvent(fieldsMap);

end

 

When I compile it, I get the error “Cannot use this in a static context”.

This is caused by the use of filter(this).

I know that in this example I could write the conditions directly inside the fact pattern, but I have more complicated cases, so I prefer to use a function.

 

So, how can I pass the fact currently being processed to a function?

 

Thanks!