11:42 a.m.
Hi all,
I'm getting crazy trying to create a CEP rule in droos 5.0.1 :(
The rule is:
===============
rule "RetractOlderFacts"
dialect "mvel"
when
$s1 : MyModel( name != "aaa") from entry-point "MyEntryPoint"
$s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1) and MyModel (
this after [0m,5m] $s1) from entry-point "MyEntryPoint"
then
retract($s2);
System.out.println(" ********* Retracting from WM");
end
===============
The scenario is:
"After receiving a fact "MyModel" wich name != "aaa", if arrives
another
with same ip and different id after a period between 0 and 5 minutes the
rule have to retract the last one and keep the first fact (the older one)"
After receiving hundred and hundred of facts via JMS that may match with the
rule condition, the rule never throws!
is the rule correct?
could the problem be at the rule engine implementation?
Could anyone hel me please?
Thanks in advance,
nestabur
--
View this message in context:
http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html
Sent from the drools - user mailing list archive at Nabble.com.
2:35 p.m.
Your rule is wrong, as you are defining 3 patterns and the second pattern
is looking for a fact in the main entry point, not your defined
"MyEntryPoint".
Fix it doing:
$s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after [0m,5m]
$s1) from entry-point "MyEntryPoint"
[]s
Edson
2009/7/21 nestabur <nestabur(a)gmail.com>
Hi all,
I'm getting crazy trying to create a CEP rule in droos 5.0.1 :(
The rule is:
===============
rule "RetractOlderFacts"
dialect "mvel"
when
$s1 : MyModel( name != "aaa") from entry-point
"MyEntryPoint"
$s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1)
and MyModel (
this after [0m,5m] $s1) from entry-point "MyEntryPoint"
then
retract($s2);
System.out.println(" ********* Retracting from WM");
end
===============
The scenario is:
"After receiving a fact "MyModel" wich name != "aaa", if arrives
another
with same ip and different id after a period between 0 and 5 minutes the
rule have to retract the last one and keep the first fact (the older one)"
After receiving hundred and hundred of facts via JMS that may match with
the
rule condition, the rule never throws!
is the rule correct?
could the problem be at the rule engine implementation?
Could anyone hel me please?
Thanks in advance,
nestabur
--
View this message in context:
http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html
Sent from the drools - user mailing list archive at Nabble.com.
_______________________________________________
rules-users mailing list
rules-users(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
4:26 a.m.
Hi Edson,
Thanks for the fix, but the problem still happens :(
Here my complete .drl file:
package ArgosCorrelator
global com.s2grupo.triton.global.Context Context
declare MyFact
@role( event )
id: java.lang.Long
ip: String
end
rule "Rule1"
salience 2
dialect "mvel"
when
$s1 : Snort( sig_name != "(portscan) Open Port") from entry-point
"ArgosCorrelator"
$s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id,
ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point
"ArgosCorrelator"
then
System.out.println("****************** Evento Snort Ejecutado" +
$s1.getData());
retract($s1);
end
rule "SnortRuleRetract"
salience 1
dialect "mvel"
when
$s1 : Snort( sig_name != "(portscan) Open Port") from entry-point
"ArgosCorrelator"
$s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id,
this after [0m,5m] $s1) from entry-point "ArgosCorrelator"
then
retract($s2);
System.out.println(" ********* Evento Snort Eliminado de la WM");
end
rule "SnortRule0"
salience 0
dialect "mvel"
when
$s1 : Snort( this.sig_name != "(portscan) Open Port") from
entry-point "ArgosCorrelator"
then
System.out.println("********* Alerta Snort 0!!" + $s1.getData());
end
2009/7/21 Edson Tirelli <tirelli(a)post.com>
Your rule is wrong, as you are defining 3 patterns and the second
pattern is looking for a fact in the main entry point, not your defined
"MyEntryPoint".
