Finally I've solved my problem. It was in the engine: looking at the doc, for inserting a new fact into a stream of the working memory it says:

ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert();

Which is perfect, but not for my environment ;). I was inserting the events in different WMs because for each one I did:

ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert(myFact);

so I solved it doing:

myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
for (Fact a : Facts) myWorkingMemoryEP.insert(a);

I don't know if this is the correct use of EntryPoints, but it works!

Thanks to everybody, especially Greg and Priya :)

2009/7/23 PriyaKathan <nash.8...@gmail.com>
> Hi
>
> Find attached a working example for a CEP rule with the scenario you stated.
> Here I used the pseudo clock.
> Hope this would help you to understand better.
>
> Regards,
> Priya
>
> 2009/7/23 Nestor Tarin Burriel <nesta...@gmail.com>
>> Hi again Greg,
>>
>> I've tried your suggestion and it seems like the facts that the rule is
>> checking are the same.
>>
>> This is my last try:
>>
>> rule "SnortRuleRetract"
>>     dialect "mvel"
>>     when
>>         $s1 : Snort( sig_name != "(portscan) Open Port" )
>>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id )
>>     then
>>         retract( $s2 );
>>         System.out.println(" ********* Deleting from WM");
>> end
>>
>> And it is never fired ...
>>
>> There are no more rules in the package, this is the only one ... so I
>> don't understand anything ... could the error be in the engine? I don't
>> retract any fact ... as you can see in my code ...
>>
>> NEStor
>>
>> 2009/7/23 Nestor Tarin Burriel <nesta...@gmail.com>
>>> Yes, that is the purpose ;)
>>>
>>> I will try ;)
>>>
>>> Thanks 4 your help
>>>
>>> 2009/7/22 Greg Barton <greg_bar...@yahoo.com>
>>>> Ah, overlooked that second rule. Have you tried the overlaps operator?
>>>>
>>>> So, just to clarify, the purpose of the two rules should be:
>>>>
>>>> SnortRule: If two Snort events that are not port scans of an open port
>>>> on the same destination arrive more than 5 minutes apart, delete the
>>>> earlier one.
>>>>
>>>> SnortRuleRetract: If two Snort events that are not port scans of an open
>>>> port on any two destinations arrive within 5 minutes of each other, delete
>>>> the earlier one.
>>>>
>>>> Have you tried removing the temporal operators completely, just for
>>>> testing purposes? What happens? i.e.
>>>>
>>>> "TimelessSnortRule"
>>>>     $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>>>>     $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id,
>>>>                  ip_dst == $s1.ip_dst ) from entry-point "Correlator"
>>>>
>>>> "TimelessSnortRuleRetract"
>>>>     $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>>>>     $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id )
>>>>                  from entry-point "Correlator"
>>>>
>>>> --- On Wed, 7/22/09, Nestor Tarin Burriel <nesta...@gmail.com> wrote:
>>>> > From: Nestor Tarin Burriel <nesta...@gmail.com>
>>>> > Subject: Re: [rules-users] CEP Rule Help Needed
>>>> > To: "Rules Users List" <rules-users@lists.jboss.org>
>>>> > Date: Wednesday, July 22, 2009, 1:47 PM
>>>> >
>>>> > Thanks Greg,
>>>> >
>>>> > As you can see in the code I sent, I have the 2 implementations:
>>>> >
>>>> > "SnortRule"
>>>> >     $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>>>> >     $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id,
>>>> >                  ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point "Correlator"
>>>> >
>>>> > "SnortRuleRetract"
>>>> >     $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>>>> >     $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id,
>>>> >                  this after [0m,5m] $s1 ) from entry-point "Correlator"
>>>> >
>>>> > and neither of them is fired ...
>>>> >
>>>> > 2009/7/22 Greg Barton <greg_bar...@yahoo.com>
>>>> > > Maybe this is a problem of language. Here's what you say the rule should do:
>>>> > >
>>>> > > 'After receiving a fact "MyModel" whose name != "aaa", if another arrives
>>>> > > with the same ip and a different id after a period between 0 and 5 minutes,
>>>> > > the rule has to retract the last one and keep the first fact (the older one)'
>>>> > >
>>>> > > Which I would interpret as "Event 1 comes in, then event 2 comes in between
>>>> > > 0 and 5 minutes later." Does that sound right?
>>>> > >
>>>> > > And here's the rule that you think fits the requirements:
>>>> > >
>>>> > > rule "SnortRule"
>>>> > >     salience 2
>>>> > >     dialect "mvel"
>>>> > >     when
>>>> > >         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>>>> > >         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id,
>>>> > >                      ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point "Correlator"
>>>> > >     then
>>>> > >         System.out.println("****************** Snort Alert!!!!" + $s1.getData());
>>>> > >         retract( $s1 );
>>>> > > end
>>>> > >
>>>> > > Check out the docs, though:
>>>> > >
>>>> > > https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
>>>> > >
>>>> > > The after operator in this case would check that
>>>> > > (5m <= $s2.startTimestamp - $s1.endTimestamp <= +infinity).
>>>> > >
>>>> > > So the rule actually implements "Event 1 comes in, then event 2 happens at
>>>> > > least 5 minutes later."
>>>> > >
>>>> > > If you use the second argument of after I think it would work:
>>>> > >
>>>> > >     $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id,
>>>> > >                  ip_dst == $s1.ip_dst, this after [0m,5m] $s1 ) from entry-point "Correlator"
>>>> > >
>>>> > > According to the docs this should check that
>>>> > > (0m <= $s2.startTimestamp - $s1.endTimestamp <= 5m).
>>>> > >
>>>> > > You could alternately use "overlaps". Place an @duration(5m) annotation on
>>>> > > the Snort declaration and try this condition:
>>>> > >
>>>> > >     $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id,
>>>> > >                  ip_dst == $s1.ip_dst, this overlaps $s1 ) from entry-point "Correlator"
>>>> > >
>>>> > > _______________________________________________
>>>> > > rules-users mailing list
>>>> > > rules-users@lists.jboss.org
>>>> > > https://lists.jboss.org/mailman/listinfo/rules-users
>
> --
> Regards,
> PriyaKathan
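The following is an added, self-contained example written for this page; it is not code from the thread and not Priya's attachment (which is not reproduced here). It wires up the pieces the thread discusses with the Drools 5 API (org.drools.* packages, assumed to be the version in use in 2009): a single "Correlator" entry point whose handle is fetched once and reused, a pseudo clock so the 5-minute window can be driven from code, and Nestor's "SnortRuleRetract" written with Greg's bounded `after [0m,5m]` plus the same-destination check. Instead of Nestor's Java Snort class, which is not on the page, the event type is declared in the DRL and instances are built through the FactType API; the alert names, ids and IP addresses are constructed sample data, and the `@expires( 10m )` annotation is an assumption added so the events stay in memory for the whole run.

```java
package correlator;

import java.util.concurrent.TimeUnit;

import org.drools.KnowledgeBase;
import org.drools.KnowledgeBaseConfiguration;
import org.drools.KnowledgeBaseFactory;
import org.drools.builder.KnowledgeBuilder;
import org.drools.builder.KnowledgeBuilderFactory;
import org.drools.builder.ResourceType;
import org.drools.conf.EventProcessingOption;
import org.drools.definition.type.FactType;
import org.drools.io.ResourceFactory;
import org.drools.runtime.KnowledgeSessionConfiguration;
import org.drools.runtime.StatefulKnowledgeSession;
import org.drools.runtime.conf.ClockTypeOption;
import org.drools.runtime.rule.WorkingMemoryEntryPoint;
import org.drools.time.SessionPseudoClock;

public class CorrelatorExample {

    // Snort is declared here (assumed stand-in for Nestor's class) and marked as an
    // event so temporal operators apply. With no @timestamp the event time is the
    // session clock at insert, which is what the pseudo clock below controls.
    static final String DRL =
        "package correlator\n" +
        "declare Snort\n" +
        "    @role( event )\n" +
        "    @expires( 10m )\n" +                // assumption: keep events long enough for this run
        "    id : int\n" +
        "    sig_name : String\n" +
        "    ip_dst : String\n" +
        "end\n" +
        "rule \"SnortRuleRetract\"\n" +
        "when\n" +
        "    $s1 : Snort( sig_name != \"(portscan) Open Port\" ) from entry-point \"Correlator\"\n" +
        "    $s2 : Snort( sig_name != \"(portscan) Open Port\", id != $s1.id,\n" +
        "                 ip_dst == $s1.ip_dst, this after[0m,5m] $s1 ) from entry-point \"Correlator\"\n" +
        "then\n" +
        "    System.out.println(\"Dropping alert \" + $s2.getId() + \" (within 5m of \" + $s1.getId() + \")\");\n" +
        "    retract( $s2 );\n" +               // keep the older alert, drop the newer one
        "end\n";

    // Build one Snort event through the declared type (fields as in the thread's rules).
    static Object newSnort(FactType type, int id, String sigName, String ipDst) throws Exception {
        Object s = type.newInstance();
        type.set(s, "id", id);
        type.set(s, "sig_name", sigName);
        type.set(s, "ip_dst", ipDst);
        return s;
    }

    public static void main(String[] args) throws Exception {
        KnowledgeBuilder kbuilder = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kbuilder.add(ResourceFactory.newByteArrayResource(DRL.getBytes("UTF-8")), ResourceType.DRL);
        if (kbuilder.hasErrors()) {
            throw new IllegalStateException(kbuilder.getErrors().toString());
        }

        // STREAM mode is required for entry points plus temporal operators to behave as a CEP stream.
        KnowledgeBaseConfiguration kbConf = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
        kbConf.setOption(EventProcessingOption.STREAM);
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(kbConf);
        kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());

        // Pseudo clock: time only moves when we advance it, so the 5-minute window is deterministic.
        KnowledgeSessionConfiguration ksConf = KnowledgeBaseFactory.newKnowledgeSessionConfiguration();
        ksConf.setOption(ClockTypeOption.get("pseudo"));
        StatefulKnowledgeSession ksession = kbase.newStatefulKnowledgeSession(ksConf, null);
        SessionPseudoClock clock = ksession.getSessionClock();

        FactType snort = kbase.getFactType("correlator", "Snort");

        // Fetch the entry point once and reuse the handle for every insert (the pattern Nestor ended with).
        WorkingMemoryEntryPoint correlator = ksession.getWorkingMemoryEntryPoint("Correlator");

        // Constructed sample alerts: same destination, arriving at t=0, t=2m and t=7m, then a port scan.
        correlator.insert(newSnort(snort, 1, "SAMPLE SCAN Nmap", "10.0.0.5"));
        ksession.fireAllRules();

        clock.advanceTime(2, TimeUnit.MINUTES);
        correlator.insert(newSnort(snort, 2, "SAMPLE SCAN Nmap", "10.0.0.5"));   // 2m after #1: inside the window
        ksession.fireAllRules();

        clock.advanceTime(5, TimeUnit.MINUTES);
        correlator.insert(newSnort(snort, 3, "SAMPLE SCAN Nmap", "10.0.0.5"));   // 7m after #1: outside the window
        ksession.fireAllRules();

        correlator.insert(newSnort(snort, 4, "(portscan) Open Port", "10.0.0.5")); // excluded by sig_name
        ksession.fireAllRules();

        for (Object o : correlator.getObjects()) {
            System.out.println("Still in Correlator: id=" + snort.get(o, "id") + " sig=" + snort.get(o, "sig_name"));
        }
        ksession.dispose();
    }
}
```

Run it with drools-core, drools-compiler and their dependencies on the classpath. Alert 2 is the only one the rule can retract: it is the only non-portscan event on the same ip_dst whose insertion lies between 0 and 5 minutes after an earlier one, matching Greg's reading of `after [0m,5m]`; alert 3 is 7 minutes after alert 1 and alert 2 is already gone, and alert 4 fails the sig_name constraint. Because the window is measured on the session clock, the same run with a real-time clock would only retract alerts if your producer really delivered them minutes apart, which is why Priya's attachment used the pseudo clock for testing.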