So do you mean this didn't work:
    myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
    for (Fact a : Facts)
        ksession.getWorkingMemoryEntryPoint(correlatorName).insert(a);
...but this did?
    myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
    for (Fact a : Facts)
        myWorkingMemoryEP.insert(a);
--- On Thu, 7/23/09, Nestor Tarin Burriel <nestabur(a)gmail.com> wrote:
From: Nestor Tarin Burriel <nestabur(a)gmail.com>
Subject: Re: [rules-users] CEP Rule Help Needed
To: "Rules Users List" <rules-users(a)lists.jboss.org>
Date: Thursday, July 23, 2009, 9:47 AM
Finally I've solved my problem. It was in the engine:
Looking at the doc, for inserting a new fact into a stream of the working memory it says:
    ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert();
Which is perfect but not for my environment ;), I was inserting the events in different WMs because in each one I did
    ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert(myFact);
so I solved it doing:
    myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
    for (Fact a : Facts)
        myWorkingMemoryEP.insert(a);
I don't know if this is the correct use of EntryPoints but it works!
Thanks to everybody especially Greg and Priya :)
2009/7/23 PriyaKathan <nash.8103(a)gmail.com>
Hi
Find attached a working example for a CEP rule with the scenario you stated. Here I used a pseudo clock. Hope this would help you to understand better.
Regards,
Priya
2009/7/23 Nestor Tarin Burriel <nestabur(a)gmail.com>
Hi again Greg,
I've tried your suggestion and it seems like the facts that the rule is checking are the same.
This is my last try:
rule "SnortRuleRetract"
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port" )
        $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id )
    then
        retract($s2);
        System.out.println(" ********* Deleting from WM");
end
And it is never fired ...
There are no more rules in the package, this is the only one ... so I don't understand anything ... could the error be in the engine? I don't retract any fact ... as you can see in my code ...
NEStor
2009/7/23 Nestor Tarin Burriel <nestabur(a)gmail.com>
Yes, that is the purpose ;)
I will try ;)
Thanks 4 your help
2009/7/22 Greg Barton <greg_barton(a)yahoo.com>
Ah, overlooked that second rule. Have you tried the overlap operator?
So, just to clarify, the purpose of the two rules should be:
SnortRule: If two Snort events that are not port scans of an open port on the same destination arrive more than 5 minutes apart, delete the earlier one.
SnortRuleRetract: If two Snort events that are not port scans of an open port on any two destinations arrive within 5 minutes of each other, delete the earlier one.
Have you tried removing the temporal operators completely, just for testing purposes? What happens? i.e.
"TimelessSnortRule"
    $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
    $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst ) from entry-point "Correlator"
"TimelessSnortRuleRetract"
    $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
    $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id ) from entry-point "Correlator"
--- On Wed, 7/22/09, Nestor Tarin Burriel <nestabur(a)gmail.com> wrote:
> From: Nestor Tarin Burriel <nestabur(a)gmail.com>
> Subject: Re: [rules-users] CEP Rule Help Needed
> To: "Rules Users List" <rules-users(a)lists.jboss.org>
> Date: Wednesday, July 22, 2009, 1:47 PM
> Thanks Greg,
>
> As you can see in the code I sent, I have the 2 implementations:
>
> "SnortRule"
>     $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>     $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point "Correlator"
>
> "SnortRuleRetract"
>     $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>     $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1 ) from entry-point "Correlator"
>
> and none of them are fired
>
> ...
>
> 2009/7/22 Greg Barton <greg_barton(a)yahoo.com>
>
> Maybe this is a problem of language. Here's what you say the rule should do:
>
> 'After receiving a fact "MyModel" which name != "aaa", if arrives another with same ip and different id after a period between 0 and 5 minutes the rule have to retract the last one and keep the first fact (the older one)'
>
> Which I would interpret as "Event 1 comes in, then event 2 comes in between 0 and 5 minutes later." Does that sound right?
>
> And here's the rule that you think fits the requirements:
>
> rule "SnortRule"
>     salience 2
>     dialect "mvel"
>     when
>         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point "Correlator"
>     then
>         System.out.println("****************** Snort Alert!!!!" + $s1.getData());
>         retract($s1);
> end
>
> Check out the docs, though:
>
> https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/t...
>
> The after operator in this case would check that (5m <= $s2.startTimestamp - $s1.endTimeStamp <= +infinity).
>
> So the rule actually implements "Event 1 comes in, then event 2 happens at least 5 minutes later."
>
> If you use the second argument of after I think it would work:
>
>     $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1 ) from entry-point "Correlator"
>
> According to the docs this should check that (0m <= $s2.startTimestamp - $s1.endTimeStamp <= 5m).
>
> You could alternately use "overlaps". Place an @duration(5m) annotation on the Snort declaration and try this condition:
>
>     $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1 ) from entry-point "Correlator"
>
> _______________________________________________
> rules-users mailing list
> rules-users(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/rules-users
--
Regards,
PriyaKathan
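A small Python model of the two `after` bounds Greg quotes from the docs, run over constructed Snort-style alerts; this is an added illustration, not code from the thread or from Drools, and the alert ids, signature names, hosts and timestamps are made up. It shows why `this after [5m] $s1` only fires for events at least five minutes apart, what `[0m,5m]` matches instead, and what Greg's "timeless" test would match.

```python
from collections import namedtuple
from datetime import datetime, timedelta

PORTSCAN = "(portscan) Open Port"      # the sig_name both rules exclude
Snort = namedtuple("Snort", "id sig_name ip_dst ts")   # point event: start == end == ts

def after(s2, s1, lo, hi):
    """Drools 'this after [lo, hi] $s1' per the docs quoted in the thread: lo <= s2.start - s1.end <= hi.
    hi=None is +infinity (the one-argument form 'after [5m]'); lo=None means no temporal operator."""
    if lo is None:
        return True
    delta = s2.ts - s1.ts
    return delta >= lo and (hi is None or delta <= hi)

def rule_matches(events, lo, hi, same_dst):
    """Ordered ($s1.id, $s2.id) pairs the rule's LHS would activate on."""
    hits = []
    for s1 in events:
        if s1.sig_name == PORTSCAN:
            continue
        for s2 in events:
            if s2.sig_name == PORTSCAN or s2.id == s1.id:
                continue
            if same_dst and s2.ip_dst != s1.ip_dst:
                continue
            if after(s2, s1, lo, hi):
                hits.append((s1.id, s2.id))
    return sorted(hits)

def M(n):
    return timedelta(minutes=n)

T0 = datetime(2009, 7, 22, 13, 0)
# Constructed sample alerts (not data from the thread); ids, signatures and hosts are made up.
EVENTS = [
    Snort(1, "SSH brute force", "10.0.0.5", T0),
    Snort(2, "SSH brute force", "10.0.0.5", T0 + M(2)),
    Snort(3, PORTSCAN,          "10.0.0.5", T0 + M(3)),   # excluded by sig_name
    Snort(4, "SSH brute force", "10.0.0.9", T0 + M(7)),   # other destination
    Snort(5, "SSH brute force", "10.0.0.5", T0 + M(9)),
]

RULES = {   # rule name -> (lo, hi, same ip_dst?) read off the LHS in the thread
    "SnortRule":         (M(5), None, True),    # 'this after [5m] $s1': at least 5 min
    "SnortRule-fixed":   (M(0), M(5), True),    # 'this after [0m,5m] $s1': 0 to 5 min
    "SnortRuleRetract":  (M(0), M(5), False),   # same window, any destination
    "TimelessSnortRule": (None, None, True),    # Greg's test without the operator
}
def fire(rule_name):
    lo, hi, same_dst = RULES[rule_name]
    return rule_matches(EVENTS, lo, hi, same_dst)
```

With these alerts `fire("SnortRule")` only pairs events at least five minutes apart, `fire("SnortRule-fixed")` only pairs events inside the window (the window bounds are inclusive, so exactly five minutes still matches), and the timeless variant pairs every two distinct non-portscan events on the same destination in both orders.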