Thanks Greg,

As you can see in the code I sent, I have the 2 implementations:

"SnortRule"

        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"

"SnortRuleRetract"

        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"

and neither of them fires

...

2009/7/22 Greg Barton <greg_bar...@yahoo.com>

>
> Maybe this is a problem of language.  Here's what you say the rule should
> do:
>
> 'After receiving a fact "MyModel" which name != "aaa", if another arrives
> with same ip and different id after a period between 0 and 5 minutes the
> rule has to retract the last one and keep the first fact (the older one)'
>
> Which I would interpret as "Event 1 comes in, then event 2 comes in between
> 0 and 5 minutes later."  Does that sound right?
>
> And here's the rule that you think fits the requirements:
>
> rule "SnortRule"
>    salience 2
>    dialect "mvel"
>    when
>        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>        $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
>    then
>        System.out.println("****************** Snort Alert!!!!" + $s1.getData());
>        retract($s1);
> end
>
> Check out the docs, though:
>
> https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
>
> The after operator in this case would check that (5m <= $s2.startTimestamp
> - $s1.endTimeStamp <= +infinity).
>
> So the rule actually implements "Event 1 comes in, then event 2 happens at
> least 5 minutes later."
>
> If you use the second argument of after I think it would work:
>
> $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1) from entry-point "Correlator"
>
> According to the docs this should check that (0m <= $s2.startTimestamp -
> $s1.endTimeStamp <= 5m).
>
> You could alternately use "overlaps".  Place an @duration(5m) annotation on
> the Snort declaration and try this condition:
>
> $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1) from entry-point "Correlator"
>
> _______________________________________________
> rules-users mailing list
> rules-users@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/rules-users
>
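To make the difference between `after [5m]` and `after [0m,5m]` concrete, here is an added Python example (not code from the thread, from Drools, or from Snort) that applies the docs' definition, lower <= $s2.start - $s1.end <= upper, to a constructed set of alerts and reports which ids the correlation rule would retract. The `Snort` class, its field names and the sample alerts are assumptions; events are treated as points in time, so there is no @duration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for the thread's Snort event type (field names assumed).
# Events are treated as points in time, so start == end (no @duration).
@dataclass
class Snort:
    id: int
    sig_name: str
    ip_dst: str
    ts: datetime

def after(s2, s1, lower, upper=None):
    """`this after [lower, upper] $s1` as the docs put it:
    lower <= s2.start - s1.end <= upper. A single bound, `after [5m]`, leaves
    upper at +infinity, so only events at least 5 minutes later match."""
    gap = s2.ts - s1.ts
    return gap >= lower if upper is None else lower <= gap <= upper

def correlates(s1, s2, lower, upper=None):
    """The SnortRule pattern: both non-portscan, different id, same ip_dst,
    plus the temporal constraint on $s2 relative to $s1."""
    return (s1.sig_name != "(portscan) Open Port"
            and s2.sig_name != "(portscan) Open Port"
            and s2.id != s1.id
            and s2.ip_dst == s1.ip_dst
            and after(s2, s1, lower, upper))

def ids_to_retract(events, lower, upper=None):
    """Replay the alerts in time order and return the ids the rule would
    retract: the newer of each correlated pair, keeping the older one as the
    requirement quoted in the thread asks."""
    kept, retracted = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        if any(correlates(old, ev, lower, upper) for old in kept):
            retracted.append(ev.id)
        else:
            kept.append(ev)
    return retracted

MIN = timedelta(minutes=1)
T0 = datetime(2009, 7, 22, 10, 0)
# Constructed sample: one destination, alerts at +0, +2, +7 min and a port-scan
# alert at +3 min that the sig_name constraint must exclude.
SAMPLE = [Snort(1, "TEST alert", "10.0.0.5", T0),
          Snort(2, "TEST alert", "10.0.0.5", T0 + 2 * MIN),
          Snort(3, "TEST alert", "10.0.0.5", T0 + 7 * MIN),
          Snort(4, "(portscan) Open Port", "10.0.0.5", T0 + 3 * MIN)]
```

With `after [5m]` only the alert 7 minutes later is retracted, while `after [0m,5m]` retracts the one 2 minutes later and leaves the 7-minute one alone; the port-scan alert never takes part in either pairing.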