[rules-users] Implementation of my use case - what am I doing wrong?

Elran Dvir elrand at checkpoint.com
Tue Sep 17 04:59:13 EDT 2013


Thanks for the quick response.

I have some more questions:

	1. As I understand it, the timestamp attribute should be of type long, representing the milliseconds since January 1, 1970, 00:00:00 GMT. Am I right?
	2. As I understand it, the duration attribute should be in milliseconds. I fixed it accordingly. Am I right?
	3. When I replaced "(this meets $ce || this during $ce || this metby $ce)" with "$ce.startTimestamp <= startTimestamp , endTimestamp <= $ce.endTimestamp"
	    I got the following Drools compile exceptions:

		Unable to Analyse Expression $ce.startTimestamp:
		[Error: unable to resolve method using strict-mode: com.checkpoint.correlation.impl.drools.CorrelatedEvent.startTimestamp()]
		[Near : {... $ce.startTimestamp ....}]
		             ^
		[Line: 61, Column: 28] : [Rule name='Create Port Scan Event - update']

		Unable to Analyse Expression $ce.startTimestamp <= startTimestamp:
		[Error: unable to resolve method using strict-mode: com.checkpoint.correlation.impl.drools.CorrelatedEvent.startTimestamp()]
		[Near : {... $ce.startTimestamp <= startTimesta ....}]
		             ^
		[Line: 61, Column: 28] : [Rule name='Create Port Scan Event - update']

		Unable to Analyse Expression endTimestamp <= $ce.endTimestamp:
		[Error: unable to resolve method using strict-mode: com.checkpoint.correlation.impl.drools.CpLog.endTimestamp()]
		[Near : {... endTimestamp <= $ce.endTimesta ....}]
		             ^
		[Line: 61, Column: 28] : [Rule name='Create Port Scan Event - update']

		Unable to Analyse Expression $ce.startTimestamp:
		[Error: unable to resolve method using strict-mode: com.checkpoint.correlation.impl.drools.CorrelatedEvent.startTimestamp()]
		[Near : {... $ce.startTimestamp ....}]

	   Why?
	4. I tested my working implementation of the temporal relation in rule "Create Port Scan Event - update" ("this after $ce.getStartTime() , this before $ce.getEndTime()").
	    I inserted a connection log and fired the rules every second. I have 25 logs with the same "src" and "dst", but each has a different (serial) "port" and "marker".
	    I print the rule fired and the port set of the logs triggering it.
	    I got this behavior: for the second and third "rounds" (after 10 seconds and 20 seconds), the first rule processes logs already processed by the second rule.

	   Output example:
		rule fired: Create Port Scan Event - update
		portSet: [10, 7, 6, 5, 4, 9, 8, 11, 12]

		rule fired: Create Port Scan Event
		portSet: [13, 11, 12]

	   I understand this behavior, so I changed the order of conditions in the LHS of the first rule ("not CorrelatedEvent..." to be the second):
		$log : CpLog() // get all the logs in the last 5 seconds
		not CorrelatedEvent( getName() == "portScan",
		                     fieldsMap.get("src") == $log.fieldsMap.get("src"), fieldsMap.get("dst") == $log.fieldsMap.get("dst") )
		accumulate( CpLog( this after[0s,5s] $log,
		                   fieldsMap.get("src") == $log.fieldsMap.get("src"), fieldsMap.get("dst") == $log.fieldsMap.get("dst"),
		                   $port : fieldsMap.get("port") );
		            $portSet : collectSet($port);
		            $portSet.size > 2 )
		accumulate( CpLog( this after[0s,5s] $log,
		                   fieldsMap.get("src") == $log.fieldsMap.get("src"), fieldsMap.get("dst") == $log.fieldsMap.get("dst"),
		                   $marker : fieldsMap.get("marker") );
		            $markerSet : collectSet($marker) )

	   But then I get the following output for the first 4 logs:
		rule fired: Create Port Scan Event
		portSet: []

		rule fired: Create Port Scan Event - update
		portSet: [13, 11, 12]

	   Why is that? Where did the first 3 events disappear to? How can "portSet" be empty with the condition $portSet.size > 2?

Thanks a lot.

-----Original Message-----
From: rules-users-bounces at lists.jboss.org [mailto:rules-users-bounces at lists.jboss.org] On Behalf Of Wolfgang Laun
Sent: Sunday, September 15, 2013 8:08 PM
To: Rules Users List
Subject: Re: [rules-users] Implementation of my use case - what am I doing wrong?

On 15/09/2013, Elran Dvir <elrand at checkpoint.com> wrote:

> my questions:
>
> 1)      If I have only one stream of data , can I omit the use of entry
> point and insert logs to the session ? Or the use of entry points is 
> mandatory in Drools Fusion?

Yes. No. An entry point is just an additional attribute added "on the fly", where you don't have a source identification in the pojo.

>
> 2)       When I tested it with matching data, rule "Create Port Scan Event -
> update" was never fired. When I replaced "(this meets $ce || this 
> during $ce
> || this metby $ce)" with "this after $ce.getStartTime() , this before
> $ce.getEndTime()" everything worked fine.
> Why?

Just take the constraints and replace the temporal operator by its definition in the "Fusion" manual and use a little elementary math:

    A meets B || A during B || A metby B
becomes
    abs( B.startTimestamp - A.endTimestamp ) == 0 ||
    B.startTimestamp < A.startTimestamp && A.endTimestamp < B.endTimestamp ||
    abs( A.startTimestamp - B.endTimestamp ) == 0
becomes
    ...


>
> 3)      I tried to use sliding windows in  rule "Create Port Scan Event" and
> an exception was thrown at runtime. I decided to use "this 
> after[0s,5s] $log" instead. Is it correct?

A sliding window is not the same as the temporal relation of two events. If the rule does what it ought to, I'd say, yes, it is correct.

>
> 4)      Is my basic Implementation correct?

A bit much to ask, don't you think?

-W
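Wolfgang's suggestion carried out, as an added example that is not part of the thread or of Drools: the temporal operators involved written as the interval arithmetic the Fusion manual defines them with (my assumption: CpLog carries no @duration, so each log is a point event), comparing the constraint that never fired with the rewrite that did.

```python
# Added example, not code from the thread or from Drools itself: the Fusion temporal
# operators under discussion, written as the interval arithmetic the "Fusion" manual
# defines them with. An event is a (start_ms, end_ms) pair in epoch milliseconds; a
# CpLog without @duration is a point event (start == end).

def meets(a, b, tol_ms=0):
    # "A meets B": A ends where B starts (within an optional tolerance)
    return abs(b[0] - a[1]) <= tol_ms

def metby(a, b, tol_ms=0):
    # "A metby B": A starts where B ends
    return abs(a[0] - b[1]) <= tol_ms

def during(a, b):
    # "A during B": A lies strictly inside B on both ends
    return b[0] < a[0] and a[1] < b[1]

def after(a, b, lo_ms=1, hi_ms=float("inf")):
    # "A after[lo,hi] B": A starts lo..hi ms after B ends; the bare form
    # ("this after $x") is after[1ms, +inf], i.e. A.start > B.end
    return lo_ms <= a[0] - b[1] <= hi_ms

def before(a, b, lo_ms=1, hi_ms=float("inf")):
    # "A before[lo,hi] B": B starts lo..hi ms after A ends
    return lo_ms <= b[0] - a[1] <= hi_ms

def point(ts_ms):
    # a bare timestamp such as $ce.getStartTime() acts as a zero-length event
    return (ts_ms, ts_ms)

def original_constraint(log, ce):
    # "this meets $ce || this during $ce || this metby $ce" (the one that never fired)
    return meets(log, ce) or during(log, ce) or metby(log, ce)

def replacement_constraint(log, ce):
    # "this after $ce.getStartTime() , this before $ce.getEndTime()" (the one that worked)
    return after(log, point(ce[0])) and before(log, point(ce[1]))

def in_scan_window(log, anchor):
    # "CpLog( this after[0s,5s] $log )" from the port-scan rule; with a 0s lower
    # bound the anchor log itself (distance 0) satisfies it
    return after(log, anchor, lo_ms=0, hi_ms=5_000)

def disagreements(ce, log_times_ms):
    # constructed point logs on which the two constraints give different answers
    return [t for t in log_times_ms
            if original_constraint(point(t), ce) != replacement_constraint(point(t), ce)]

CE = (0, 10_000)  # constructed: a CorrelatedEvent open from t=0 to t=10 s
BOUNDARY_ONLY = disagreements(CE, range(0, 12_001, 2_000))  # → [0, 10000]
```

For point logs strictly inside the correlated event the two constraints agree; they differ only on a log sitting exactly on the event's start or end, which the original accepts (meets / metby) and the rewrite rejects.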