2009/7/22 Nestor Tarin Burriel <nestabur@gmail.com>

Hi Edson,

Thanks for the fix, but the problem still happens :(

Here my complete .drl file:

package Correlator

global com.s2grupo.triton.global.Context Context

declare Snort
�� @role( event )
�� icmp_code: String
�� tcp_sport: String
�� data: String
�� sig_rev: String
�� tcp_dport: String
�� udp_sport: String
�� hostname: String
�� interface: String
�� sig_priority: String
�� icmp_type: String
�� id: java.lang.Long
�� sig_class_name: String
�� ip_dst: String
�� sig_name: String
�� udp_dport: String
�� ip_src: String
�� event_date: java.util.Date
end

rule "SnortRule"

�� salience 2
�� dialect "mvel"
�� when
�� $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
�� $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
�� then
�� System.out.println("****************** Snort Alert!!!!" + $s1.getData());

�� retract($s1);
end

rule "SnortRuleRetract"
�� salience 1
�� dialect "mvel"
�� when
�� $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
�� $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"
�� then
�� retract($s2);
�� System.out.println(" ********* Deleting Fact From WM");

end

rule "SnortRule0"
�� salience 0
�� dialect "mvel"
�� when
�� $s1 : Snort( this.sig_name != "(portscan) Open Port") from entry-point "Correlator"
�� then
�� System.out.println("********* Snort Alert 0!!" + $s1.getData());
end

As you can see, I'm trying to correlate snort events with drools.

With this scenario, the only rule that is firing is "SnortRule0"

2009/7/21 Edson Tirelli <tirelli@post.com>

�� Your rule is wrong, as you are defining 3 patterns and the second pattern is looking for a fact in the main entry point, not your defined "MyEntryPoint".
�� Fix it doing:

$s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after [0m,5m] $s1) from entry-point "MyEntryPoint"
�
�� []s
�� Edson

2009/7/21 nestabur <nestabur@gmail.com>

Hi all,

I'm getting crazy trying to create a CEP rule in droos 5.0.1 :(

The rule is:
===============
rule "RetractOlderFacts"
� � � �dialect "mvel"
� � � �when
� � � � � � � �$s1 : MyModel( name != "aaa") from entry-point "MyEntryPoint"
� � � � � � � �$s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1) and MyModel (
this after [0m,5m] $s1) from entry-point "MyEntryPoint"
� � � �then
� � � � � � � �retract($s2);
� � � � � � � �System.out.println(" ********* Retracting from WM");
end
===============

The scenario is:
"After receiving a fact "MyModel" wich name != "aaa", if arrives another
with same ip and different id after a period between 0 and 5 minutes the
rule have to retract the last one and keep the first fact (the older one)"

After receiving hundred and hundred of facts via JMS that may match with the
rule condition, the rule never throws!

is the rule correct?
could the problem be at the rule engine implementation?

Could anyone hel me please?

Thanks in advance,

nestabur
--
View this message in context: http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html
Sent from the drools - user mailing list archive at Nabble.com.

_______________________________________________
rules-users mailing list
rules-users@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users

_______________________________________________
rules-users mailing list
rules-users@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users