Fix it doing:
$s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after
[0m,5m] $s1) from entry-point "MyEntryPoint"
[]s
Edson
2009/7/21 nestabur <nestabur(a)gmail.com>
> Hi all,
>
> I'm getting crazy trying to create a CEP rule in droos 5.0.1 :(
>
> The rule is:
> ===============
> rule "RetractOlderFacts"
> dialect "mvel"
> when
> $s1 : MyModel( name != "aaa") from entry-point
> "MyEntryPoint"
> $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1)
> and MyModel (
> this after [0m,5m] $s1) from entry-point "MyEntryPoint"
> then
> retract($s2);
> System.out.println(" ********* Retracting from WM");
> end
> ===============
>
> The scenario is:
> "After receiving a fact "MyModel" wich name != "aaa", if
arrives another
> with same ip and different id after a period between 0 and 5 minutes the
> rule have to retract the last one and keep the first fact (the older one)"
>
> After receiving hundred and hundred of facts via JMS that may match with
> the
> rule condition, the rule never throws!
>
> is the rule correct?
> could the problem be at the rule engine implementation?
>
> Could anyone hel me please?
>
> Thanks in advance,
>
> nestabur
> --
> View this message in context:
> http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html
> Sent from the drools - user mailing list archive at Nabble.com.
>
> _______________________________________________
> rules-users mailing list
> rules-users(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/rules-users
>
_______________________________________________
rules-users mailing list
rules-users(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
4:30 a.m.
Hi Edson,
Thanks for the fix, but the problem still happens :(
Here my complete .drl file:
package Correlator
global com.s2grupo.triton.global.Context Context
declare Snort
@role( event )
icmp_code: String
tcp_sport: String
data: String
sig_rev: String
tcp_dport: String
udp_sport: String
hostname: String
interface: String
sig_priority: String
icmp_type: String
id: java.lang.Long
sig_class_name: String
ip_dst: String
sig_name: String
udp_dport: String
ip_src: String
event_date: java.util.Date
end
rule "SnortRule"
salience 2
dialect "mvel"
when
$s1 : Snort( sig_name != "(portscan) Open Port") from entry-point
"Correlator"
$s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id,
ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
then
System.out.println("****************** Snort Alert!!!!" +
$s1.getData());
retract($s1);
end
rule "SnortRuleRetract"
salience 1
dialect "mvel"
when
$s1 : Snort( sig_name != "(portscan) Open Port") from entry-point
"Correlator"
$s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id,
this after [0m,5m] $s1) from entry-point "Correlator"
then
retract($s2);
System.out.println(" ********* Deleting Fact From WM");
end
rule "SnortRule0"
salience 0
dialect "mvel"
when
$s1 : Snort( this.sig_name != "(portscan) Open Port") from
entry-point "Correlator"
then
System.out.println("********* Snort Alert 0!!" + $s1.getData());
end
As you can see, I'm trying to correlate snort events with drools.
With this scenario, the only rule that is firing is "SnortRule0"
2009/7/21 Edson Tirelli <tirelli(a)post.com>
Your rule is wrong, as you are defining 3 patterns and the second
pattern is looking for a fact in the main entry point, not your defined
"MyEntryPoint".
Fix it doing:
$s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after
[0m,5m] $s1) from entry-point "MyEntryPoint"
[]s
Edson
2009/7/21 nestabur <nestabur(a)gmail.com>
> Hi all,
>
> I'm getting crazy trying to create a CEP rule in droos 5.0.1 :(
>
> The rule is:
> ===============
> rule "RetractOlderFacts"
> dialect "mvel"
> when
> $s1 : MyModel( name != "aaa") from entry-point
> "MyEntryPoint"
> $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1)
> and MyModel (
> this after [0m,5m] $s1) from entry-point "MyEntryPoint"
> then
> retract($s2);
> System.out.println(" ********* Retracting from WM");
> end
> ===============
>
> The scenario is:
> "After receiving a fact "MyModel" wich name != "aaa", if
arrives another
> with same ip and different id after a period between 0 and 5 minutes the
> rule have to retract the last one and keep the first fact (the older one)"
>
> After receiving hundred and hundred of facts via JMS that may match with
> the
> rule condition, the rule never throws!
>
> is the rule correct?
> could the problem be at the rule engine implementation?
>
> Could anyone hel me please?
>
> Thanks in advance,
>
> nestabur
> --
> View this message in context:
> http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html
> Sent from the drools - user mailing list archive at Nabble.com.
>
> _______________________________________________
> rules-users mailing list
> rules-users(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/rules-users
>
_______________________________________________
rules-users mailing list
rules-users(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
4:45 a.m.
