Thanks Greg,

As you can see in the code I sent, I have the 2 implementations:

    "SnortRule"
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"

    "SnortRuleRetract"
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"

and any of them are thrown ...

2009/7/22 Greg Barton <greg_bar...@yahoo.com>

> Maybe this is a problem of language. Here's what you say the rule should
> do:
>
> 'After receiving a fact "MyModel" which name != "aaa", if arrives another
> with same ip and different id after a period between 0 and 5 minutes the
> rule have to retract the last one and keep the first fact (the older one)'
>
> Which I would interpret as "Event 1 comes in, then event 2 comes in between
> 0 and 5 minutes later." Does that sound right?
>
> And here's the rule that you think fits the requirements:
>
> rule "SnortRule"
>     salience 2
>     dialect "mvel"
>     when
>         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
>     then
>         System.out.println("****************** Snort Alert!!!!" + $s1.getData());
>         retract($s1);
> end
>
> Check out the docs, though:
>
> https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
>
> The after operator in this case would check that (5m <= $s2.startTimestamp
> - $s1.endTimeStamp <= +infinity).
>
> So the rule actually implements "Event 1 comes in, then event 2 happens at
> least 5 minutes later."
>
> If you use the second argument of after I think it would work:
>
> $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1) from entry-point "Correlator"
>
> According to the docs this should check that (0m <= $s2.startTimestamp -
> $s1.endTimeStamp <= 5m).
>
> You could alternately use "overlaps". Place an @duration(5m) annotation on
> the Snort declaration and try this condition:
>
> $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1) from entry-point "Correlator"
>
> _______________________________________________
> rules-users mailing list
> rules-users@lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/rules-users
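The three candidate conditions in the thread differ only in their temporal operator, and the thread quotes the documented meaning of each. The following is an added Python model of those documented semantics (it is not Drools code and not part of the original post or of the Drools project): `after` with one or two bounds and `overlaps` are implemented as the docs define them, and the non-temporal constraints from the rule (`sig_name`, `id`, `ip_dst`) are applied to a small constructed stream of Snort-like events so that each condition can be compared on the same input. It goes slightly beyond the thread by also including `overlappedby`, the documented mirror of `overlaps`, because the operand order of `overlaps` is what decides which event ends up bound to `$s1`. The `Snort` dataclass, the event ids, IPs, signature names and timestamps are all constructed for the example.

```python
"""Model of the Drools Fusion temporal operators discussed in the thread.

Added illustration only: the functions below mirror the documented
definitions of 'after' and 'overlaps'; they are not Drools itself.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

INF = float("inf")
MINUTE = 60.0


@dataclass(frozen=True)
class Snort:
    """Constructed stand-in for the Snort event type used in the rules."""
    id: int
    sig_name: str
    ip_dst: str
    start: float           # event timestamp in seconds (constructed)
    duration: float = 0.0  # emulates @duration; 0 means a point-in-time event

    @property
    def end(self) -> float:
        return self.start + self.duration


def after(this: Snort, other: Snort, lo: float, hi: float = INF) -> bool:
    """'this after [lo, hi] other' per the Fusion docs:
    lo <= this.start - other.end <= hi.  A single bound means [lo, +infinity)."""
    return lo <= this.start - other.end <= hi


def overlaps(this: Snort, other: Snort) -> bool:
    """'this overlaps other' per the Fusion docs: this starts before other
    starts, other starts before this ends, and this ends before other ends."""
    return this.start < other.start < this.end < other.end


def overlapped_by(this: Snort, other: Snort) -> bool:
    """'this overlappedby other': the mirror image of overlaps."""
    return overlaps(other, this)


def base_constraints(s1: Snort, s2: Snort) -> bool:
    """Non-temporal part shared by every condition in the thread."""
    return (s1.sig_name != "(portscan) Open Port"
            and s2.sig_name != "(portscan) Open Port"
            and s2.id != s1.id
            and s2.ip_dst == s1.ip_dst)


# Each entry evaluates the rule's second pattern with `this` bound to $s2.
CONDITIONS: Dict[str, Callable[[Snort, Snort], bool]] = {
    "after [5m]":    lambda s1, s2: after(s2, s1, 5 * MINUTE),
    "after [0m,5m]": lambda s1, s2: after(s2, s1, 0.0, 5 * MINUTE),
    "overlaps":      lambda s1, s2: overlaps(s2, s1),
    "overlappedby":  lambda s1, s2: overlapped_by(s2, s1),
}


def matching_pairs(events: List[Snort], condition_name: str,
                   duration: float = 0.0) -> List[Tuple[int, int]]:
    """Return ($s1.id, $s2.id) for every ordered pair of events that satisfies
    the base constraints plus the named temporal condition.  `duration`
    emulates putting @duration on the Snort declaration."""
    cond = CONDITIONS[condition_name]
    evs = [Snort(e.id, e.sig_name, e.ip_dst, e.start, duration) for e in events]
    return [(s1.id, s2.id) for s1 in evs for s2 in evs
            if base_constraints(s1, s2) and cond(s1, s2)]


# Constructed sample stream: three alerts to one host plus one port-scan alert
# that the sig_name constraint must filter out.
SAMPLE: List[Snort] = [
    Snort(1, "CONSTRUCTED alert A", "10.0.0.5", start=0.0),
    Snort(2, "CONSTRUCTED alert A", "10.0.0.5", start=2 * MINUTE),
    Snort(3, "(portscan) Open Port", "10.0.0.5", start=3 * MINUTE),
    Snort(4, "CONSTRUCTED alert A", "10.0.0.5", start=7 * MINUTE),
]

if __name__ == "__main__":
    for name in ("after [5m]", "after [0m,5m]"):
        print(f"{name:14} -> {matching_pairs(SAMPLE, name)}")
    for name in ("overlaps", "overlappedby"):
        print(f"{name:14} -> {matching_pairs(SAMPLE, name, duration=5 * MINUTE)}")
```

Running it over the sample shows the difference Greg describes: `after [5m]` only pairs event 4 with the two alerts at least five minutes before it, while `after [0m,5m]` pairs (1,2) and (2,4); the (2,4) pair sits exactly on the 5m boundary and satisfies both forms because the bounds are inclusive. With a 5m `@duration`, `overlaps` in the documented operand order matches only with `$s1` bound to the later event (2) and `$s2` to the earlier one (1), so a `retract($s1)` in that rule would remove the newer event, whereas under `after [0m,5m]` the binding is `$s1` = older, `$s2` = newer and `retract($s1)` removes the older one; `overlappedby` gives the `after`-style binding. Without `@duration` the events are instants and `overlaps` never matches at all.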