Hi all,
I am trying to identify a port scan event.
The basic fact is a connection log. For each combination of src (source IP) and dst (destination IP), detect a port scan event if, over 60 seconds, there were at least 20 connection logs with different service and protocol.
The event will stay closed for 10 minutes - no event will be sent during this time for this combination of src and dst. The event will contain the connection logs' ids (markers).
I tried to implement it using “accumulate” and “over window:time” but it consumes too much memory.
So I am trying to imitate this functionality using several rules and facts.
My drl contains the following lines (among others):
declare CorrelatedEvent
    @role( event )
    @expires( 600s )
end

declare CandidatesWindow
    @role( event )
    @expires( 60s )
end

rule "Create Port Scan Event - 1"
    enabled true
    dialect "java"
    no-loop
when
    $log : Log()
    not CorrelatedEvent( getId() == "portScan",
                         groupByFieldsMap.get("src") == $log.fieldsMap.get("src"),
                         groupByFieldsMap.get("dst") == $log.fieldsMap.get("dst") )
    $windows : ArrayList()
        from collect( CandidatesWindow( getRuleId() == "portScan",
                                        groupByFieldsMap.get("src") == $log.fieldsMap.get("src"),
                                        groupByFieldsMap.get("dst") == $log.fieldsMap.get("dst") ) )
then
    String id = $log.fieldsMap.get("port").toString();
    System.out.println(new Date().toString() + " windowSize: " + $windows.size());
    // add the new log to every open window for this src/dst pair
    for (Object windowObj : $windows) {
        CandidatesWindow window = (CandidatesWindow) windowObj;
        modify ( window ) { addLog($log, id) }
    }
    // open a new window starting at this log
    CandidatesWindow newWindow = new CandidatesWindow("portScan", true);
    newWindow.groupByFieldsMap.put("src", $log.fieldsMap.get("src"));
    newWindow.groupByFieldsMap.put("dst", $log.fieldsMap.get("dst"));
    newWindow.addLog($log, id);
    insert(newWindow);
end
This imitates sliding time windows.
When I tested it, I got the following exception:
Exception executing consequence for rule "Create Port Scan Event - 1" in com.checkpoint.correlation.impl.drools.package1: java.util.ConcurrentModificationException
at org.drools.runtime.rule.impl.DefaultConsequenceExceptionHandler.handleException(DefaultConsequenceExceptionHandler.java:39)
at org.drools.common.DefaultAgenda.fireActivation(DefaultAgenda.java:1297)
at org.drools.common.DefaultAgenda.fireNextItem(DefaultAgenda.java:1221)
at org.drools.common.DefaultAgenda.fireAllRules(DefaultAgenda.java:1456)
at org.drools.common.AbstractWorkingMemory.fireAllRules(AbstractWorkingMemory.java:710)
at org.drools.common.AbstractWorkingMemory.fireAllRules(AbstractWorkingMemory.java:674)
at org.drools.impl.StatefulKnowledgeSessionImpl.fireAllRules(StatefulKnowledgeSessionImpl.java:230)
at com.checkpoint.correlation.impl.drools.DroolsCEPEngineV1.insertEvents(DroolsCEPEngineV1.java:173)
at com.checkpoint.correlation.impl.feeder.JsonFileFeeder.init(JsonFileFeeder.java:68)
at com.checkpoint.correlation.server.CorrelationServer.initFeeder(CorrelationServer.java:63)
at com.checkpoint.correlation.server.CorrelationServer.run(CorrelationServer.java:28)
at com.checkpoint.correlation.server.CorrelationServer.runServer(CorrelationServer.java:101)
at com.checkpoint.correlation.server.CorrelationServer.main(CorrelationServer.java:85)
Caused by: java.util.ConcurrentModificationException
at java.util.ArrayList$Itr.checkForComodification(ArrayList.java:819)
at java.util.ArrayList$Itr.next(ArrayList.java:791)
at com.checkpoint.correlation.impl.drools.package1.Rule_Create_Port_Scan_Event___1_2f94bc67f9064c6e9614982cf9bc8859.defaultConsequence(Rule_Create_Port_Scan_Event___1_2f94bc67f9064c6e9614982cf9bc8859.java:11)
at com.checkpoint.correlation.impl.drools.package1.Rule_Create_Port_Scan_Event___1_2f94bc67f9064c6e9614982cf9bc8859DefaultConsequenceInvokerGenerated.evaluate(Unknown Source)
at com.checkpoint.correlation.impl.drools.package1.Rule_Create_Port_Scan_Event___1_2f94bc67f9064c6e9614982cf9bc8859DefaultConsequenceInvoker.evaluate(Unknown Source)
at org.drools.common.DefaultAgenda.fireActivation(DefaultAgenda.java:1287)
... 11 more
It is caused by modify ( window ) in the for loop.
How can I make it work?
Thanks.
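For reference, here is the detection semantics described at the top of the post (per src/dst pair, at least 20 distinct service/protocol combinations within 60 seconds, then a 10 minute closed period, event carrying the log markers) written as a plain sliding-window detector in Python. This is an added example, not code from the post or from Drools; the ConnLog fields, the thresholds as constants, and the sample connection logs are all constructed here to show which inputs fire an event and which do not.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_SECONDS = 60      # sliding window length from the question
MIN_DISTINCT = 20        # distinct (service, protocol) pairs needed in the window
COOLDOWN_SECONDS = 600   # the event "stays closed" for 10 minutes


@dataclass
class ConnLog:
    """One connection log. Logs must arrive in timestamp order (assumption)."""
    marker: str      # the connection log's id, reported in the event
    ts: float        # seconds
    src: str
    dst: str
    service: str     # e.g. destination port
    protocol: str


@dataclass
class PortScanEvent:
    src: str
    dst: str
    ts: float
    markers: list


class PortScanDetector:
    def __init__(self):
        # (src, dst) -> logs seen within the last WINDOW_SECONDS
        self._windows = defaultdict(deque)
        # (src, dst) -> timestamp before which no new event may be emitted
        self._closed_until = {}

    def observe(self, log):
        key = (log.src, log.dst)
        if log.ts < self._closed_until.get(key, float("-inf")):
            return None  # event for this pair is still closed; nothing is sent
        window = self._windows[key]
        window.append(log)
        # evict logs that fell out of the 60 second window (the over window:time part)
        while window and log.ts - window[0].ts > WINDOW_SECONDS:
            window.popleft()
        distinct = {(l.service, l.protocol) for l in window}
        if len(distinct) < MIN_DISTINCT:
            return None
        event = PortScanEvent(log.src, log.dst, log.ts, [l.marker for l in window])
        self._closed_until[key] = log.ts + COOLDOWN_SECONDS
        window.clear()  # the next event for this pair starts from a fresh window
        return event


def run_sample():
    """Constructed feed: a fast scan, a benign repeated connection, a slow scan,
    and a second fast scan after the closed period has expired."""
    logs = []
    # fast scan: 30 distinct ports, one per second -> fires once at the 20th log
    logs += [ConnLog(f"scan-{i}", 100 + i, "10.0.0.5", "10.0.0.9", str(1000 + i), "tcp")
             for i in range(30)]
    # benign: 30 connections to the same service -> only one distinct pair
    logs += [ConnLog(f"web-{i}", 100 + i, "10.0.0.7", "10.0.0.9", "443", "tcp")
             for i in range(30)]
    # slow scan: 20 distinct ports, one every 10 s -> never 20 inside any 60 s window
    logs += [ConnLog(f"slow-{i}", 100 + 10 * i, "10.0.0.8", "10.0.0.9", str(2000 + i), "tcp")
             for i in range(20)]
    # second burst from the first scanner after the 600 s closed period -> fires again
    logs += [ConnLog(f"scan2-{i}", 800 + i, "10.0.0.5", "10.0.0.9", str(3000 + i), "tcp")
             for i in range(20)]
    logs.sort(key=lambda l: l.ts)  # interleave the streams as a real feed would

    detector = PortScanDetector()
    events = []
    for log in logs:
        event = detector.observe(log)
        if event is not None:
            events.append(event)
    return events


if __name__ == "__main__":
    for ev in run_sample():
        print(f"port scan {ev.src} -> {ev.dst} at t={ev.ts}, {len(ev.markers)} markers")
```

The window is cleared when an event is emitted and nothing is tracked while the pair is closed, which is what keeps memory bounded: at most 60 seconds of logs per active src/dst pair are ever held, and a pair that already produced an event holds nothing until the closed period ends.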