Hi again Greg,

I've tried your suggestion and it seems like the facts that the rule is
checking are the same.

This is my last try:

rule "SnortRuleRetract"
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port")
        $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id)
    then
        retract($s2);
        System.out.println(" ********* Deleting from WM");
end

And it is never fired ...

There are no more rules in the package, this is the only one ... so I don't
understand anything ... could the error be in the engine? I don't retract any
fact ... as you can see in my code ...

NEStor

2009/7/23 Nestor Tarin Burriel <nesta...@gmail.com>

> Yes, that is the purpose ;)
>
> I will try ;)
>
> Thanks 4 your help
>
>
> 2009/7/22 Greg Barton <greg_bar...@yahoo.com>
>
>>
>> Ah, overlooked that second rule.  Have you tried the overlap operator?
>>
>> So, just to clarify, the purpose of the two rules should be:
>>
>> SnortRule: If two Snort events that are not port scans of an open port on
>> the same destination arrive more than 5 minutes apart, delete the earlier
>> one.
>>
>> SnortRuleRetract: If two Snort events that are not port scans of an open
>> port on any two destinations arrive within 5 minutes of each other, delete
>> the earlier one.
>>
>> Have you tried removing the temporal operators completely, just for
>> testing purposes?  What happens?  i.e.
>>
>> "TimelessSnortRule"
>>         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point
>> "Correlator"
>>         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id,
>> ip_dst == $s1.ip_dst) from entry-point "Correlator"
>>
>> "TimelessSnortRuleRetract"
>>         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point
>> "Correlator"
>>         $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id)
>> from entry-point "Correlator"
>>
>>
>> --- On Wed, 7/22/09, Nestor Tarin Burriel <nesta...@gmail.com> wrote:
>>
>> > From: Nestor Tarin Burriel <nesta...@gmail.com>
>> > Subject: Re: [rules-users] CEP Rule Help Needed
>> > To: "Rules Users List" <rules-users@lists.jboss.org>
>> > Date: Wednesday, July 22, 2009, 1:47 PM
>> > Thanks Greg,
>> >
>> > As you can see in the code I sent, I have the 2
>> > implementations:
>> >
>> > "SnortRule"
>> >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>> >         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
>> >
>> > "SnortRuleRetract"
>> >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>> >         $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"
>> >
>> > and any of them are thrown
>> >
>> > ...
>> >
>> > 2009/7/22 Greg Barton <greg_bar...@yahoo.com>
>> >
>> > Maybe this is a problem of language.  Here's what you
>> > say the rule should do:
>> >
>> > 'After receiving a fact "MyModel" which name
>> > != "aaa", if arrives another
>> > with same ip and different id after a
>> > period between 0 and 5 minutes the
>> > rule have to retract the last one and keep the first
>> > fact (the older one)'
>> >
>> > Which I would interpret as "Event 1 comes in, then
>> > event 2 comes in between 0 and 5 minutes later."  Does
>> > that sound right?
>> >
>> > And here's the rule that you think fits the
>> > requirements:
>> >
>> > rule "SnortRule"
>> >     salience 2
>> >     dialect "mvel"
>> >     when
>> >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>> >         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
>> >     then
>> >         System.out.println("****************** Snort Alert!!!!" + $s1.getData());
>> >         retract($s1);
>> > end
>> >
>> > Check out the docs, though:
>> >
>> > https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
>> >
>> > The after operator in this case would check that (5m <=
>> > $s2.startTimestamp - $s1.endTimeStamp <= +infinity).
>> >
>> > So the rule actually implements "Event 1 comes in,
>> > then event 2 happens at least 5 minutes later."
>> >
>> > If you use the second argument of after I think it would
>> > work:
>> >
>> > $s2 : Snort( sig_name != "(portscan) Open Port" ,
>> > id != $s1.id, ip_dst == $s1.ip_dst, this
>> > after [0m,5m] $s1) from entry-point "Correlator"
>> >
>> > According to the docs this should check that (0m <=
>> > $s2.startTimestamp - $s1.endTimeStamp <= 5m).
>> >
>> > You could alternately use "overlaps".  Place an
>> > @duration(5m) annotation on the Snort declaration and try
>> > this condition:
>> >
>> > $s2 : Snort( sig_name != "(portscan) Open Port" ,
>> > id != $s1.id, ip_dst == $s1.ip_dst, this
>> > overlaps $s1) from entry-point "Correlator"
>> >
>> > _______________________________________________
>> > rules-users mailing list
>> > rules-users@lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/rules-users
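To make the `after` bound semantics Greg quotes from the Drools Fusion docs concrete, here is an added Python simulation (not Drools code and not from anyone in the thread) that evaluates the single-bound `after [5m]`, the two-bound `after [0m,5m]` and the `overlaps`-with-`@duration(5m)` conditions over a constructed stream of Snort alerts; the `Snort` class, timestamps and signature names are constructed stand-ins, and the `overlaps` check follows the Drools Fusion manual's definition (A starts before B starts, and ends after B starts but before B ends).

```python
from dataclasses import dataclass, replace

MIN = 60  # one minute, in seconds

@dataclass(frozen=True)
class Snort:
    """Stand-in for the thread's Snort event type (constructed, not the poster's class)."""
    id: int
    sig_name: str
    ip_dst: str
    start: int         # start timestamp, seconds
    duration: int = 0  # @duration; 0 means a point-in-time event

    @property
    def end(self):
        return self.start + self.duration

def after(s2, s1, lo, hi=None):
    """$s2 after [lo, hi] $s1  <=>  lo <= s2.start - s1.end <= hi; a single bound means hi = +infinity."""
    gap = s2.start - s1.end
    return gap >= lo and (hi is None or gap <= hi)

def overlaps(s2, s1):
    """$s2 overlaps $s1 (Drools Fusion): s2 starts before s1, ends after s1 starts and before s1 ends."""
    return s2.start < s1.start <= s2.end < s1.end

def matches(events, cond, same_dst=True):
    """Emulate the two-pattern join of SnortRule / SnortRuleRetract: ordered ($s1, $s2) pairs,
    neither an open-port portscan, id != $s1.id, optionally ip_dst == $s1.ip_dst, then cond($s2, $s1)."""
    out = []
    for s1 in events:
        for s2 in events:
            if s1.id == s2.id or "(portscan) Open Port" in (s1.sig_name, s2.sig_name):
                continue
            if same_dst and s1.ip_dst != s2.ip_dst:
                continue
            if cond(s2, s1):
                out.append((s1.id, s2.id))
    return out

# Constructed stream: non-portscan alerts at t = 0, 2 and 9 minutes plus one
# "(portscan) Open Port" alert at 3 minutes, all against the same destination.
EVENTS = [
    Snort(1, "ET SCAN Nmap", "10.0.0.5", 0 * MIN),
    Snort(2, "ET SCAN Nmap", "10.0.0.5", 2 * MIN),
    Snort(3, "(portscan) Open Port", "10.0.0.5", 3 * MIN),
    Snort(4, "ET SCAN Nmap", "10.0.0.5", 9 * MIN),
]
EVENTS_5M = [replace(e, duration=5 * MIN) for e in EVENTS]  # same events with @duration(5m)
```

`matches(EVENTS, lambda a, b: after(a, b, 5 * MIN))` returns `[(1, 4), (2, 4)]` (only pairs at least 5 minutes apart, never the 2-minute pair), `after(a, b, 0, 5 * MIN)` returns `[(1, 2)]`, and `matches(EVENTS_5M, overlaps)` returns `[(2, 1)]`, i.e. with `overlaps` the earlier event is bound to `$s2`, which matters when the consequence retracts by binding name.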