[rules-users] Is my use case supported in Drools?

Elran Dvir elrand at checkpoint.com
Wed Aug 14 06:42:27 EDT 2013


Srini,

Thank you very much.

-----Original Message-----
From: rules-users-bounces at lists.jboss.org [mailto:rules-users-bounces at lists.jboss.org] On Behalf Of VGore
Sent: Tuesday, August 13, 2013 2:12 PM
To: rules-users at lists.jboss.org
Subject: Re: [rules-users] Is my use case supported in Drools?

This sample addresses a brute-force attack by capturing login failures.

---------------------------------------------------------------------------------------------------
// Event and CorrelationEvent are assumed to be existing fact classes that carry the
// properties used below (id, sipaddress, dipaddress, type, result, eventTime, level,
// eventCount); a type declared purely in DRL would have to list its fields here.
declare Event
	@role( event )
	@timestamp( eventTime )
	@expires( 60s )
end

declare CorrelationEvent
	@role( event )
end

// Level 1: the first failed login for a (source, destination) pair opens a correlation.
rule "CorrelationLogin Level 1"
dialect "mvel"
no-loop
  when
    $e1 : Event( $sipaddress : sipaddress, $dipaddress : dipaddress,
                 type == "LOGIN", result == "FAILED" )
          over window:time( 50s ) from entry-point "EventStream"
    not CorrelationEvent( sipaddress == $sipaddress, dipaddress == $dipaddress )
  then
    CorrelationEvent ce = new CorrelationEvent();
    ce.setSipaddress( $sipaddress );
    ce.setDipaddress( $dipaddress );
    ce.setLevel( 1 );
    ce.setEventCount( 1 );
    insert( ce );
end

// Level 2: count further failures inside the window; escalate on the 10th.
rule "CorrelationLogin Level 2"
dialect "mvel"
no-loop
  when
    $e1 : Event( $sipaddress : sipaddress, $dipaddress : dipaddress,
                 type == "LOGIN", result == "FAILED" )
          over window:time( 50s ) from entry-point "EventStream"
    $ce : CorrelationEvent( sipaddress == $sipaddress, dipaddress == $dipaddress,
                            level == 1, $eventCount : eventCount < 10 )
  then
    $ce.setEventCount( $eventCount + 1 );
    if ( $ce.getEventCount() == 10 ) {
        $ce.setLevel( 2 );
    }
    // modify() requires a block in DRL; update() tells the engine the setters changed the fact
    update( $ce );
end

// Level 3: keep counting at level 2; escalate on the 40th failure.
rule "CorrelationLogin Level 3"
dialect "mvel"
no-loop
  when
    $e1 : Event( $sipaddress : sipaddress, $dipaddress : dipaddress,
                 type == "LOGIN", result == "FAILED" )
          over window:time( 50s ) from entry-point "EventStream"
    $ce : CorrelationEvent( sipaddress == $sipaddress, dipaddress == $dipaddress,
                            level == 2, $eventCount : eventCount < 40 )
  then
    $ce.setEventCount( $eventCount + 1 );
    if ( $ce.getEventCount() == 40 ) {
        $ce.setLevel( 3 );
    }
    update( $ce );
end
----------------------------------------------------------------------------------------------------
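As an added illustration (not part of this thread and not Drools code), the same correlation logic modelled in plain Python so the windowing and escalation can be exercised offline: one persistent CorrelationEvent per (source IP, destination IP) pair, created on the first failed login and escalated to level 2 at 10 and level 3 at 40 failures, never de-escalated, mirroring the rules above. It goes one step further than the rules in that it counts only failures still inside the 50-second window, so the count decays as old failures expire; the IP addresses and the escalations() helper are constructed sample data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_S = 50                    # same sliding window as "over window:time(50s)"
ESCALATION = ((40, 3), (10, 2))  # failure count -> level, as in rules "Level 3" / "Level 2"

@dataclass
class CorrelationEvent:          # mirrors the CorrelationEvent fact in the quoted rules
    sipaddress: str
    dipaddress: str
    level: int = 1
    event_count: int = 1

class LoginCorrelator:
    """Per (source IP, destination IP) pair: count failed logins inside the window and
    escalate a persistent CorrelationEvent at 10 and 40 failures; never de-escalate."""

    def __init__(self):
        self.failures = defaultdict(deque)  # (sip, dip) -> timestamps of recent failures
        self.correlations = {}              # (sip, dip) -> CorrelationEvent (has no @expires)

    def process(self, event):
        """Feed one event (in timestamp order); return the CorrelationEvent if its level changed."""
        if event["type"] != "LOGIN" or event["result"] != "FAILED":
            return None                     # only failed logins are correlated
        key = (event["sipaddress"], event["dipaddress"])
        now = event["eventTime"]
        window = self.failures[key]
        window.append(now)
        while now - window[0] > WINDOW_S:   # expire failures that left the 50s window
            window.popleft()
        ce = self.correlations.get(key)
        if ce is None:                      # rule "Level 1": first failure for this pair
            ce = self.correlations[key] = CorrelationEvent(*key)
            return ce
        ce.event_count = len(window)
        for threshold, level in ESCALATION: # rules "Level 2" / "Level 3"
            if ce.event_count >= threshold and ce.level < level:
                ce.level = level
                return ce
        return None

def escalations(timestamps, sip="198.51.100.7", dip="192.0.2.10"):
    """Feed constructed failed-LOGIN events at the given times; return [(time, level), ...]."""
    correlator, alerts = LoginCorrelator(), []
    for t in timestamps:
        ce = correlator.process({"eventTime": t, "sipaddress": sip, "dipaddress": dip,
                                 "type": "LOGIN", "result": "FAILED"})
        if ce is not None:
            alerts.append((t, ce.level))
    return alerts
```

Forty-five failures one second apart escalate at t=9 and t=39, while one failure every ten seconds never climbs past level 1 because older failures keep dropping out of the window.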


