Hi again,<br><br>Here is the info from my engine execution:<br><br> KnowledgeBaseConfiguration config = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();<br> config.setOption( EventProcessingOption.STREAM );<br>
<br> KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(config);<br> kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());<br> <br> SessionConfiguration sessionConf = new SessionConfiguration();<br>
sessionConf.setClockType(ClockType.REALTIME_CLOCK);<br> <br> ksession = kbase.newStatefulKnowledgeSession(<br> sessionConf, env);<br><br>And here is the inserting method:<br> ksession.getWorkingMemoryEntryPoint("Correlator").insert(fact);<br>
ksession.fireAllRules();<br><br>So I don't understand why my CEP rules never fire ...<br><br>Thanks again,<br><br>nestabur<br><br><div class="gmail_quote">2009/7/22 Nestor Tarin Burriel <span dir="ltr"><<a href="mailto:nestabur@gmail.com">nestabur@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im">Hi Edson,<br><br>Thanks for the fix, but the problem still happens :(<br><br>
Here is my complete .drl file:<br><br></div>package Correlator<div class="im"><br>global com.s2grupo.triton.global.Context Context<br><br></div>declare Snort<br> @role( event )<br>
icmp_code: String<br> tcp_sport: String<br> data: String<br> sig_rev: String<br> tcp_dport: String<br> udp_sport: String<br> hostname: String<br> interface: String<br> sig_priority: String<br>
icmp_type: String<br>
id: java.lang.Long<br> sig_class_name: String<br> ip_dst: String<br> sig_name: String<br> udp_dport: String<br> ip_src: String<br> event_date: java.util.Date<br>end<br><br>rule "SnortRule"<div class="im">
<br>
salience 2<br> dialect "mvel"<br> when<br></div> $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"<br> $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"<br>
then<br> System.out.println("****************** Snort Alert!!!!" + $s1.getData());<div class="im"><br> retract($s1);<br>end<br><br><br>rule "SnortRuleRetract"<br> salience 1<br> dialect "mvel"<br>
when<br></div> $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"<br> $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"<br>
then<br> retract($s2);<br> System.out.println(" ********* Deleting Fact From WM");<div class="im"><br>end<br><br><br>rule "SnortRule0"<br> salience 0<br> dialect "mvel"<br>
when<br></div>
$s1 : Snort( this.sig_name != "(portscan) Open Port") from entry-point "Correlator"<br> then<br> System.out.println("********* Snort Alert 0!!" + $s1.getData());<br>end<br>
<br>
As you can see, I'm trying to correlate snort events with drools.<br><br>With this scenario, the only rule that is firing is "SnortRule0"<br><br><div class="gmail_quote"><div class="im">2009/7/21 Edson Tirelli <span dir="ltr"><<a href="mailto:tirelli@post.com" target="_blank">tirelli@post.com</a>></span><br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br><div><div></div><div class="h5"> Your rule is wrong, as you are defining 3 patterns and the second pattern is looking for a fact in the main entry point, not your defined "MyEntryPoint".<br>
Fix it doing:<br><br>$s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after [0m,5m] $s1) from entry-point "MyEntryPoint"<br>
<br> []s<br> Edson<br><br><div class="gmail_quote">2009/7/21 nestabur <span dir="ltr"><<a href="mailto:nestabur@gmail.com" target="_blank">nestabur@gmail.com</a>></span><div><div></div><div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
Hi all,<br>
<br>
I'm getting crazy trying to create a CEP rule in Drools 5.0.1 :(<br>
<br>
The rule is:<br>
===============<br>
rule "RetractOlderFacts"<br>
dialect "mvel"<br>
when<br>
$s1 : MyModel( name != "aaa") from entry-point "MyEntryPoint"<br>
$s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1) and MyModel (<br>
this after [0m,5m] $s1) from entry-point "MyEntryPoint"<br>
then<br>
retract($s2);<br>
System.out.println(" ********* Retracting from WM");<br>
end<br>
===============<br>
<br>
The scenario is:<br>
"After receiving a fact "MyModel" which name != "aaa", if another arrives<br>
with same ip and different id after a period between 0 and 5 minutes the<br>
rule has to retract the last one and keep the first fact (the older one)"<br>
<br>
After receiving hundreds and hundreds of facts via JMS that may match with the<br>
rule condition, the rule never throws!<br>
<br>
is the rule correct?<br>
could the problem be at the rule engine implementation?<br>
<br>
Could anyone help me please?<br>
<br>
Thanks in advance,<br>
<br>
nestabur<br>
<font color="#888888">--<br>
View this message in context: <a href="http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html" target="_blank">http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html</a><br>
Sent from the drools - user mailing list archive at Nabble.com.<br>
<br>
_______________________________________________<br>
rules-users mailing list<br>
<a href="mailto:rules-users@lists.jboss.org" target="_blank">rules-users@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/rules-users" target="_blank">https://lists.jboss.org/mailman/listinfo/rules-users</a><br>
</font></blockquote></div></div></div><br>
<br></div></div></blockquote></div><br>
</blockquote></div><br>
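Added example, not part of the original thread or of Drools: a plain-Java reference model of the scenario stated in the first message (keep the oldest event per destination IP, drop later ones that arrive inside the 0 to 5 minute window), usable as an oracle when unit-testing the rules. The class name, the Snort record and the sample events are assumptions made for illustration; it needs Java 16 or later and makes no claim about how the engine itself evaluates `after`.

```java
import java.util.*;

public class SuppressionWindowModel {
    static final long WINDOW_MS = 5 * 60 * 1000L;             // the thread's [0m,5m] interval
    static final String IGNORED_SIG = "(portscan) Open Port"; // excluded by every rule in the .drl

    // Hypothetical stand-in for the declared Snort fact; only the fields the rules test.
    record Snort(long id, String ipDst, String sigName, long eventMillis) {}

    /** Returns ids left in "working memory"; ids of suppressed events are appended to retracted. */
    static List<Long> correlate(List<Snort> arrivals, List<Long> retracted) {
        Map<String, Snort> anchorByDst = new HashMap<>();     // oldest kept event per ip_dst
        List<Long> kept = new ArrayList<>();
        for (Snort e : arrivals) {                            // assumed sorted by arrival time
            if (IGNORED_SIG.equals(e.sigName())) { kept.add(e.id()); continue; }
            Snort anchor = anchorByDst.get(e.ipDst());
            boolean inWindow = anchor != null && e.id() != anchor.id()
                    && e.eventMillis() - anchor.eventMillis() <= WINDOW_MS;
            if (inWindow) {
                retracted.add(e.id());                        // later event, same ip_dst, within 5 minutes
            } else {
                anchorByDst.put(e.ipDst(), e);                // first sighting, or the window has expired
                kept.add(e.id());
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        long min = 60_000L;
        List<Snort> arrivals = List.of(                       // constructed sample events
            new Snort(1, "192.0.2.10", "ICMP PING", 0),
            new Snort(2, "192.0.2.10", "ICMP PING", 2 * min),
            new Snort(3, "192.0.2.20", IGNORED_SIG, 3 * min),
            new Snort(4, "192.0.2.10", "WEB-MISC probe", 5 * min),   // exactly on the boundary
            new Snort(5, "192.0.2.10", "ICMP PING", 5 * min + 1));   // just past it
        List<Long> retracted = new ArrayList<>();
        System.out.println("kept      = " + correlate(arrivals, retracted));
        System.out.println("retracted = " + retracted);
    }
}
```

Feeding the same arrival sequence to the rule session under a controllable clock and comparing its retractions with this model shows whether the temporal constraints match the intended window.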