[rules-users] using eval(function(this))) in rule LHS

Elran Dvir elrand at checkpoint.com
Wed Oct 16 03:52:23 EDT 2013


Hi all,

I have a DRL similar to the following:

package com.checkpoint.correlation.impl.drools.package1;

import java.util.Date
import java.util.HashMap
import com.checkpoint.correlation.impl.drools.Log
import com.checkpoint.correlation.impl.drools.CorrelatedEvent

global com.checkpoint.correlation.server.EventsHandler externalEventsHandler;

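function boolean filter(Log log) {
                // Accepts a log only if it carries a "port" field and its "product" is not "-1".
                // The original called .toString() on get("product") without a null check, so a log
                // with a port but no product raised a NullPointerException during rule evaluation.
                // NOTE(review): a missing product is treated here as "not -1" (the log is kept);
                // confirm whether such logs should be kept or dropped.
                Object port = log.fieldsMap.get("port");
                Object product = log.fieldsMap.get("product");
                return port != null && (product == null || !"-1".equals(product.toString()));
}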

// Severity reported for a correlated event; in this listing it is the constant "High"
// and does not depend on the log passed in.
function String calcSeverity(Log log) {
                String severity = "High";
                return severity;
}

// Marks Log facts as events, so temporal operators such as `after` can be applied to them.
declare Log
      @role( event)
end

// CorrelatedEvent facts are events as well; @expires( 10s ) gives them a 10-second expiration offset.
// NOTE(review): expiration presumably only takes effect when the session runs in stream mode - confirm.
declare CorrelatedEvent
        @role( event)
        @expires( 10s )
end

// Creates a "portScan" CorrelatedEvent for a src/dst pair when none exists yet
// for the same group-by values (src, dst).
rule "Create Port Scan Event"
dialect "java"
// no-loop: the insert($ce) in the consequence must not re-activate this same rule.
no-loop
when
                // Anchor event: any Log accepted by filter(). This inline eval(filter(this)) form is
                // the one for which the poster reports "Cannot use this in a static context".
                $log : Log(eval(filter(this)))
                // Distinct ports of filtered Log events that occur 0-5s after $log with the same
                // src and dst; the rule only proceeds when more than 2 distinct ports were seen.
                accumulate(Log(eval(filter(this)) , this after[0s,5s] $log, fieldsMap.get("src") == $log.fieldsMap.get("src") , fieldsMap.get("dst") == $log.fieldsMap.get("dst"), $port : fieldsMap.get("port"));
                               $portSet : collectSet($port);
                               $portSet.size > 2 )
                // Distinct "marker" values of events in the same window and src/dst whose port is in $portSet.
                // NOTE(review): this pattern is on CpLog, which is neither imported nor declared in this
                // listing (the first accumulate uses Log) - confirm the intended type.
                accumulate( CpLog(eval(filter(this)), this after[0s,5s] $log, fieldsMap.get("src") == $log.fieldsMap.get("src") , fieldsMap.get("dst") == $log.fieldsMap.get("dst"), $portSet.contains(fieldsMap.get("port")), $marker : fieldsMap.get("marker"));
                               $markerSet : collectSet($marker))
                // Suppression: do not fire while a "portScan" CorrelatedEvent exists for this src/dst.
                // CorrelatedEvent is declared with @expires( 10s ), so the suppression presumably
                // lasts about 10 seconds per src/dst pair - confirm.
                not CorrelatedEvent(getId() == "portScan" , groupByFieldsMap.get("src") == $log.fieldsMap.get("src") , groupByFieldsMap.get("dst") == $log.fieldsMap.get("dst"))
then
  // NOTE(review): debug output goes to stdout; a logger would be easier to control in a deployed engine.
  System.out.println("port scan");
  System.out.println(drools.getRule().getId());

  // Record the detection as a fact so the `not CorrelatedEvent(...)` condition above
  // suppresses further events for the same src/dst.
  CorrelatedEvent $ce = new CorrelatedEvent("portScan");
  $ce.groupByFieldsMap.put("src", $log.fieldsMap.get("src"));
  $ce.groupByFieldsMap.put("dst", $log.fieldsMap.get("dst"));
  insert($ce);

  // Build the outgoing event: src and dst come from the anchor log, severity from calcSeverity(),
  // and markers is the string form of the collected marker set.
  // NOTE(review): src, dst and markers are copied from log fields; the receiving handler
  // should presumably treat them as untrusted data - confirm how handleEvent uses them.
  HashMap<String,Object> fieldsMap = new HashMap<String,Object>();
  fieldsMap.put("src",$log.fieldsMap.get("src"));
  fieldsMap.put("dst",$log.fieldsMap.get("dst"));
  fieldsMap.put("cu_rule_severity", calcSeverity($log));
  fieldsMap.put("markers",$markerSet.toString());

  externalEventsHandler.handleEvent(fieldsMap);
end

When I compile it, I get the error "Cannot use this in a static context".
This is caused by the use of filter(this).
I know that in this example, I can write my conditions inside the fact, but I have more complicated cases, so I prefer to use a function.

So, how can I use a function with the fact being processed?

Thanks!