Hi again,
Here the info from my engine execution:
KnowledgeBaseConfiguration config =
KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
config.setOption( EventProcessingOption.STREAM );
KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(config);
kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());
SessionConfiguration sessionConf = new SessionConfiguration();
sessionConf.setClockType(ClockType.REALTIME_CLOCK);
ksession = kbase.newStatefulKnowledgeSession(
sessionConf, env);
An here the inserting method:
ksession.getWorkingMemoryEntryPoint("Correlator").insert(fact);
ksession.fireAllRules();
So I dont understand why my CEP rules never fires ...
Thanks again,
nestabur
2009/7/22 Nestor Tarin Burriel <nestabur(a)gmail.com>
Hi Edson,
Thanks for the fix, but the problem still happens :(
Here my complete .drl file:
package Correlator
global com.s2grupo.triton.global.Context Context
declare Snort
@role( event )
icmp_code: String
tcp_sport: String
data: String
sig_rev: String
tcp_dport: String
udp_sport: String
hostname: String
interface: String
sig_priority: String
icmp_type: String
id: java.lang.Long
sig_class_name: String
ip_dst: String
sig_name: String
udp_dport: String
ip_src: String
event_date: java.util.Date
end
rule "SnortRule"
salience 2
dialect "mvel"
when
$s1 : Snort( sig_name != "(portscan) Open Port") from entry-point
"Correlator"
$s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id,
ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
then
System.out.println("****************** Snort Alert!!!!" +
$s1.getData());
retract($s1);
end
rule "SnortRuleRetract"
salience 1
dialect "mvel"
when
$s1 : Snort( sig_name != "(portscan) Open Port") from entry-point
"Correlator"
$s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id,
this after [0m,5m] $s1) from entry-point "Correlator"
then
retract($s2);
System.out.println(" ********* Deleting Fact From WM");
end
rule "SnortRule0"
salience 0
dialect "mvel"
when
$s1 : Snort( this.sig_name != "(portscan) Open Port") from
entry-point "Correlator"
then
System.out.println("********* Snort Alert 0!!" + $s1.getData());
end
As you can see, I'm trying to correlate snort events with drools.
With this scenario, the only rule that is firing is "SnortRule0"
2009/7/21 Edson Tirelli <tirelli(a)post.com>
>
> Your rule is wrong, as you are defining 3 patterns and the second
> pattern is looking for a fact in the main entry point, not your defined
> "MyEntryPoint".
> Fix it doing:
>
> $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after
> [0m,5m] $s1) from entry-point "MyEntryPoint"
>
> []s
> Edson
>
> 2009/7/21 nestabur <nestabur(a)gmail.com>
>
>
>> Hi all,
>>
>> I'm getting crazy trying to create a CEP rule in droos 5.0.1 :(
>>
>> The rule is:
>> ===============
>> rule "RetractOlderFacts"
>> dialect "mvel"
>> when
>> $s1 : MyModel( name != "aaa") from entry-point
>> "MyEntryPoint"
>> $s2 : MyModel ( name != "aaa" , id != $s1.id, ip ==
$s1)
>> and MyModel (
>> this after [0m,5m] $s1) from entry-point "MyEntryPoint"
>> then
>> retract($s2);
>> System.out.println(" ********* Retracting from WM");
>> end
>> ===============
>>
>> The scenario is:
>> "After receiving a fact "MyModel" wich name != "aaa", if
arrives another
>> with same ip and different id after a period between 0 and 5 minutes the
>> rule have to retract the last one and keep the first fact (the older
>> one)"
>>
>> After receiving hundred and hundred of facts via JMS that may match with
>> the
>> rule condition, the rule never throws!
>>
>> is the rule correct?
>> could the problem be at the rule engine implementation?
>>
>> Could anyone hel me please?
>>
>> Thanks in advance,
>>
>> nestabur
>> --
>> View this message in context:
>> http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html
>> Sent from the drools - user mailing list archive at Nabble.com.
>>
>> _______________________________________________
>> rules-users mailing list
>> rules-users(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/rules-users
>>
>
>
> _______________________________________________
> rules-users mailing list
> rules-users(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/rules-users
>
>
5636
days inactive
5637
days old
4 comments
3 participants
participants (3)
-
Edson Tirelli -
nestabur -
Nestor Tarin Burriel