Re: [rules-users] CEP Rule Help Needed
Without @timestamp the event time is the insertion time.

--- On Thu, 7/23/09, PriyaKathan wrote:

> From: PriyaKathan
> Subject: Re: [rules-users] CEP Rule Help Needed
> To: "Rules Users List"
> Date: Thursday, July 23, 2009, 12:37 AM
>
> Hi,
> I found one thing missing here... It is @timestamp in event declaration...

___
rules-users mailing list
rules-users@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
Re: [rules-users] CEP Rule Help Needed
Hi,

I found one thing missing here... It is @timestamp in event declaration...

On Thu, Jul 23, 2009 at 1:06 AM, Greg Barton wrote:

> Ah, overlooked that second rule. Have you tried the overlap operator?
> [...]
Re: [rules-users] CEP Rule Help Needed
Ah, overlooked that second rule. Have you tried the overlap operator?

So, just to clarify, the purpose of the two rules should be:

SnortRule: If two Snort events that are not port scans of an open port on the same destination arrive more than 5 minutes apart, delete the earlier one.

SnortRuleRetract: If two Snort events that are not port scans of an open port on any two destinations arrive within 5 minutes of each other, delete the earlier one.

Have you tried removing the temporal operators completely, just for testing purposes? What happens? i.e.

    "TimelessSnortRule"
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst) from entry-point "Correlator"

    "TimelessSnortRuleRetract"
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id) from entry-point "Correlator"

--- On Wed, 7/22/09, Nestor Tarin Burriel wrote:

> From: Nestor Tarin Burriel
> Subject: Re: [rules-users] CEP Rule Help Needed
> To: "Rules Users List"
> Date: Wednesday, July 22, 2009, 1:47 PM
>
> Thanks Greg,
>
> As you can see in the code I sent, I have the 2 implementations:
> [...]
Re: [rules-users] CEP Rule Help Needed
Thanks Greg,

As you can see in the code I sent, I have the 2 implementations:

    "SnortRule"
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"

    "SnortRuleRetract"
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"

and neither of them fires ...

2009/7/22 Greg Barton

> Maybe this is a problem of language. Here's what you say the rule should do:
> [...]
Re: [rules-users] CEP Rule Help Needed
Maybe this is a problem of language. Here's what you say the rule should do:

'After receiving a fact "MyModel" whose name != "aaa", if another arrives with the same ip and a different id after a period between 0 and 5 minutes, the rule has to retract the last one and keep the first fact (the older one)'

Which I would interpret as "Event 1 comes in, then event 2 comes in between 0 and 5 minutes later." Does that sound right?

And here's the rule that you think fits the requirements:

    rule "SnortRule"
        salience 2
        dialect "mvel"
        when
            $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
            $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
        then
            System.out.println("** Snort Alert" + $s1.getData());
            retract($s1);
    end

Check out the docs, though:

https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622

The after operator in this case would check that (5m <= $s2.startTimestamp - $s1.endTimeStamp <= +infinity).

So the rule actually implements "Event 1 comes in, then event 2 happens at least 5 minutes later."

If you use the second argument of after I think it would work:

    $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1) from entry-point "Correlator"

According to the docs this should check that (0m <= $s2.startTimestamp - $s1.endTimeStamp <= 5m).

You could alternately use "overlaps". Place an @duration(5m) annotation on the Snort declaration and try this condition:

    $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1) from entry-point "Correlator"
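Greg's reading of the after operator above, and the remark at the top of this thread that an event declared without @timestamp is stamped with its insertion time, can both be checked in a few lines. The harness below is an added example, not code from the thread or from the Drools project: it declares the Snort event with @timestamp(event_date) so the engine uses the alert's own time, runs a stateful session on the Drools Fusion pseudo clock so that "five minutes" can be simulated without waiting, and keeps the two forms of the operator side by side. The package, entry-point and field names follow the thread; the rule names, the list globals, the @expires bound and the three sample alerts are assumptions made for the demonstration, and the Drools 5 public API is used in place of the internal SessionConfiguration class seen in the configuration posted further down.

```java
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.concurrent.TimeUnit;

import org.drools.*;
import org.drools.builder.*;
import org.drools.conf.EventProcessingOption;
import org.drools.definition.type.FactType;
import org.drools.io.ResourceFactory;
import org.drools.runtime.*;
import org.drools.runtime.conf.ClockTypeOption;
import org.drools.runtime.rule.WorkingMemoryEntryPoint;
import org.drools.time.SessionPseudoClock;

// Added example, not from the thread: Snort de-duplication driven by a pseudo clock.
public class SnortDedupHarness {

    static final String DRL =
        "package Correlator\n" +
        "global java.util.List retracted\n" +
        "global java.util.List atLeastFiveMinutesLater\n" +
        "declare Snort\n" +
        "    @role( event )\n" +
        "    @timestamp( event_date )\n" +   // event time is taken from the alert, not from insert()
        "    @expires( 1h )\n" +             // assumed bound so an alert flood cannot grow working memory forever
        "    id : java.lang.Long\n" +
        "    ip_dst : String\n" +
        "    sig_name : String\n" +
        "    event_date : java.util.Date\n" +
        "end\n" +
        // after[0s,5m] checks 0s <= $s2.start - $s1.end <= 5m: a five-minute window.
        // The later alert for the same destination is dropped and the older one kept.
        "rule \"DropDuplicateWithinFiveMinutes\"\n" +
        "when\n" +
        "    $s1 : Snort( sig_name != \"(portscan) Open Port\" ) from entry-point \"Correlator\"\n" +
        "    $s2 : Snort( sig_name != \"(portscan) Open Port\", id != $s1.id, ip_dst == $s1.ip_dst,\n" +
        "                 this after[0s,5m] $s1 ) from entry-point \"Correlator\"\n" +
        "then\n" +
        "    retracted.add( $s2.getId() );\n" +
        "    retract( $s2 );\n" +
        "end\n" +
        // after[5m] checks 5m <= $s2.start - $s1.end with no upper bound: "at least five
        // minutes later", which is what the single-argument form in the original SnortRule means.
        "rule \"AtLeastFiveMinutesLater\"\n" +
        "when\n" +
        "    $s1 : Snort( sig_name != \"(portscan) Open Port\" ) from entry-point \"Correlator\"\n" +
        "    $s2 : Snort( sig_name != \"(portscan) Open Port\", id != $s1.id, ip_dst == $s1.ip_dst,\n" +
        "                 this after[5m] $s1 ) from entry-point \"Correlator\"\n" +
        "then\n" +
        "    atLeastFiveMinutesLater.add( $s2.getId() );\n" +
        "end\n";

    public static void main(String[] args) throws Exception {
        KnowledgeBuilder kbuilder = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kbuilder.add(ResourceFactory.newByteArrayResource(DRL.getBytes("UTF-8")), ResourceType.DRL);
        if (kbuilder.hasErrors()) {
            throw new IllegalStateException(kbuilder.getErrors().toString());
        }
        // STREAM mode is what gives temporal operators and entry points their meaning.
        KnowledgeBaseConfiguration kbaseConf = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
        kbaseConf.setOption(EventProcessingOption.STREAM);
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(kbaseConf);
        kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());

        // Pseudo clock: the test moves time forward explicitly instead of sleeping.
        KnowledgeSessionConfiguration ksConf = KnowledgeBaseFactory.newKnowledgeSessionConfiguration();
        ksConf.setOption(ClockTypeOption.get("pseudo"));
        StatefulKnowledgeSession ksession = kbase.newStatefulKnowledgeSession(ksConf, null);
        SessionPseudoClock clock = ksession.getSessionClock();

        List<Long> retracted = new ArrayList<Long>();
        List<Long> later = new ArrayList<Long>();
        ksession.setGlobal("retracted", retracted);
        ksession.setGlobal("atLeastFiveMinutesLater", later);

        FactType snort = kbase.getFactType("Correlator", "Snort");
        WorkingMemoryEntryPoint correlator = ksession.getWorkingMemoryEntryPoint("Correlator");

        // Constructed sample: three non-portscan alerts for one destination at t = 0, 2m and 12m.
        insertAlert(ksession, correlator, snort, clock, 1L, "10.0.0.5", "SAMPLE SSH brute force");
        clock.advanceTime(2, TimeUnit.MINUTES);
        insertAlert(ksession, correlator, snort, clock, 2L, "10.0.0.5", "SAMPLE SSH brute force");
        clock.advanceTime(10, TimeUnit.MINUTES);
        insertAlert(ksession, correlator, snort, clock, 3L, "10.0.0.5", "SAMPLE SSH brute force");

        // Alert 2 lies inside alert 1's window and is dropped; alert 3 is twelve minutes
        // after alert 1, so only the unbounded form of the operator can match it.
        System.out.println("dropped as duplicates: " + retracted);
        System.out.println("matched by after[5m]: " + later);
        ksession.dispose();
    }

    // Builds a Snort event from the declared type, stamps it with the clock time, inserts it
    // at the Correlator entry point and fires the rules, mirroring the insert method in the thread.
    static void insertAlert(StatefulKnowledgeSession ksession, WorkingMemoryEntryPoint entryPoint,
                            FactType type, SessionPseudoClock clock,
                            long id, String ipDst, String sigName) throws Exception {
        Object alert = type.newInstance();
        type.set(alert, "id", id);
        type.set(alert, "ip_dst", ipDst);
        type.set(alert, "sig_name", sigName);
        type.set(alert, "event_date", new Date(clock.getCurrentTime()));
        entryPoint.insert(alert);
        ksession.fireAllRules();
    }
}
```

Run it with the Drools 5 jars (drools-api, drools-core, drools-compiler and their dependencies) on the classpath; it prints the ids dropped by the window rule and the ids matched by the unbounded form. Two caveats a practitioner will want: with the REALTIME clock and no @timestamp, as in the configuration posted further down, the after[5m] form can only match once five wall-clock minutes separate two insertions, so a test that inserts and fires immediately never sees it; and after[0s,5m] treats two alerts with identical event_date as satisfying the window in both directions, so each would retract the other. If the feed can produce equal timestamps, add a tie-breaker such as id > $s1.id to the second pattern.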
[rules-users] Webguided decision table and nested objects
Hello:

I have fact objects with nested objects, for example:

    Employee
        name
        Address
            street
            city

Wondering if it is possible to use the Webguided decision table at the nested object level (in the above example Address.street).

Thanks,
cabear
Re: [rules-users] DSL matching return wrong DRL
The question has already been answered, but to help you understand how DSL expansion works, here's what happens.

1. The expander goes down the list and matches the first expression against all lines in your rules. So,

    rule dsl2drl_1
    when
        Get month summer
    then
        Print months
    end

becomes

    rule dsl2drl_1
    when
        $month: Month(); summer
    then
        Print months
    end

2. The expander tries to match the second expression, and fails.

3. The expander tries to match the third expression, and succeeds, leaving you with the following DRL.

    rule dsl2drl_1
    when
        $month: Month(); summer
    then
        System.out.println("Month: " + $month.getId());;
    end

Looking at the LHS of the rule, this will not compile.

Matt
Re: [rules-users] CEP Rule Help Needed
Yes, :( Did you see any errors in the rule?

2009/7/22 Greg Barton

> --- On Wed, 7/22/09, Nestor Tarin Burriel wrote:
>
> > So I don't understand why my CEP rules never fire ...
>
> Ah, the eternal lament of the rules developer. :)
>
> Have you tried removing conditions until it does fire?
Re: [rules-users] CEP Rule Help Needed
--- On Wed, 7/22/09, Nestor Tarin Burriel wrote:

> So I don't understand why my CEP rules never fire ...

Ah, the eternal lament of the rules developer. :)

Have you tried removing conditions until it does fire?
Re: [rules-users] optimization on a lot of simple rules
I am wrong, and I don't need to create a new StatelessSession for every request.

nesta wrote:
> Hi Greg,
> Thanks for your help very much.
> I have to create a new StatelessKnowledgeSession for every request, and I tested creating a new StatelessKnowledgeSession on my machine.
> It costs 310ms for 1000 times.
> [...]
Re: [rules-users] optimization on a lot of simple rules
Hi Greg,

Thanks for your help very much.

I have to create a new StatelessKnowledgeSession for every request, and I tested creating a new StatelessKnowledgeSession on my machine. It costs 310ms for 1000 times.

With insert and retract I can keep the StatefulKnowledgeSession instance. I will look into StatelessKnowledgeSession.

Thanks very much again.

On 2009-07-21, "Greg Barton" wrote:

> There's no reason why you have to process all of your rules at once, or in one way. For instance, if the processing of this large set of "what's the decision" rules depends on nothing else, there's no reason they can't be in their own ruleset and processed separately in a StatelessKnowledgeSession. The results can then be passed to the rest of the rules.
>
> In addition, if you do have other rules, then your testing setup is unrealistic. (i.e. throwing in one instance of each type, processing the rules, then retracting them all.)
>
> --- On Tue, 7/21/09, nesta wrote:
>
> > From: nesta
> > Subject: Re: [rules-users] optimization on a lot of simple rules
> > To: rules-users@lists.jboss.org
> > Date: Tuesday, July 21, 2009, 12:44 AM
> >
> > Agree, but I can't choose sequential mode for several reasons.
> > Sequential mode means StatelessKnowledgeSession.
> > 1. every request needs to create a new session (working memory).
> > 2. our ruleset has other rules.
> > 3. with StatefulKnowledgeSession, some facts can be initialized before processing the request.
> > 4. Agenda is needed.
> >
> > Thanks very much.
> >
> > Greg Barton wrote:
> > >
> > > Well, if your rules are going to be that simple, have you tried sequential mode? If there's never any reaction to working memory changes you don't need the rete network. You should get much better performance out of that ruleset, and others like it, in sequential mode.
> > >
> > > See http://downloads.jboss.com/drools/docs/5.0.1.26597.FINAL/drools-expert/html_single/index.html, section "3.3.7.1. Sequential Mode"
> > >
> > > In a nutshell, the rete network is used for tracking and reacting to changes in the objects inserted into working memory. (i.e. a rule fires, changes a WM object, then other rules may be eligible to fire based on that change.) If you're not going to be using that functionality you'd be constructing and maintaining the rete for no reason.
> > >
> > > --- On Mon, 7/20/09, nesta wrote:
> > >
> > > > From: nesta
> > > > Subject: Re: [rules-users] optimization on a lot of simple rules
> > > > To: rules-users@lists.jboss.org
> > > > Date: Monday, July 20, 2009, 10:13 PM
> > > >
> > > > I executed the above test code, with 100 rules running 1000 times. At the same time, I profiled the test code.
> > > > http://www.nabble.com/file/p24581025/profile.jpg
> > > > The profile result shows that some methods execute 100,000 times.
> > > > In the test code,
> > > > Service has two states, 0 or 1.
> > > > Subscriber has two states, 0 or 1.
> > > >
> > > > inserted facts:
> > > >     Product product = new Product(1, 1);
> > > >     Service service = new Service(1);
> > > >     Subscriber subscriber = new Subscriber(1);
> > > >
> > > > Service matches half of the total rules, namely 50. So does Subscriber.
> > > > (50 + 50) * 1000 (running times) = 100,000
> > > >
> > > > I am confused what drools does. Is there a way to optimize it?
> > > >
> > > > Greg Barton wrote:
> > > > >
> > > > > 1) Yes, if you eliminate joins in rules, you will have no joins in the rete. This is self evident.
> > > > >
> > > > > 2) The way you have the rules structured, there is no relationship between the joined objects. This will cause what's called a "cartesian join" where all combinations of all instances of each object type are instantiated. This can be very expensive, memory and CPU wise. You've stated that there is only one instance of each object type in working memory, but are you absolutely sure of that? Cartesian joins can easily cause performance problems quite quickly.
> > > > >
> > > > > For instance, say you've got these objects in working memory:
> > > > >
> > > > >     Subscriber(gender="male")
> > > > >     Subscriber(gender="female")
> > > > >     Service(name="ftp")
> > > > >     Service(name="http")
> > > > >     Product(id=1)
> > > > >     Product(id=2)
> > > > >     Product(id=3)
> > > > >
> > > > > After inserting a Decision into working memory, the rule will fire 2*2*3 times. (#Subscribers * #Services * #Products) This is by design. Is this what you want?
> > > > >
> > > > > 3) Do you really need the 'Subscriber(gender == "male" or "female")' term? Why not just 'Subscriber()'? Are you classifying transgendered or nonhuman subscribers in your system?
> > > > >
> > > > > --- On Mon, 7/20/09, nesta wrote:
> > > > >
> > > > > > From: nesta
> > > > > > Subject: Re: [rules-users] op
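Greg's cartesian join explanation above can be measured rather than argued about. The following is an added example, not code from the thread or from the Drools project: it loads the seven facts Greg lists plus one Decision and counts the firings of a rule that joins the four types without any relationship, next to a rule whose patterns are tied together by a key. The declared types, the field names subscriberId and serviceName, and the AtomicInteger globals are assumptions made for the demonstration; nothing in the thread says what the real objects look like.

```java
import java.util.concurrent.atomic.AtomicInteger;

import org.drools.KnowledgeBase;
import org.drools.KnowledgeBaseFactory;
import org.drools.builder.KnowledgeBuilder;
import org.drools.builder.KnowledgeBuilderFactory;
import org.drools.builder.ResourceType;
import org.drools.definition.type.FactType;
import org.drools.io.ResourceFactory;
import org.drools.runtime.StatefulKnowledgeSession;

// Added example, not from the thread: counts activations of an unconstrained join
// against a keyed join over the working memory Greg describes.
public class CartesianJoinDemo {

    static final String DRL =
        "package demo\n" +
        "global java.util.concurrent.atomic.AtomicInteger cartesianFirings\n" +
        "global java.util.concurrent.atomic.AtomicInteger joinedFirings\n" +
        "declare Subscriber\n    id : int\n    gender : String\nend\n" +
        "declare Service\n    name : String\n    subscriberId : int\nend\n" +   // assumed join key
        "declare Product\n    id : int\n    serviceName : String\nend\n" +      // assumed join key
        "declare Decision\n    name : String\nend\n" +
        // Nothing relates the four patterns, so every Subscriber x Service x Product x Decision
        // combination becomes its own activation: the cartesian join Greg describes.
        "rule \"CartesianDecision\"\n" +
        "when\n" +
        "    Subscriber( gender == \"male\" || gender == \"female\" )\n" +
        "    Service()\n" +
        "    Product()\n" +
        "    Decision()\n" +
        "then\n" +
        "    cartesianFirings.incrementAndGet();\n" +
        "end\n" +
        // Each pattern is constrained by a binding from the previous one, so only the
        // combinations that belong together reach the consequence.
        "rule \"JoinedDecision\"\n" +
        "when\n" +
        "    $sub : Subscriber()\n" +
        "    $svc : Service( subscriberId == $sub.id )\n" +
        "    Product( serviceName == $svc.name )\n" +
        "    Decision()\n" +
        "then\n" +
        "    joinedFirings.incrementAndGet();\n" +
        "end\n";

    public static void main(String[] args) throws Exception {
        KnowledgeBuilder kbuilder = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kbuilder.add(ResourceFactory.newByteArrayResource(DRL.getBytes("UTF-8")), ResourceType.DRL);
        if (kbuilder.hasErrors()) {
            throw new IllegalStateException(kbuilder.getErrors().toString());
        }
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase();
        kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());
        StatefulKnowledgeSession ksession = kbase.newStatefulKnowledgeSession();

        AtomicInteger cartesian = new AtomicInteger();
        AtomicInteger joined = new AtomicInteger();
        ksession.setGlobal("cartesianFirings", cartesian);
        ksession.setGlobal("joinedFirings", joined);

        // Greg's working memory: 2 subscribers, 2 services, 3 products. The keys linking
        // them are constructed for the example.
        insert(ksession, kbase, "Subscriber", "id", 1, "gender", "male");
        insert(ksession, kbase, "Subscriber", "id", 2, "gender", "female");
        insert(ksession, kbase, "Service", "name", "ftp", "subscriberId", 1);
        insert(ksession, kbase, "Service", "name", "http", "subscriberId", 2);
        insert(ksession, kbase, "Product", "id", 1, "serviceName", "ftp");
        insert(ksession, kbase, "Product", "id", 2, "serviceName", "http");
        insert(ksession, kbase, "Product", "id", 3, "serviceName", "http");
        insert(ksession, kbase, "Decision", "name", "decide");

        ksession.fireAllRules();
        System.out.println("CartesianDecision fired " + cartesian.get() + " times");
        System.out.println("JoinedDecision fired " + joined.get() + " times");
        ksession.dispose();
    }

    // Instantiates a DRL-declared type through the FactType API and sets field/value pairs.
    static void insert(StatefulKnowledgeSession ksession, KnowledgeBase kbase,
                       String typeName, Object... fieldsAndValues) throws Exception {
        FactType type = kbase.getFactType("demo", typeName);
        Object fact = type.newInstance();
        for (int i = 0; i < fieldsAndValues.length; i += 2) {
            type.set(fact, (String) fieldsAndValues[i], fieldsAndValues[i + 1]);
        }
        ksession.insert(fact);
    }
}
```

With these facts CartesianDecision fires 12 times (2*2*3, as Greg computes) and JoinedDecision 3 times (ftp belongs to one product, http to two). The reduction comes from giving the join nodes a constraint to index on; counting activations this way, rather than profiling method call counts, is the quickest check for an unintended cartesian product in a ruleset.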
Re: [rules-users] CEP Rule Help Needed
Hi again,

Here is the info from my engine execution:

    KnowledgeBaseConfiguration config = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
    config.setOption( EventProcessingOption.STREAM );
    KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(config);
    kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());

    SessionConfiguration sessionConf = new SessionConfiguration();
    sessionConf.setClockType(ClockType.REALTIME_CLOCK);
    ksession = kbase.newStatefulKnowledgeSession( sessionConf, env);

And here is the inserting method:

    ksession.getWorkingMemoryEntryPoint("Correlator").insert(fact);
    ksession.fireAllRules();

So I don't understand why my CEP rules never fire ...

Thanks again,

nestabur

2009/7/22 Nestor Tarin Burriel

> Hi Edson,
>
> Thanks for the fix, but the problem still happens :(
>
> Here is my complete .drl file:
> [...]
Re: [rules-users] CEP Rule Help Needed
Hi Edson,

Thanks for the fix, but the problem still happens :(

Here is my complete .drl file:

    package Correlator

    global com.s2grupo.triton.global.Context Context

    declare Snort
        @role( event )
        icmp_code : String
        tcp_sport : String
        data : String
        sig_rev : String
        tcp_dport : String
        udp_sport : String
        hostname : String
        interface : String
        sig_priority : String
        icmp_type : String
        id : java.lang.Long
        sig_class_name : String
        ip_dst : String
        sig_name : String
        udp_dport : String
        ip_src : String
        event_date : java.util.Date
    end

    rule "SnortRule"
        salience 2
        dialect "mvel"
        when
            $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
            $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
        then
            System.out.println("** Snort Alert" + $s1.getData());
            retract($s1);
    end

    rule "SnortRuleRetract"
        salience 1
        dialect "mvel"
        when
            $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
            $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"
        then
            retract($s2);
            System.out.println(" * Deleting Fact From WM");
    end

    rule "SnortRule0"
        salience 0
        dialect "mvel"
        when
            $s1 : Snort( this.sig_name != "(portscan) Open Port") from entry-point "Correlator"
        then
            System.out.println("* Snort Alert 0!!" + $s1.getData());
    end

As you can see, I'm trying to correlate Snort events with Drools. With this scenario, the only rule that is firing is "SnortRule0".

2009/7/21 Edson Tirelli
> Your rule is wrong, as you are defining 3 patterns and the second pattern is looking for a fact in the main entry point, not your defined "MyEntryPoint".
> Fix it by doing:
>
>     $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after [0m,5m] $s1) from entry-point "MyEntryPoint"
>
> []s
> Edson
>
> 2009/7/21 nestabur
>> Hi all,
>>
>> I'm getting crazy trying to create a CEP rule in Drools 5.0.1 :(
>>
>> The rule is:
>> ===
>> rule "RetractOlderFacts"
>>     dialect "mvel"
>>     when
>>         $s1 : MyModel( name != "aaa") from entry-point "MyEntryPoint"
>>         $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1) and MyModel ( this after [0m,5m] $s1) from entry-point "MyEntryPoint"
>>     then
>>         retract($s2);
>>         System.out.println(" * Retracting from WM");
>> end
>> ===
>>
>> The scenario is:
>> "After receiving a fact "MyModel" whose name != "aaa", if another arrives with the same ip and a different id after a period of between 0 and 5 minutes, the rule has to retract the last one and keep the first fact (the older one)"
>>
>> After receiving hundreds and hundreds of facts via JMS that may match the rule condition, the rule never fires!
>>
>> Is the rule correct?
>> Could the problem be in the rule engine implementation?
>>
>> Could anyone help me please?
>>
>> Thanks in advance,
>>
>> nestabur
>> --
>> View this message in context: http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html
>> Sent from the drools - user mailing list archive at Nabble.com.
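A small driver for the .drl above, written here as an added example (not code from anyone in this thread): it builds the knowledge base in STREAM mode, inserts into the "Correlator" entry point the rules name, and uses a pseudo clock so that the 5-minute gap `after [5m]` needs actually elapses on the engine's clock. It assumes Drools 5.0.x on the classpath, that the file above is available as `Correlator.drl`, and constructed sample field values.

```java
import java.util.Date;
import java.util.concurrent.TimeUnit;
import org.drools.*;
import org.drools.builder.*;
import org.drools.conf.*;
import org.drools.definition.type.*;
import org.drools.io.*;
import org.drools.runtime.*;
import org.drools.runtime.conf.*;
import org.drools.runtime.rule.*;
import org.drools.time.*;

// Added example, not from the thread. Assumes Drools 5.0.x and Correlator.drl on the classpath.
public class SnortCorrelatorDemo {
    public static void main(String[] args) throws Exception {
        KnowledgeBuilder kbuilder = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kbuilder.add(ResourceFactory.newClassPathResource("Correlator.drl"), ResourceType.DRL);
        if (kbuilder.hasErrors()) throw new IllegalStateException(kbuilder.getErrors().toString());
        // Temporal operators such as "after [5m]" need STREAM event-processing mode.
        KnowledgeBaseConfiguration kconf = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
        kconf.setOption(EventProcessingOption.STREAM);
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(kconf);
        kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());
        // Pseudo clock: the driver advances "now" itself instead of waiting on wall-clock time.
        KnowledgeSessionConfiguration sconf = KnowledgeBaseFactory.newKnowledgeSessionConfiguration();
        sconf.setOption(ClockTypeOption.get("pseudo"));
        StatefulKnowledgeSession session = kbase.newStatefulKnowledgeSession(sconf, null);
        SessionPseudoClock clock = session.getSessionClock();
        // Events must go into the entry point the rules name, not the default one.
        WorkingMemoryEntryPoint ep = session.getWorkingMemoryEntryPoint("Correlator");
        FactType snort = kbase.getFactType("Correlator", "Snort");
        ep.insert(event(snort, 1L, "10.0.0.5", new Date(clock.getCurrentTime())));
        session.fireAllRules();                    // only SnortRule0 can match so far
        // Without @timestamp the event time is the insertion time, so this advance is what
        // "after [5m]" measures; with @timestamp( event_date ) it would use event_date instead.
        clock.advanceTime(6, TimeUnit.MINUTES);
        ep.insert(event(snort, 2L, "10.0.0.5", new Date(clock.getCurrentTime())));
        session.fireAllRules();                    // SnortRule: same ip_dst, more than 5m apart
        session.dispose();
    }

    // Builds a Snort event from the DRL-declared type; all field values are constructed samples.
    static Object event(FactType t, long id, String ipDst, Date when) throws Exception {
        Object e = t.newInstance();
        t.set(e, "id", id);
        t.set(e, "sig_name", "SAMPLE alert");   // anything other than "(portscan) Open Port"
        t.set(e, "ip_dst", ipDst);
        t.set(e, "data", "sample payload");
        t.set(e, "event_date", when);
        return e;
    }
}
```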
Re: [rules-users] CEP Rule Help Needed
Hi Edson,

Thanks for the fix, but the problem still happens :(

Here is my complete .drl file:

    package ArgosCorrelator

    global com.s2grupo.triton.global.Context Context

    declare MyFact
        @role( event )
        id : java.lang.Long
        ip : String
    end

    rule "Rule1"
        salience 2
        dialect "mvel"
        when
            $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "ArgosCorrelator"
            $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "ArgosCorrelator"
        then
            System.out.println("** Evento Snort Ejecutado" + $s1.getData());
            retract($s1);
    end

    rule "SnortRuleRetract"
        salience 1
        dialect "mvel"
        when
            $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "ArgosCorrelator"
            $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "ArgosCorrelator"
        then
            retract($s2);
            System.out.println(" * Evento Snort Eliminado de la WM");
    end

    rule "SnortRule0"
        salience 0
        dialect "mvel"
        when
            $s1 : Snort( this.sig_name != "(portscan) Open Port") from entry-point "ArgosCorrelator"
        then
            System.out.println("* Alerta Snort 0!!" + $s1.getData());
    end

2009/7/21 Edson Tirelli
> Your rule is wrong, as you are defining 3 patterns and the second pattern is looking for a fact in the main entry point, not your defined "MyEntryPoint".
> Fix it by doing:
>
>     $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after [0m,5m] $s1) from entry-point "MyEntryPoint"
>
> []s
> Edson
>
> 2009/7/21 nestabur
>> Hi all,
>>
>> I'm getting crazy trying to create a CEP rule in Drools 5.0.1 :(
>>
>> The rule is:
>> ===
>> rule "RetractOlderFacts"
>>     dialect "mvel"
>>     when
>>         $s1 : MyModel( name != "aaa") from entry-point "MyEntryPoint"
>>         $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1) and MyModel ( this after [0m,5m] $s1) from entry-point "MyEntryPoint"
>>     then
>>         retract($s2);
>>         System.out.println(" * Retracting from WM");
>> end
>> ===
>>
>> The scenario is:
>> "After receiving a fact "MyModel" whose name != "aaa", if another arrives with the same ip and a different id after a period of between 0 and 5 minutes, the rule has to retract the last one and keep the first fact (the older one)"
>>
>> After receiving hundreds and hundreds of facts via JMS that may match the rule condition, the rule never fires!
>>
>> Is the rule correct?
>> Could the problem be in the rule engine implementation?
>>
>> Could anyone help me please?
>>
>> Thanks in advance,
>>
>> nestabur
>> --
>> View this message in context: http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html
>> Sent from the drools - user mailing list archive at Nabble.com.