Hi again Greg,

I've tried your suggestion and it seems like the facts that the rule is checking are the same. This is my last try:

rule "SnortRuleRetract"
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port" )
        $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id )
    then
        retract($s2);
        System.out.println(" ********* Deleting from WM");
end

And it is never fired ... There are no more rules in the package, this is the only one ... so I don't understand anything ... could the error be in the engine? I don't retract any fact ... as you can see in my code ...

NEStor

2009/7/23 Nestor Tarin Burriel <nesta...@gmail.com>

> Yes, that is the purpose ;)
>
> I will try ;)
>
> Thanks 4 your help
>
>
> 2009/7/22 Greg Barton <greg_bar...@yahoo.com>
>
>> Ah, overlooked that second rule. Have you tried the overlap operator?
>>
>> So, just to clarify, the purpose of the two rules should be:
>>
>> SnortRule: If two Snort events that are not port scans of an open port on the same destination arrive more than 5 minutes apart, delete the earlier one.
>>
>> SnortRuleRetract: If two Snort events that are not port scans of an open port on any two destinations arrive within 5 minutes of each other, delete the earlier one.
>>
>> Have you tried removing the temporal operators completely, just for testing purposes? What happens? i.e.
>>
>> "TimelessSnortRule"
>>     $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>>     $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst ) from entry-point "Correlator"
>>
>> "TimelessSnortRuleRetract"
>>     $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>>     $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id ) from entry-point "Correlator"
>>
>>
>> --- On Wed, 7/22/09, Nestor Tarin Burriel <nesta...@gmail.com> wrote:
>>
>>> From: Nestor Tarin Burriel <nesta...@gmail.com>
>>> Subject: Re: [rules-users] CEP Rule Help Needed
>>> To: "Rules Users List" <rules-users@lists.jboss.org>
>>> Date: Wednesday, July 22, 2009, 1:47 PM
>>>
>>> Thanks Greg,
>>>
>>> As you can see in the code I sent, I have the 2 implementations:
>>>
>>> "SnortRule"
>>>     $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>>>     $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point "Correlator"
>>>
>>> "SnortRuleRetract"
>>>     $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>>>     $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, this after [0m,5m] $s1 ) from entry-point "Correlator"
>>>
>>> and none of them are fired ...
>>>
>>> 2009/7/22 Greg Barton <greg_bar...@yahoo.com>
>>>
>>>> Maybe this is a problem of language. Here's what you say the rule should do:
>>>>
>>>> 'After receiving a fact "MyModel" which name != "aaa", if arrives another with same ip and different id after a period between 0 and 5 minutes the rule have to retract the last one and keep the first fact (the older one)'
>>>>
>>>> Which I would interpret as "Event 1 comes in, then event 2 comes in between 0 and 5 minutes later." Does that sound right?
>>>>
>>>> And here's the rule that you think fits the requirements:
>>>>
>>>> rule "SnortRule"
>>>>     salience 2
>>>>     dialect "mvel"
>>>>     when
>>>>         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>>>>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point "Correlator"
>>>>     then
>>>>         System.out.println("****************** Snort Alert!!!!" + $s1.getData());
>>>>         retract($s1);
>>>> end
>>>>
>>>> Check out the docs, though:
>>>>
>>>> https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
>>>>
>>>> The after operator in this case would check that (5m <= $s2.startTimestamp - $s1.endTimeStamp <= +infinity).
>>>>
>>>> So the rule actually implements "Event 1 comes in, then event 2 happens at least 5 minutes later."
>>>>
>>>> If you use the second argument of after I think it would work:
>>>>
>>>> $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1 ) from entry-point "Correlator"
>>>>
>>>> According to the docs this should check that (0m <= $s2.startTimestamp - $s1.endTimeStamp <= 5m).
>>>>
>>>> You could alternately use "overlaps". Place an @duration(5m) annotation on the Snort declaration and try this condition:
>>>>
>>>> $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1 ) from entry-point "Correlator"
>>>>
>>>> _______________________________________________
>>>> rules-users mailing list
>>>> rules-users@lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/rules-users
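The semantics Greg quotes from the Fusion docs can be checked without a Drools runtime. The following Python script is an added example, not code from the thread or from Drools: it implements the documented `after [lo,hi]` evaluator and the `overlaps` evaluator (in Allen's interval-algebra sense, which is how Drools defines it), runs the three rule variants discussed above over a handful of constructed Snort events, and lists the ($s1, $s2) bindings each variant produces. The `Snort` class, the signature names, addresses and timestamps are all made up for the illustration, and its `duration` field stands in for the `@duration` annotation.

```python
"""Simulation of the Drools Fusion temporal operators argued about in the thread.
Added example, not Drools code. Semantics implemented (Fusion docs / Allen):
  $s2 after [lo, hi] $s1   <=>  lo <= $s2.start - $s1.end <= hi   (hi omitted = +inf)
  $s2 overlaps $s1         <=>  $s2.start < $s1.start < $s2.end < $s1.end
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MIN = 60  # seconds


@dataclass(frozen=True)
class Snort:
    """Stand-in for the thread's Snort event type (constructed for this example)."""
    id: int
    sig_name: str
    ip_dst: str
    start: int          # event timestamp, seconds since session start
    duration: int = 0   # 0 = point event (start == end); plays the role of @duration

    @property
    def end(self) -> int:
        return self.start + self.duration


def after(s2: Snort, s1: Snort, lo: int, hi: Optional[int] = None) -> bool:
    """'this after [lo, hi] $s1' evaluated with this = s2; hi=None means +infinity."""
    gap = s2.start - s1.end
    return gap >= lo and (hi is None or gap <= hi)


def overlaps(s2: Snort, s1: Snort) -> bool:
    """'this overlaps $s1' evaluated with this = s2 (Allen's 'overlaps')."""
    return s2.start < s1.start < s2.end < s1.end


def not_portscan(e: Snort) -> bool:
    return e.sig_name != "(portscan) Open Port"


Binding = Tuple[Snort, Snort]


def bindings(events: List[Snort], extra: Callable[[Snort, Snort], bool]) -> List[Binding]:
    """Every ($s1, $s2) pair the engine would try for the two Snort patterns:
    both non-portscan, id != $s1.id, plus the rule-specific constraints in 'extra'."""
    return [(s1, s2) for s1 in events for s2 in events
            if not_portscan(s1) and not_portscan(s2) and s2.id != s1.id and extra(s1, s2)]


def snort_rule_after_5m(events: List[Snort]) -> List[Binding]:
    # original rule: ip_dst == $s1.ip_dst, this after [5m] $s1
    return bindings(events, lambda s1, s2: s2.ip_dst == s1.ip_dst and after(s2, s1, 5 * MIN))


def snort_rule_after_0_5m(events: List[Snort]) -> List[Binding]:
    # Greg's fix: this after [0m,5m] $s1
    return bindings(events, lambda s1, s2: s2.ip_dst == s1.ip_dst and after(s2, s1, 0, 5 * MIN))


def snort_rule_overlaps(events: List[Snort]) -> List[Binding]:
    # alternative: @duration(5m) on the event plus this overlaps $s1
    return bindings(events, lambda s1, s2: s2.ip_dst == s1.ip_dst and overlaps(s2, s1))


def ids(matches: List[Binding]) -> List[Tuple[int, int]]:
    return [(s1.id, s2.id) for s1, s2 in matches]


def run_to_fixpoint(rule, events: List[Snort], retract: str = "s1") -> List[int]:
    """Fire the rule until no activation is left. Each firing retracts the bound $s1
    (as the thread's SnortRule does) or $s2, which cancels every other activation
    involving that fact. Returns the ids of the facts still in working memory."""
    wm = list(events)
    while True:
        matches = rule(wm)
        if not matches:
            return sorted(e.id for e in wm)
        s1, s2 = matches[0]
        wm.remove(s1 if retract == "s1" else s2)


# Constructed sample stream (not real Snort output); timestamps in seconds.
SAMPLE = [
    Snort(1, "ET SCAN Nmap -sS", "10.0.0.5", 0 * MIN),
    Snort(2, "ET SCAN Nmap -sS", "10.0.0.5", 3 * MIN),
    Snort(3, "(portscan) Open Port", "10.0.0.5", 3 * MIN + 20),   # filtered by sig_name
    Snort(4, "ET POLICY Outbound RDP", "10.0.0.9", 7 * MIN),      # other destination
    Snort(5, "ET SCAN Nmap -sS", "10.0.0.5", 6 * MIN + 40),
]
# Same stream with @duration(5m) applied, for the overlaps variant.
SAMPLE_5M = [Snort(e.id, e.sig_name, e.ip_dst, e.start, 5 * MIN) for e in SAMPLE]

if __name__ == "__main__":
    print("after [5m]    bindings:", ids(snort_rule_after_5m(SAMPLE)))
    print("after [0m,5m] bindings:", ids(snort_rule_after_0_5m(SAMPLE)))
    print("overlaps      bindings:", ids(snort_rule_overlaps(SAMPLE_5M)))
    print("survivors, after [0m,5m], retract $s1:", run_to_fixpoint(snort_rule_after_0_5m, SAMPLE))
    print("survivors, overlaps,      retract $s1:", run_to_fixpoint(snort_rule_overlaps, SAMPLE_5M))
```

On the sample this shows the distinction Greg draws: the two events 3 minutes apart on the same destination never satisfy `after [5m]` (only the pair 6:40 apart does), while `after [0m,5m]` matches them. It also exposes a binding caveat with `overlaps`: since the engine tries both orderings of the two Snort patterns, the binding that satisfies `this overlaps $s1` is the one where $s2 is the earlier interval and $s1 the later one, so a consequence that does `retract($s1)` removes the later event under `overlaps` but the earlier one under `after [0m,5m]`; the operator and the retracted variable have to be chosen together. The script does not model entry points or the session clock. In Drools a pattern without `from entry-point` only sees facts inserted into the default entry point, so the rule and the code that inserts the events have to agree on that as well.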