Thanks for the quick response.
I have some more questions:
1. As I understand it, the timestamp attribute should be of type long, representing the
milliseconds since January 1, 1970, 00:00:00 GMT. Am I right?
2. As I understand it, the duration attribute should be in milliseconds. I fixed it
accordingly. Am I right?
3. When I replaced "(this meets $ce || this during $ce || this metby $ce)" with
"$ce.startTimestamp <= startTimestamp , endTimestamp <= $ce.endTimestamp"
I got the following drools compile exceptions:
Unable to Analyse Expression $ce.startTimestamp:
[Error: unable to resolve method using strict-mode:
com.checkpoint.correlation.impl.drools.CorrelatedEvent.startTimestamp()]
[Near : {... $ce.startTimestamp ....}]
^
[Line: 61, Column: 28] : [Rule name='Create Port Scan Event - update']
Unable to Analyse Expression $ce.startTimestamp <= startTimestamp:
[Error: unable to resolve method using strict-mode:
com.checkpoint.correlation.impl.drools.CorrelatedEvent.startTimestamp()]
[Near : {... $ce.startTimestamp <= startTimesta ....}]
^
[Line: 61, Column: 28] : [Rule name='Create Port Scan Event - update']
Unable to Analyse Expression endTimestamp <= $ce.endTimestamp:
[Error: unable to resolve method using strict-mode:
com.checkpoint.correlation.impl.drools.CpLog.endTimestamp()]
[Near : {... endTimestamp <= $ce.endTimesta ....}]
^
[Line: 61, Column: 28] : [Rule name='Create Port Scan Event - update']
Unable to Analyse Expression $ce.startTimestamp:
[Error: unable to resolve method using strict-mode:
com.checkpoint.correlation.impl.drools.CorrelatedEvent.startTimestamp()]
[Near : {... $ce.startTimestamp ....}]
Why?
4. I tested my working implementation of the temporal relation in rule "Create Port
Scan Event - update" ("this after $ce.getStartTime() , this before
$ce.getEndTime()").
I inserted a connection log and fired the rules every second. I have 25 logs with the
same "src" and "dst", but each has a different (serial) "port"
and "marker".
I print the rule that fired and the port set of the logs that triggered it.
I got this behavior: for the second and third "rounds" (after 10 seconds
and 20 seconds), the first rule processes logs already processed by the second rule.
Output example:
rule fired: Create Port Scan Event - update
portSet: [10, 7, 6, 5, 4, 9, 8, 11, 12]
rule fired: Create Port Scan Event
portSet: [13, 11, 12]
I understand this behavior, so I changed the order of conditions in the LHS of the
first rule (the "not CorrelatedEvent..." condition is now second):
    $log : CpLog()   // get all the logs in the last 5 seconds
    not CorrelatedEvent( getName() == "portScan",
                         fieldsMap.get("src") == $log.fieldsMap.get("src"),
                         fieldsMap.get("dst") == $log.fieldsMap.get("dst") )
    accumulate( CpLog( this after[0s,5s] $log,
                       fieldsMap.get("src") == $log.fieldsMap.get("src"),
                       fieldsMap.get("dst") == $log.fieldsMap.get("dst"),
                       $port : fieldsMap.get("port") );
                $portSet : collectSet($port);
                $portSet.size > 2 )
    accumulate( CpLog( this after[0s,5s] $log,
                       fieldsMap.get("src") == $log.fieldsMap.get("src"),
                       fieldsMap.get("dst") == $log.fieldsMap.get("dst"),
                       $marker : fieldsMap.get("marker") );
                $markerSet : collectSet($marker) )
But then I get the following output for the first 4 logs:
rule fired: Create Port Scan Event
portSet: []
rule fired: Create Port Scan Event - update
portSet: [13, 11, 12]
Why is that? Where did the first 3 events disappear to? How can "portSet" be empty
with the condition $portSet.size > 2?
Thanks a lot.
-----Original Message-----
From: rules-users-bounces(a)lists.jboss.org [mailto:rules-users-bounces@lists.jboss.org] On
Behalf Of Wolfgang Laun
Sent: Sunday, September 15, 2013 8:08 PM
To: Rules Users List
Subject: Re: [rules-users] Implementation of my use case - what am I doing wrong?
On 15/09/2013, Elran Dvir <elrand(a)checkpoint.com> wrote:
my questions:
1) If I have only one stream of data, can I omit the use of an entry
point and insert logs into the session? Or is the use of entry points
mandatory in Drools Fusion?
Yes. No. An entry point is just an additional attribute added "on the fly",
where you don't have a source identification in the pojo.
2) When I tested it with matching data, rule "Create Port Scan Event -
update" was never fired. When I replaced
"(this meets $ce || this during $ce || this metby $ce)" with
"this after $ce.getStartTime() , this before $ce.getEndTime()"
everything worked fine.
Why?
Just take the constraints and replace the temporal operator by its definition in the
"Fusion" manual and use a little elementary math:
A meets B || A during B || A metby B
becomes
abs( B.startTimestamp - A.endTimestamp ) == 0 ||
B.startTimestamp < A.startTimestamp && A.endTimestamp < B.endTimestamp ||
abs( A.startTimestamp - B.endTimestamp ) == 0
becomes
...
3) I tried to use sliding windows in rule "Create Port Scan Event" and
an exception was thrown at runtime. I decided to use "this
after[0s,5s] $log" instead. Is it correct?
A sliding window is not the same as the temporal relation of two events. If the rule does
what it ought to, I'd say, yes, it is correct.
4) Is my basic Implementation correct?
A bit much to ask, don't you think?
-W
_______________________________________________
rules-users mailing list
rules-users(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users