Hi all again. In the end I have my rules firing as expected :)
I had to add the expires() attribute to the model, otherwise my facts were immediately retracted by the engine.

Thanks to all ;)

NEStor

2009/7/23 Nestor Tarin Burriel <nesta...@gmail.com>
> In my case yes...
>
> 2009/7/23 Greg Barton <greg_bar...@yahoo.com>
>> So do you mean this didn't work:
>>
>>     myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
>>
>>     for (Fact a : Facts)
>>         ksession.getWorkingMemoryEntryPoint(correlatorName).insert(a);
>>
>> ...but this did?
>>
>>     myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
>>
>>     for (Fact a : Facts)
>>         myWorkingMemoryEP.insert(a);
>>
>> --- On Thu, 7/23/09, Nestor Tarin Burriel <nesta...@gmail.com> wrote:
>>
>>> From: Nestor Tarin Burriel <nesta...@gmail.com>
>>> Subject: Re: [rules-users] CEP Rule Help Needed
>>> To: "Rules Users List" <rules-users@lists.jboss.org>
>>> Date: Thursday, July 23, 2009, 9:47 AM
>>>
>>> Finally I've solved my problem. It was in the engine:
>>>
>>> Looking at the doc, for inserting a new fact into a stream of the working memory it says:
>>>
>>>     ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert();
>>>
>>> Which is perfect, but not for my environment ;). I was inserting the events in different WMs because in each one I did
>>>
>>>     ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert(myFact);
>>>
>>> so I solved it doing:
>>>
>>>     myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
>>>
>>>     for (Fact a : Facts)
>>>         myWorkingMemoryEP.insert(a);
>>>
>>> I don't know if this is the correct use of EntryPoints but it works!
>>>
>>> Thanks to everybody, especially Greg and Priya :)
>>>
>>> 2009/7/23 PriyaKathan <nash.8...@gmail.com>
>>>> Hi
>>>>
>>>> Find attached a working example for a CEP rule with the scenario you stated. Here I used a pseudo clock. Hope this helps you to understand better.
>>>>
>>>> Regards,
>>>>
>>>> Priya
>>>>
>>>> 2009/7/23 Nestor Tarin Burriel <nesta...@gmail.com>
>>>>> Hi again Greg,
>>>>>
>>>>> I've tried your suggestion and it seems like the facts that the rule is checking are the same.
>>>>>
>>>>> This is my last try:
>>>>>
>>>>>     rule "SnortRuleRetract"
>>>>>     dialect "mvel"
>>>>>     when
>>>>>         $s1 : Snort( sig_name != "(portscan) Open Port" )
>>>>>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id )
>>>>>     then
>>>>>         retract($s2);
>>>>>         System.out.println(" ********* Deleting from WM");
>>>>>     end
>>>>>
>>>>> And it is never fired ...
>>>>>
>>>>> There are no more rules in the package, this is the only one ... so I don't understand anything ... could the error be in the engine? I don't retract any fact ... as you can see in my code ...
>>>>>
>>>>> NEStor
>>>>>
>>>>> 2009/7/23 Nestor Tarin Burriel <nesta...@gmail.com>
>>>>>> Yes, that is the purpose ;)
>>>>>>
>>>>>> I will try ;)
>>>>>>
>>>>>> Thanks for your help
>>>>>>
>>>>>> 2009/7/22 Greg Barton <greg_bar...@yahoo.com>
>>>>>>> Ah, overlooked that second rule. Have you tried the overlap operator?
>>>>>>>
>>>>>>> So, just to clarify, the purpose of the two rules should be:
>>>>>>>
>>>>>>> SnortRule: If two Snort events that are not port scans of an open port on the same destination arrive more than 5 minutes apart, delete the earlier one.
>>>>>>>
>>>>>>> SnortRuleRetract: If two Snort events that are not port scans of an open port on any two destinations arrive within 5 minutes of each other, delete the earlier one.
>>>>>>>
>>>>>>> Have you tried removing the temporal operators completely, just for testing purposes? What happens? i.e.
>>>>>>>
>>>>>>>     "TimelessSnortRule"
>>>>>>>         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>>>>>>>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst ) from entry-point "Correlator"
>>>>>>>
>>>>>>>     "TimelessSnortRuleRetract"
>>>>>>>         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>>>>>>>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id ) from entry-point "Correlator"
>>>>>>>
>>>>>>> --- On Wed, 7/22/09, Nestor Tarin Burriel <nesta...@gmail.com> wrote:
>>>>>>>
>>>>>>>> From: Nestor Tarin Burriel <nesta...@gmail.com>
>>>>>>>> Subject: Re: [rules-users] CEP Rule Help Needed
>>>>>>>> To: "Rules Users List" <rules-users@lists.jboss.org>
>>>>>>>> Date: Wednesday, July 22, 2009, 1:47 PM
>>>>>>>>
>>>>>>>> Thanks Greg,
>>>>>>>>
>>>>>>>> As you can see in the code I sent, I have the 2 implementations:
>>>>>>>>
>>>>>>>>     "SnortRule"
>>>>>>>>         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>>>>>>>>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point "Correlator"
>>>>>>>>
>>>>>>>>     "SnortRuleRetract"
>>>>>>>>         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>>>>>>>>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, this after [0m,5m] $s1 ) from entry-point "Correlator"
>>>>>>>>
>>>>>>>> and none of them are fired ...
>>>>>>>>
>>>>>>>> 2009/7/22 Greg Barton <greg_bar...@yahoo.com>
>>>>>>>>> Maybe this is a problem of language. Here's what you say the rule should do:
>>>>>>>>>
>>>>>>>>> 'After receiving a fact "MyModel" whose name != "aaa", if another arrives with the same ip and a different id after a period between 0 and 5 minutes, the rule has to retract the last one and keep the first fact (the older one)'
>>>>>>>>>
>>>>>>>>> Which I would interpret as "Event 1 comes in, then event 2 comes in between 0 and 5 minutes later." Does that sound right?
>>>>>>>>>
>>>>>>>>> And here's the rule that you think fits the requirements:
>>>>>>>>>
>>>>>>>>>     rule "SnortRule"
>>>>>>>>>     salience 2
>>>>>>>>>     dialect "mvel"
>>>>>>>>>     when
>>>>>>>>>         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
>>>>>>>>>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point "Correlator"
>>>>>>>>>     then
>>>>>>>>>         System.out.println("****************** Snort Alert!!!!" + $s1.getData());
>>>>>>>>>         retract($s1);
>>>>>>>>>     end
>>>>>>>>>
>>>>>>>>> Check out the docs, though:
>>>>>>>>>
>>>>>>>>> https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
>>>>>>>>>
>>>>>>>>> The after operator in this case would check that (5m <= $s2.startTimestamp - $s1.endTimestamp <= +infinity).
>>>>>>>>>
>>>>>>>>> So the rule actually implements "Event 1 comes in, then event 2 happens at least 5 minutes later."
>>>>>>>>>
>>>>>>>>> If you use the second argument of after I think it would work:
>>>>>>>>>
>>>>>>>>>     $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1 ) from entry-point "Correlator"
>>>>>>>>>
>>>>>>>>> According to the docs this should check that (0m <= $s2.startTimestamp - $s1.endTimestamp <= 5m).
>>>>>>>>>
>>>>>>>>> You could alternately use "overlaps". Place an @duration(5m) annotation on the Snort declaration and try this condition:
>>>>>>>>>
>>>>>>>>>     $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1 ) from entry-point "Correlator"
>>>>
>>>> --
>>>> Regards,
>>>> PriyaKathan
_______________________________________________ rules-users mailing list rules-users@lists.jboss.org https://lists.jboss.org/mailman/listinfo/rules-users
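The points the thread settles, namely that `after[5m]` means "at least 5 minutes later" while `after[0m,5m]` means "within 5 minutes", that the entry point should be looked up once and reused, and that a pseudo clock lets you test the windows without waiting, are shown together in the following added example. It is not code from the thread nor Priya's attachment, and it makes these assumptions: the Drools 5.x API (`org.drools.*` packages, `KnowledgeBuilder`, `StatefulKnowledgeSession`, `SessionPseudoClock`), the `Snort` event declared inside the DRL instead of as a Java model class, field names `sigName`/`ipDst` in place of `sig_name`/`ip_dst` so the generated getters are conventional, an `@expires(10m)` value chosen to outlive the 5-minute windows, and constructed sample events.

```java
package snortcep;

import java.util.concurrent.TimeUnit;
import org.drools.KnowledgeBase;
import org.drools.KnowledgeBaseConfiguration;
import org.drools.KnowledgeBaseFactory;
import org.drools.builder.KnowledgeBuilder;
import org.drools.builder.KnowledgeBuilderFactory;
import org.drools.builder.ResourceType;
import org.drools.conf.EventProcessingOption;
import org.drools.definition.type.FactType;
import org.drools.io.ResourceFactory;
import org.drools.runtime.KnowledgeSessionConfiguration;
import org.drools.runtime.StatefulKnowledgeSession;
import org.drools.runtime.conf.ClockTypeOption;
import org.drools.runtime.rule.WorkingMemoryEntryPoint;
import org.drools.time.SessionPseudoClock;

/** Added demo (not from the thread): drives the two rules with a pseudo clock. */
public class SnortCepDemo {

    // Constructed DRL. The Snort event is declared here instead of in a model
    // jar; the fields are camelCase so the generated getters are conventional.
    // @expires(10m) is an assumed value, long enough to outlive the 5m windows.
    private static final String DRL =
          "package snortcep\n"
        + "declare Snort\n"
        + "  @role( event )\n"
        + "  @expires( 10m )\n"
        + "  id : int\n"
        + "  sigName : String\n"
        + "  ipDst : String\n"
        + "end\n"
        // after[5m]: $s2 starts at least 5 minutes after $s1 ends, no upper bound
        + "rule \"SnortRule\"\n"
        + "when\n"
        + "  $s1 : Snort( sigName != \"(portscan) Open Port\" ) from entry-point \"Correlator\"\n"
        + "  $s2 : Snort( sigName != \"(portscan) Open Port\", id != $s1.id, ipDst == $s1.ipDst,\n"
        + "               this after[5m] $s1 ) from entry-point \"Correlator\"\n"
        + "then\n"
        + "  System.out.println(\"SnortRule: #\" + $s2.getId() + \" is 5m or more after #\" + $s1.getId());\n"
        + "end\n"
        // after[0m,5m]: $s2 starts between 0 and 5 minutes after $s1 ends
        + "rule \"SnortRuleRetract\"\n"
        + "when\n"
        + "  $s1 : Snort( sigName != \"(portscan) Open Port\" ) from entry-point \"Correlator\"\n"
        + "  $s2 : Snort( sigName != \"(portscan) Open Port\", id != $s1.id,\n"
        + "               this after[0m,5m] $s1 ) from entry-point \"Correlator\"\n"
        + "then\n"
        + "  System.out.println(\"SnortRuleRetract: #\" + $s2.getId() + \" within 5m of #\" + $s1.getId());\n"
        + "  retract( $s2 );\n"
        + "end\n";

    public static void main(String[] args) throws Exception {
        KnowledgeBuilder kbuilder = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kbuilder.add(ResourceFactory.newByteArrayResource(DRL.getBytes("UTF-8")), ResourceType.DRL);
        if (kbuilder.hasErrors()) {
            throw new IllegalStateException(kbuilder.getErrors().toString());
        }

        // STREAM mode is what makes the temporal operators and @expires take effect.
        KnowledgeBaseConfiguration kbaseConf = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
        kbaseConf.setOption(EventProcessingOption.STREAM);
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(kbaseConf);
        kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());

        // Pseudo clock: the program advances time instead of sleeping for minutes.
        KnowledgeSessionConfiguration ksConf = KnowledgeBaseFactory.newKnowledgeSessionConfiguration();
        ksConf.setOption(ClockTypeOption.get("pseudo"));
        StatefulKnowledgeSession ksession = kbase.newStatefulKnowledgeSession(ksConf, null);
        SessionPseudoClock clock = ksession.getSessionClock();

        // Look the entry point up once and reuse the same handle for every insert.
        WorkingMemoryEntryPoint correlator = ksession.getWorkingMemoryEntryPoint("Correlator");
        FactType snort = kbase.getFactType("snortcep", "Snort");

        // Constructed events: same destination, a signature that is not the port-scan one.
        correlator.insert(newSnort(snort, 1, "ET SCAN Nmap", "10.0.0.5"));
        ksession.fireAllRules();

        clock.advanceTime(2, TimeUnit.MINUTES);   // inside the [0m,5m] window of #1
        correlator.insert(newSnort(snort, 2, "ET SCAN Nmap", "10.0.0.5"));
        ksession.fireAllRules();

        clock.advanceTime(6, TimeUnit.MINUTES);   // 8m after #1, outside [0m,5m], inside [5m,+inf)
        correlator.insert(newSnort(snort, 3, "ET SCAN Nmap", "10.0.0.5"));
        ksession.fireAllRules();

        ksession.dispose();
    }

    // Builds an instance of the DRL-declared Snort type (no Java model class needed).
    private static Object newSnort(FactType type, int id, String sigName, String ipDst)
            throws Exception {
        Object ev = type.newInstance();
        type.set(ev, "id", id);
        type.set(ev, "sigName", sigName);
        type.set(ev, "ipDst", ipDst);
        return ev;
    }
}
```

Run it with the Drools 5 jars (drools-core, drools-compiler, their dependencies) on the classpath. The second event lands inside the `[0m,5m]` window, so only SnortRuleRetract can match it; the third lands 8 minutes after the first, so only SnortRule can. Swapping the two `after` forms in the DRL is the quickest way to see the difference Greg describes.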