Thanks Greg,<br><br>As you can see in the code I sent, I have the two implementations:<br><br>"SnortRule"<br><br> $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"<br>
 $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"<br>
<br>"SnortRuleRetract"<br> $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"<br> $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"<br>
<br>and neither of them fires.<br><br>...<br><br><div class="gmail_quote">2009/7/22 Greg Barton <span dir="ltr"><<a href="mailto:greg_barton@yahoo.com">greg_barton@yahoo.com</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
Maybe this is a problem of language. Here's what you say the rule should do:<br>
<br>
'After receiving a fact "MyModel" whose name != "aaa", if another arrives<br>
with the same ip and a different id after a period between 0 and 5 minutes, the<br>
rule has to retract the last one and keep the first fact (the older one)'<br>
<br>
Which I would interpret as "Event 1 comes in, then event 2 comes in between 0 and 5 minutes later." Does that sound right?<br>
<br>
And here's the rule that you think fits the requirements:<br>
<br>
rule "SnortRule"<br>
salience 2<br>
dialect "mvel"<br>
when<br>
$s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"<br>
$s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"<br>
then<br>
System.out.println("****************** Snort Alert!!!!" + $s1.getData());<br>
retract($s1);<br>
end<br>
<br>
Check out the docs, though:<br>
<br>
<a href="https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622" target="_blank">https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622</a><br>
<br>
The after operator in this case would check that (5m <= $s2.startTimestamp - $s1.endTimestamp <= +infinity).<br>
<br>
So the rule actually implements "Event 1 comes in, then event 2 happens at least 5 minutes later."<br>
<br>
If you use the second argument of after I think it would work:<br>
<br>
$s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1) from entry-point "Correlator"<br>
<br>
According to the docs this should check that (0m <= $s2.startTimestamp - $s1.endTimestamp <= 5m).<br>
<br>
You could alternatively use "overlaps". Place an @duration(5m) annotation on the Snort declaration and try this condition:<br>
<br>
$s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1) from entry-point "Correlator"<br>
<br>
_______________________________________________<br>
rules-users mailing list<br>
<a href="mailto:rules-users@lists.jboss.org">rules-users@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/rules-users" target="_blank">https://lists.jboss.org/mailman/listinfo/rules-users</a><br>
</blockquote></div><br>
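The distinction Greg draws between `after [5m]` and `after [0m,5m]`, shown as an added example (Python, not code from the thread or from Drools): it models the interval semantics quoted from the Drools Fusion docs and runs the rule's other conditions (same ip_dst, different id, sig_name not "(portscan) Open Port") over constructed Snort alerts. Everything in it is assumed for illustration: the `Snort` class, the `after` and `correlate` helpers, and the alert ids, signatures, addresses and timestamps.

```python
# Added example, not code from the thread or from Drools: a small model of the
# Drools Fusion `after` operator as quoted from the docs in the thread,
#     B after[lo]     A  <=>  lo <= B.start - A.end <= +infinity
#     B after[lo, hi] A  <=>  lo <= B.start - A.end <= hi
# applied together with the rule's other conditions. Alert ids, signatures,
# addresses and timestamps below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple

MINUTE = 60  # all times are in seconds


@dataclass(frozen=True)
class Snort:
    id: int
    sig_name: str
    ip_dst: str
    timestamp: int     # start of the event, seconds since epoch
    duration: int = 0  # 0 models a point event (start == end), i.e. no @duration

    @property
    def start(self) -> int:
        return self.timestamp

    @property
    def end(self) -> int:
        return self.timestamp + self.duration


def after(b: Snort, a: Snort, lo: int, hi: Optional[int] = None) -> bool:
    """`b after[lo, hi] a`; hi=None is the one-argument form (upper bound +infinity)."""
    gap = b.start - a.end
    return gap >= lo and (hi is None or gap <= hi)


def correlate(events: List[Snort], lo: int, hi: Optional[int] = None,
              excluded_sig: str = "(portscan) Open Port") -> List[Tuple[int, int]]:
    """Return (s1.id, s2.id) pairs that satisfy the rule's left-hand side.

    Only the conditions are evaluated; the retract() in the consequence is not
    simulated, so every matching pair is reported.
    """
    matches = []
    candidates = [e for e in events if e.sig_name != excluded_sig]
    for s1 in candidates:
        for s2 in candidates:
            if s2.id == s1.id or s2.ip_dst != s1.ip_dst:
                continue
            if after(s2, s1, lo, hi):
                matches.append((s1.id, s2.id))
    return sorted(matches)


T0 = 1_248_249_600  # constructed base time
ALERTS = [
    Snort(1, "ET SCAN Nmap Scripting Engine", "10.0.0.5", T0),
    Snort(2, "(portscan) Open Port",         "10.0.0.5", T0 + 1 * MINUTE),  # excluded by sig_name
    Snort(3, "ET EXPLOIT Generic Overflow",  "10.0.0.5", T0 + 2 * MINUTE),  # 2m after #1
    Snort(4, "ET WEB_SERVER Probe",          "10.0.0.9", T0 + 3 * MINUTE),  # different ip_dst
    Snort(5, "ET POLICY Outbound Shell",     "10.0.0.5", T0 + 7 * MINUTE),  # 7m after #1, exactly 5m after #3
]


def demo() -> Tuple[List[Tuple[int, int]], List[Tuple[int, int]]]:
    at_least_5m = correlate(ALERTS, 5 * MINUTE)   # this after [5m] $s1
    within_5m = correlate(ALERTS, 0, 5 * MINUTE)  # this after [0m,5m] $s1
    return at_least_5m, within_5m


if __name__ == "__main__":
    a, w = demo()
    print("after [5m]    ->", a)  # [(1, 5), (3, 5)]: the 2-minute follow-up is missed
    print("after [0m,5m] ->", w)  # [(1, 3), (3, 5)]: the 2-minute follow-up is matched
```

Run it as a script to see both pairings. The alert that arrives exactly five minutes after its predecessor matches both forms because the documented bounds are inclusive, while the two-minute follow-up is only caught by the two-argument form. Point events (no `@duration`) have `end == start`, which is what the subtraction in the docs reduces to here.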