2009/7/22 Nestor Tarin Burriel <nestabur@gmail.com>

Hi Edson,

Thanks for the fix, but the problem still happens :(

Here my complete .drl file:

package Correlator

global com.s2grupo.triton.global.Context Context

declare Snort
    @role( event )
    icmp_code: String
    tcp_sport: String
    data: String
    sig_rev: String
    tcp_dport: String
    udp_sport: String
    hostname: String
    interface: String
    sig_priority: String
    icmp_type: String
    id: java.lang.Long
    sig_class_name: String
    ip_dst: String
    sig_name: String
    udp_dport: String
    ip_src: String
    event_date: java.util.Date
end

rule "SnortRule"

    salience 2
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
    then
        System.out.println("****************** Snort Alert!!!!" + $s1.getData());

        retract($s1);
end

rule "SnortRuleRetract"
    salience 1
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"
    then
        retract($s2);
        System.out.println(" ********* Deleting Fact From WM");

end

rule "SnortRule0"
    salience 0
    dialect "mvel"
    when
        $s1 : Snort( this.sig_name != "(portscan) Open Port") from entry-point "Correlator"
    then
        System.out.println("********* Snort Alert 0!!" + $s1.getData());
end

As you can see, I'm trying to correlate snort events with drools.

With this scenario, the only rule that is firing is "SnortRule0"

2009/7/21 Edson Tirelli <tirelli@post.com>

   Your rule is wrong, as you are defining 3 patterns and the second pattern is looking for a fact in the main entry point, not your defined "MyEntryPoint".
   Fix it doing:

$s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after [0m,5m] $s1) from entry-point "MyEntryPoint"

   []s
   Edson

2009/7/21 nestabur <nestabur@gmail.com>

Hi all,

I'm getting crazy trying to create a CEP rule in droos 5.0.1 :(

The rule is:
===============
rule "RetractOlderFacts"
dialect "mvel"
when
$s1 : MyModel( name != "aaa") from entry-point "MyEntryPoint"
$s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1) and MyModel (
this after [0m,5m] $s1) from entry-point "MyEntryPoint"
then
retract($s2);
System.out.println(" ********* Retracting from WM");
end
===============

The scenario is:
"After receiving a fact "MyModel" wich name != "aaa", if arrives another
with same ip and different id after a period between 0 and 5 minutes the
rule have to retract the last one and keep the first fact (the older one)"

After receiving hundred and hundred of facts via JMS that may match with the
rule condition, the rule never throws!

is the rule correct?
could the problem be at the rule engine implementation?

Could anyone hel me please?

Thanks in advance,

nestabur
--
View this message in context: http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html
Sent from the drools - user mailing list archive at Nabble.com.

_______________________________________________
rules-users mailing list
rules-users@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users

_______________________________________________
rules-users mailing list
rules-users@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users