[rules-users] CEP Rule Help Needed

Nestor Tarin Burriel nestabur at gmail.com
Wed Jul 22 05:45:04 EDT 2009 

Hi again,

Here the info from my engine execution:

        KnowledgeBaseConfiguration config =
KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
        config.setOption( EventProcessingOption.STREAM );

        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(config);
        kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());

        SessionConfiguration sessionConf = new SessionConfiguration();
        sessionConf.setClockType(ClockType.REALTIME_CLOCK);

        ksession = kbase.newStatefulKnowledgeSession(
                sessionConf, env);

An here the inserting method:
       ksession.getWorkingMemoryEntryPoint("Correlator").insert(fact);
       ksession.fireAllRules();

So I dont understand why my CEP rules never fires ...

Thanks again,

nestabur

2009/7/22 Nestor Tarin Burriel <nestabur at gmail.com>

> Hi Edson,
>
> Thanks for the fix, but the problem still happens :(
>
> Here my complete .drl file:
>
> package Correlator
> global com.s2grupo.triton.global.Context Context
>
> declare Snort
>     @role( event )
>     icmp_code: String
>     tcp_sport: String
>     data: String
>     sig_rev: String
>     tcp_dport: String
>     udp_sport: String
>     hostname: String
>     interface: String
>     sig_priority: String
>     icmp_type: String
>     id: java.lang.Long
>     sig_class_name: String
>     ip_dst: String
>     sig_name: String
>     udp_dport: String
>     ip_src: String
>     event_date: java.util.Date
> end
>
> rule "SnortRule"
>     salience 2
>     dialect "mvel"
>     when
>         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point
> "Correlator"
>         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id,
> ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
>     then
>         System.out.println("****************** Snort Alert!!!!" +
> $s1.getData());
>         retract($s1);
> end
>
>
> rule "SnortRuleRetract"
>     salience 1
>     dialect "mvel"
>     when
>         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point
> "Correlator"
>         $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id,
> this after [0m,5m] $s1) from entry-point "Correlator"
>     then
>         retract($s2);
>         System.out.println(" ********* Deleting Fact From WM");
> end
>
>
> rule "SnortRule0"
>     salience 0
>     dialect "mvel"
>     when
>         $s1 : Snort( this.sig_name != "(portscan) Open Port") from
> entry-point "Correlator"
>     then
>         System.out.println("********* Snort Alert 0!!" + $s1.getData());
> end
>
> As you can see, I'm trying to correlate snort events with drools.
>
> With this scenario, the only rule that is firing is "SnortRule0"
>
> 2009/7/21 Edson Tirelli <tirelli at post.com>
>
>>
>>    Your rule is wrong, as you are defining 3 patterns and the second
>> pattern is looking for a fact in the main entry point, not your defined
>> "MyEntryPoint".
>>    Fix it doing:
>>
>> $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after
>> [0m,5m] $s1) from entry-point "MyEntryPoint"
>>
>>    []s
>>    Edson
>>
>> 2009/7/21 nestabur <nestabur at gmail.com>
>>
>>
>>> Hi all,
>>>
>>> I'm getting crazy trying to create a CEP rule in droos 5.0.1 :(
>>>
>>> The rule is:
>>> ===============
>>> rule "RetractOlderFacts"
>>>        dialect "mvel"
>>>        when
>>>                $s1 : MyModel( name != "aaa") from entry-point
>>> "MyEntryPoint"
>>>                $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1)
>>> and MyModel (
>>> this after [0m,5m] $s1) from entry-point "MyEntryPoint"
>>>        then
>>>                retract($s2);
>>>                System.out.println(" ********* Retracting from WM");
>>> end
>>> ===============
>>>
>>> The scenario is:
>>> "After receiving a fact "MyModel" wich name != "aaa", if arrives another
>>> with same ip and different id after a period between 0 and 5 minutes the
>>> rule have to retract the last one and keep the first fact (the older
>>> one)"
>>>
>>> After receiving hundred and hundred of facts via JMS that may match with
>>> the
>>> rule condition, the rule never throws!
>>>
>>> is the rule correct?
>>> could the problem be at the rule engine implementation?
>>>
>>> Could anyone hel me please?
>>>
>>> Thanks in advance,
>>>
>>> nestabur
>>> --
>>> View this message in context:
>>> http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html
>>> Sent from the drools - user mailing list archive at Nabble.com.
>>>
>>> _______________________________________________
>>> rules-users mailing list
>>> rules-users at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/rules-users
>>>
>>
>>
>> _______________________________________________
>> rules-users mailing list
>> rules-users at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/rules-users
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/rules-users/attachments/20090722/779bf766/attachment.html

More information about the rules-users mailing list