Re: [rules-users] CEP Rule Help Needed

2009-07-22 Thread Greg Barton

Without @timestamp the event time is the insertion time.

--- On Thu, 7/23/09, PriyaKathan  wrote:

> From: PriyaKathan 
> Subject: Re: [rules-users] CEP Rule Help Needed
> To: "Rules Users List" 
> Date: Thursday, July 23, 2009, 12:37 AM
> Hi,
> I found one thing missing here...
> It is @timestamp in event declaration...


  

___
rules-users mailing list
rules-users@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users


Re: [rules-users] CEP Rule Help Needed

2009-07-22 Thread PriyaKathan
Hi,
I found one thing missing here...
It is @timestamp in event declaration...

On Thu, Jul 23, 2009 at 1:06 AM, Greg Barton  wrote:

>
> Ah, overlooked that second rule.  Have you tried the overlap operator?
>
> So, just to clarify, the purpose of the two rules should be:
>
> SnortRule: If two Snort events that are not port scans of an open port on
> the same destination arrive more than 5 minutes apart, delete the earlier
> one.
>
> SnortRuleRetract: If two Snort events that are not port scans of an open
> port on any two destinations arrive within 5 minutes of each other, delete
> the earlier one.
>
> Have you tried removing the temporal operators completely, just for testing
> purposes?  What happens?  i.e.
>
> "TimelessSnortRule"
> $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point
> "Correlator"
> $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id,
> ip_dst == $s1.ip_dst) from entry-point "Correlator"
>
> "TimelessSnortRuleRetract"
> $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point
> "Correlator"
> $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id)
> from entry-point "Correlator"
>
>
> --- On Wed, 7/22/09, Nestor Tarin Burriel  wrote:
>
> > From: Nestor Tarin Burriel 
> > Subject: Re: [rules-users] CEP Rule Help Needed
> > To: "Rules Users List" 
> > Date: Wednesday, July 22, 2009, 1:47 PM
> > Thanks Greg,
> >
> > As you can see in the code I sent, I have the 2
> > implementations:
> >
> > "SnortRule"
> >
> > $s1 : Snort( sig_name !=
> > "(portscan) Open Port") from entry-point
> > "Correlator"
> >
> > $s2 : Snort( sig_name != "(portscan)
> > Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this
> > after [5m] $s1) from entry-point "Correlator"
> >
> >
> > "SnortRuleRetract"
> > $s1 : Snort( sig_name !=
> > "(portscan) Open Port") from entry-point
> > "Correlator"
> > $s2 : Snort ( sig_name != "(portscan)
> > Open Port" , id != $s1.id, this after [0m,5m] $s1) from
> > entry-point "Correlator"
> >
> >
> > and any of them are thrown
> >
> > ...
> >
> > 2009/7/22 Greg Barton 
> >
> >
> >
> > Maybe this is a problem of language.  Here's what you
> > say the rule should do:
> >
> >
> >
> > 'After receiving a fact "MyModel" wich name
> > != "aaa", if arrives another
> >
> > with same ip and different id after a
> > period between 0 and 5 minutes the
> >
> > rule have to retract the last one and keep the first
> > fact (the older one)'
> >
> >
> >
> > Which I would interpret as "Event 1 comes in, then
> > event 2 comes in between 0 and 5 minutes later."  Does
> > that sound right?
> >
> >
> >
> > And here's the rule that you think fits the
> > requirements:
> >
> >
> >
> > rule "SnortRule"
> >
> > salience 2
> >
> > dialect "mvel"
> >
> > when
> >
> > $s1 : Snort( sig_name != "(portscan) Open
> > Port") from entry-point "Correlator"
> >
> > $s2 : Snort( sig_name != "(portscan) Open
> > Port" , id != $s1.id, ip_dst == $s1.ip_dst, this
> > after [5m] $s1) from entry-point "Correlator"
> >
> > then
> >
> > System.out.println("**
> > Snort Alert" + $s1.getData());
> >
> > retract($s1);
> >
> > end
> >
> >
> >
> > Check out the docs, though:
> >
> >
> >
> >
> https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
> >
> >
> >
> >
> > The after operator in this case would check that (5m <=
> > $s2.startTimestamp - $s1.endTimeStamp <= +infinity).
> >
> >
> >
> > So the rule actually implements "Event 1 comes in,
> > then event 2 happens at least 5 minutes later."
> >
> >
> >
> > If you use the second argument of after I think it would
> > work:
> >
> >
> >
> > $s2 : Snort( sig_name != "(portscan) Open Port" ,
> > id != $s1.id, ip_dst == $s1.ip_dst, this
> > after [0m,5m] $s1) from entry-point "Correlator"
> >
> >
> >
> > According to the docs this should check that (0m <=
> > $s2.startTimestamp - $s1.endTimeStamp <= 5m).
> >
> >
> >
> > You could alternately use "overlaps".  Place an
> > @duration(5m) annotation on the Snort declaration and try
> > this condition:
> >
> >
> >
> > $s2 : Snort( sig_name != "(portscan) Open Port" ,
> > id != $s1.id, ip_dst == $s1.ip_dst, this
> > overlaps $s1) from entry-point "Correlator"




Re: [rules-users] CEP Rule Help Needed

2009-07-22 Thread Greg Barton

Ah, overlooked that second rule.  Have you tried the overlap operator?

So, just to clarify, the purpose of the two rules should be:

SnortRule: If two Snort events that are not port scans of an open port on the 
same destination arrive more than 5 minutes apart, delete the earlier one. 

SnortRuleRetract: If two Snort events that are not port scans of an open port 
on any two destinations arrive within 5 minutes of each other, delete the 
earlier one.

Have you tried removing the temporal operators completely, just for testing 
purposes?  What happens?  i.e.

"TimelessSnortRule"
$s1 : Snort( sig_name != "(portscan) Open Port") from entry-point 
"Correlator"
$s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst 
== $s1.ip_dst) from entry-point "Correlator"

"TimelessSnortRuleRetract"
$s1 : Snort( sig_name != "(portscan) Open Port") from entry-point 
"Correlator"
$s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id) from 
entry-point "Correlator"


--- On Wed, 7/22/09, Nestor Tarin Burriel  wrote:

> From: Nestor Tarin Burriel 
> Subject: Re: [rules-users] CEP Rule Help Needed
> To: "Rules Users List" 
> Date: Wednesday, July 22, 2009, 1:47 PM
> Thanks Greg,
> 
> As you can see in the code I sent, I have the 2
> implementations:
> 
> "SnortRule"
> 
>         $s1 : Snort( sig_name !=
> "(portscan) Open Port") from entry-point
> "Correlator"
> 
>         $s2 : Snort( sig_name != "(portscan)
> Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this
> after [5m] $s1) from entry-point "Correlator"
> 
> 
> "SnortRuleRetract"
>         $s1 : Snort( sig_name !=
> "(portscan) Open Port") from entry-point
> "Correlator"
>         $s2 : Snort ( sig_name != "(portscan)
> Open Port" , id != $s1.id, this after [0m,5m] $s1) from
> entry-point "Correlator"
> 
> 
> and any of them are thrown
> 
> ...
> 
> 2009/7/22 Greg Barton 
> 
> 
> 
> Maybe this is a problem of language.  Here's what you
> say the rule should do:
> 
> 
> 
> > 'After receiving a fact "MyModel" which name
> != "aaa", if arrives another
> 
> with same ip and different id after a
> period between 0 and 5 minutes the
> 
> rule have to retract the last one and keep the first
> fact (the older one)'
> 
> 
> 
> Which I would interpret as "Event 1 comes in, then
> event 2 comes in between 0 and 5 minutes later."  Does
> that sound right?
> 
> 
> 
> And here's the rule that you think fits the
> requirements:
> 
> 
> 
> rule "SnortRule"
> 
>     salience 2
> 
>     dialect "mvel"
> 
>     when
> 
>         $s1 : Snort( sig_name != "(portscan) Open
> Port") from entry-point "Correlator"
> 
>         $s2 : Snort( sig_name != "(portscan) Open
> Port" , id != $s1.id, ip_dst == $s1.ip_dst, this
> after [5m] $s1) from entry-point "Correlator"
> 
>     then
> 
>         System.out.println("**
> Snort Alert" + $s1.getData());
> 
>         retract($s1);
> 
> end
> 
> 
> 
> Check out the docs, though:
> 
> 
> 
> https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
> 
> 
> 
> 
> The after operator in this case would check that (5m <=
> $s2.startTimestamp - $s1.endTimeStamp <= +infinity).
> 
> 
> 
> So the rule actually implements "Event 1 comes in,
> then event 2 happens at least 5 minutes later."
> 
> 
> 
> If you use the second argument of after I think it would
> work:
> 
> 
> 
> $s2 : Snort( sig_name != "(portscan) Open Port" ,
> id != $s1.id, ip_dst == $s1.ip_dst, this
> after [0m,5m] $s1) from entry-point "Correlator"
> 
> 
> 
> According to the docs this should check that (0m <=
> $s2.startTimestamp - $s1.endTimeStamp <= 5m).
> 
> 
> 
> You could alternately use "overlaps".  Place an
> @duration(5m) annotation on the Snort declaration and try
> this condition:
> 
> 
> 
> $s2 : Snort( sig_name != "(portscan) Open Port" ,
> id != $s1.id, ip_dst == $s1.ip_dst, this
> overlaps $s1) from entry-point "Correlator"


  



Re: [rules-users] CEP Rule Help Needed

2009-07-22 Thread Nestor Tarin Burriel
Thanks Greg,

As you can see in the code I sent, I have the 2 implementations:

"SnortRule"

$s1 : Snort( sig_name != "(portscan) Open Port") from entry-point
"Correlator"
$s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id,
ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"

"SnortRuleRetract"
$s1 : Snort( sig_name != "(portscan) Open Port") from entry-point
"Correlator"
$s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id,
this after [0m,5m] $s1) from entry-point "Correlator"

and any of them are thrown

...

2009/7/22 Greg Barton 

>
> Maybe this is a problem of language.  Here's what you say the rule should
> do:
>
> 'After receiving a fact "MyModel" which name != "aaa", if arrives another
> with same ip and different id after a period between 0 and 5 minutes the
> rule have to retract the last one and keep the first fact (the older one)'
>
> Which I would interpret as "Event 1 comes in, then event 2 comes in between
> 0 and 5 minutes later."  Does that sound right?
>
> And here's the rule that you think fits the requirements:
>
> rule "SnortRule"
>salience 2
>dialect "mvel"
>when
>$s1 : Snort( sig_name != "(portscan) Open Port") from entry-point
> "Correlator"
>$s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id,
> ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
>then
>System.out.println("** Snort Alert" +
> $s1.getData());
>retract($s1);
> end
>
> Check out the docs, though:
>
>
> https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
>
> The after operator in this case would check that (5m <= $s2.startTimestamp
> - $s1.endTimeStamp <= +infinity).
>
> So the rule actually implements "Event 1 comes in, then event 2 happens at
> least 5 minutes later."
>
> If you use the second argument of after I think it would work:
>
> $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst ==
> $s1.ip_dst, this after [0m,5m] $s1) from entry-point "Correlator"
>
> According to the docs this should check that (0m <= $s2.startTimestamp -
> $s1.endTimeStamp <= 5m).
>
> You could alternately use "overlaps".  Place an @duration(5m) annotation on
> the Snort declaration and try this condition:
>
> $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst ==
> $s1.ip_dst, this overlaps $s1) from entry-point "Correlator"


Re: [rules-users] CEP Rule Help Needed

2009-07-22 Thread Greg Barton

Maybe this is a problem of language.  Here's what you say the rule should do:

'After receiving a fact "MyModel" which name != "aaa", if arrives another
with same ip and different id after a period between 0 and 5 minutes the
rule have to retract the last one and keep the first fact (the older one)'

Which I would interpret as "Event 1 comes in, then event 2 comes in between 0 
and 5 minutes later."  Does that sound right?

And here's the rule that you think fits the requirements:

rule "SnortRule"
    salience 2
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst,
                     this after [5m] $s1) from entry-point "Correlator"
    then
        System.out.println("** Snort Alert" + $s1.getData());
        retract($s1);
end

Check out the docs, though:

https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622

The after operator in this case would check that (5m <= $s2.startTimestamp - 
$s1.endTimeStamp <= +infinity).  

So the rule actually implements "Event 1 comes in, then event 2 happens at least 
5 minutes later."

If you use the second argument of after I think it would work:

$s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == 
$s1.ip_dst, this after [0m,5m] $s1) from entry-point "Correlator"

According to the docs this should check that (0m <= $s2.startTimestamp - 
$s1.endTimeStamp <= 5m).  

You could alternately use "overlaps".  Place an @duration(5m) annotation on the 
Snort declaration and try this condition:

$s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == 
$s1.ip_dst, this overlaps $s1) from entry-point "Correlator"

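The interval checks above can be exercised offline. The following Python model is an added example, not code from any of the posts or from Drools itself: it implements `after` exactly as the docs are quoted here (lo <= $s2.startTimestamp - $s1.endTimestamp <= hi, with the single-argument form `after [5m]` having no upper bound), evaluates the left-hand sides of "SnortRule" and "SnortRuleRetract" over four constructed alerts, and then runs the same alerts with insertion-time stamps to show what Greg's remark at the top of the page, that without @timestamp the event time is the insertion time, does to both rules. The Snort class, the ids, signature names, addresses and times are all constructed for the example.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Optional

MS_PER_MIN = 60_000                 # the rules express their bounds in minutes ([5m], [0m,5m])
PORTSCAN = "(portscan) Open Port"   # signature excluded by every pattern in the thread


@dataclass(frozen=True)
class Snort:
    """Subset of the Snort event declared in the thread (constructed fields only)."""
    id: int
    sig_name: str
    ip_dst: str
    timestamp: int      # event time in ms; @timestamp(event_date) would bind it here
    duration: int = 0   # @duration would bind this; 0 makes start == end (point event)

    @property
    def start(self) -> int:
        return self.timestamp

    @property
    def end(self) -> int:
        return self.timestamp + self.duration


def after(s2: Snort, s1: Snort, lo_ms: int, hi_ms: Optional[int] = None) -> bool:
    """'$s2 : ... this after [lo, hi] $s1' as quoted from the Fusion docs:
    lo <= $s2.startTimestamp - $s1.endTimestamp <= hi; hi=None stands for
    +infinity, i.e. the single-argument form 'after [5m]'."""
    gap = s2.start - s1.end
    return gap >= lo_ms and (hi_ms is None or gap <= hi_ms)


def snort_rule(s1: Snort, s2: Snort) -> bool:
    """LHS of "SnortRule": same ip_dst, $s2 at least five minutes after $s1."""
    return (s1.sig_name != PORTSCAN and s2.sig_name != PORTSCAN
            and s2.id != s1.id and s2.ip_dst == s1.ip_dst
            and after(s2, s1, 5 * MS_PER_MIN))


def snort_rule_retract(s1: Snort, s2: Snort) -> bool:
    """LHS of "SnortRuleRetract": any ip_dst, $s2 between zero and five minutes after $s1."""
    return (s1.sig_name != PORTSCAN and s2.sig_name != PORTSCAN
            and s2.id != s1.id
            and after(s2, s1, 0, 5 * MS_PER_MIN))


def matches(rule, events):
    """Every ordered ($s1, $s2) binding the rule would activate on, as (s1.id, s2.id)."""
    return sorted((a.id, b.id) for a, b in permutations(events, 2) if rule(a, b))


def sample(use_event_time: bool):
    """Four constructed alerts for one host: real alerts at minutes 0, 2 and 9 plus a
    portscan at minute 3. With use_event_time=False the stamps are what the engine
    sees without @timestamp: the insertion time, here one millisecond apart."""
    base = 1_248_300_000_000                     # constructed epoch-ms origin
    rows = [(1, "ICMP PING", "10.0.0.5", 0),
            (2, "ICMP PING", "10.0.0.5", 2),
            (3, PORTSCAN, "10.0.0.5", 3),
            (4, "WEB-MISC /etc/passwd", "10.0.0.5", 9)]
    events = []
    for order, (eid, sig, dst, minute) in enumerate(rows):
        stamp = base + minute * MS_PER_MIN if use_event_time else base + order
        events.append(Snort(eid, sig, dst, stamp))
    return events


if __name__ == "__main__":
    for label, flag in (("@timestamp(event_date)", True), ("insertion time", False)):
        ev = sample(flag)
        print(f"{label:22}  SnortRule -> {matches(snort_rule, ev)}"
              f"  SnortRuleRetract -> {matches(snort_rule_retract, ev)}")
```

With event-time stamps the [5m] rule activates on the pairs (1,4) and (2,4) and the [0m,5m] rule on (1,2) only. With insertion-time stamps every gap is a few milliseconds, so the [5m] rule can never activate, while the retract rule pairs every non-portscan alert with every later one regardless of ip_dst. That second result is worth checking before a retract rule is used as a correlation window: as written, an alert on one host can suppress an unrelated alert on another.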


[rules-users] Webguided decision table and nested objects

2009-07-22 Thread Wishing Carebear
Hello:
I have a facts objects with nested objects : example:
 Employee
 name
 Address
  street
  city


Wondering if it is possible to use Webguided decision table at the nested
object level (in the above example Address.street)

Thanks,
cabear


Re: [rules-users] DSL matching return wrong DRL

2009-07-22 Thread Matt Geis

The question has already been answered, but to help you understand how DSL 
expansion works, here's what happens.

1.  The expander goes down the list and matches the first expression against 
all lines in your rules.  So, 

rule dsl2drl_1
when
  Get month summer
then
  Print months;
end

becomes

rule dsl2drl_1
when
  $month: Month(); summer
then
  Print months;
end

2.  The expander tries to match the second expression, and fails.

3.  The expander tries to match the third expression, and succeeds, leaving you 
with the following DRL.

rule dsl2drl_1
when
  $month: Month(); summer
then
  System.out.println("Month: " + $month.getId());;
end

Looking at the LHS of the rule, this will not compile.


Matt


  
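As an added example (not Matt's code and not the Drools expander itself), here is a small Python model of the sequential expansion he describes. The .dsl file is not shown in the thread, so the three entries below are assumed, chosen so that a run reproduces his three steps exactly; the real expander is more elaborate, but the order dependence and the leftover text that breaks the LHS are the same.

```python
import re

# Assumed DSL entries (the thread does not show the .dsl file). The first "when"
# entry matches "Get month" but covers nothing after it, the second never gets a
# chance because the line has already been rewritten, and the "then" entry already
# ends in ';' so the rule's own ';' survives as a second one.
DSL = """\
[when]Get month=$month: Month();
[when]Get month {name}=$month: Month( name == "{name}" )
[then]Print months=System.out.println("Month: " + $month.getId());
"""

# The rule from the thread, before expansion.
RULE = """\
rule dsl2drl_1
when
  Get month summer
then
  Print months;
end
"""


def parse_dsl(text):
    """Return (scope, compiled pattern, replacement) triples in file order.
    {var} placeholders in the key become named groups; everything else is literal."""
    entries = []
    for line in text.splitlines():
        m = re.match(r'\[(when|then)\](.*?)=(.*)', line)
        if not m:
            continue
        scope, key, value = m.groups()
        pattern = ''.join(
            r'(?P<%s>.+?)' % part[1:-1] if part.startswith('{') else re.escape(part)
            for part in re.split(r'(\{[^}]+\})', key))
        entries.append((scope, re.compile(pattern), value))
    return entries


def _sections(lines):
    """Tag each rule line with the section it belongs to ('when', 'then' or None)."""
    scopes, scope = [], None
    for line in lines:
        word = line.strip()
        if word in ('when', 'then', 'end'):
            scope = None if word == 'end' else word
            scopes.append(None)
        else:
            scopes.append(scope)
    return scopes


def expand(rule, dsl):
    """Sequential expansion: take the DSL entries one at a time, in file order, and
    try each against every line of its section. Only the matched span is rewritten;
    text the key did not cover stays in the line, which is how 'summer' survives."""
    lines = rule.splitlines()
    scopes = _sections(lines)
    for entry_scope, pattern, value in parse_dsl(dsl):
        for i, line in enumerate(lines):
            if scopes[i] != entry_scope:
                continue
            m = pattern.search(line)
            if not m:
                continue
            body = value
            for name, text in m.groupdict().items():
                body = body.replace('{%s}' % name, text)
            lines[i] = line[:m.start()] + body + line[m.end():]
    return '\n'.join(lines) + '\n'


if __name__ == "__main__":
    print(expand(RULE, DSL))
```

The output is the DRL Matt shows in step 3: `$month: Month(); summer` on the LHS, which does not compile, and a doubled `;;` on the RHS. Swapping the two "when" entries, or writing the key so that it covers the whole line, is the kind of change that makes the expansion come out clean.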


Re: [rules-users] CEP Rule Help Needed

2009-07-22 Thread Nestor Tarin Burriel
Yes, :(

Did you see some errors at the rule?

2009/7/22 Greg Barton 

>
>
> --- On Wed, 7/22/09, Nestor Tarin Burriel  wrote:
>
> > So I don't understand why my CEP rules never fire ...
>
> Ah, the eternal lament of the rules developer. :)
>
> Have you tried removing conditions until it does fire?
>


Re: [rules-users] CEP Rule Help Needed

2009-07-22 Thread Greg Barton


--- On Wed, 7/22/09, Nestor Tarin Burriel  wrote:

> So I don't understand why my CEP rules never fire ...

Ah, the eternal lament of the rules developer. :)

Have you tried removing conditions until it does fire?  


  


Re: [rules-users] optimization on a lot of simple rules

2009-07-22 Thread nesta

I am wrong, and I don't need to create new StatelessSession for every
request.


nesta wrote:
> 
> Hi Greg,
> Thanks for your help very much.
> I have to new StatelessKnowledgeSession for every request, and I test new
> StatelessKnowledgeSession in my machine. 
> It costs 310ms for 1000 times.
> 
> With insert, retract I can keep the StatefulKnowledgeSession instance.
> I will look into StatelessKnowledgeSession.
> Thanks very much again.
> 
> On 2009-07-21, "Greg Barton" wrote:
>>
>>There's no reason why you have to process all of your rules at once, or in
one way.  For instance, if the processing of this large set of "what's the
decision" rules depend on nothing else, there's no reason they can't be in
their own ruleset and processed separately in a  StatelessKnowledgeSession. 
The results can then be passed to the rest of the rules.  
>>
>>In addition, if you do have other rules, then your testing setup is
unrealistic. (i.e. throwing in one instance of each type, processing the
rules, then retracting them all.)  
>>
>>--- On Tue, 7/21/09, nesta  wrote:
>>
>>> From: nesta 
>>> Subject: Re: [rules-users] optimization on a lot of simple rules
>>> To: rules-users@lists.jboss.org
>>> Date: Tuesday, July 21, 2009, 12:44 AM
>>> 
>>> Agree, but I can't choose sequential mode for several
>>> reasons.
>>> Sequential mode means StatelessKnowledgeSession.
>>> 1. every request needs to create a new session(working
>>> memory).
>>> 2. our ruleset has other rules.
>>> 3. with StatefulKnowledgeSession, some facts can be
>>> initialized before
>>> process the request.
>>> 4. Agenda is needed.
>>> 
>>> Thanks very much.
>>> 
>>> 
>>> Greg Barton wrote:
>>> > 
>>> > 
>>> > Well, if your rules are going to be that simple, have
>>> you tried sequential
>>> > mode?  If there's never any reaction to working
>>> memory changes you don't
>>> > need the rete network.  You should get much
>>> better performance out of that
>>> > ruleset, and others like it, in sequential mode.
>>> > 
>>> > See
>>> >
>>> http://downloads.jboss.com/drools/docs/5.0.1.26597.FINAL/drools-expert/html_single/index.html,
>>> > section "3.3.7.1. Sequential Mode"
>>> > 
>>> > In a nutshell, the rete network is used for tracking
>>> and reacting to
>>> > changes in the objects inserted into working memory.
>>> (i.e. a rule fires,
>>> > changes a WM object, then other rules may be eligible
>>> to fire based on
>>> > that change.) If you're not going to be using that
>>> functionality you'd be
>>> > constructing and maintaining the rete for no
>>> reason.
>>> > 
>>> > --- On Mon, 7/20/09, nesta 
>>> wrote:
>>> > 
>>> >> From: nesta 
>>> >> Subject: Re: [rules-users] optimization on a lot
>>> of simple rules
>>> >> To: rules-users@lists.jboss.org
>>> >> Date: Monday, July 20, 2009, 10:13 PM
>>> >> 
>>> >> I execute above test codes, with 100 rules running
>>> 1000
>>> >> times. In the same
>>> >> time, I profile the test codes.
>>> >> http://www.nabble.com/file/p24581025/profile.jpg 
>>> >> The profile result shows that some methods execute
>>> 100,000
>>> >> times.
>>> >> In test codes, 
>>> >> Service has two states, 0 or 1.
>>> >> Subscriber has two states, 0 or 1.
>>> >> 
>>> >> inserted facts:
>>> >> Product product = new Product(1, 1);
>>> >> Service service = new Service(1);
>>> >> Subscriber subscriber = new Subscriber(1);
>>> >> 
>>> >> Service matches a half of total rules, namely 50.
>>> So is
>>> >> Subscriber.
>>> >> (50 + 50 ) * 1000 (running times) = 100,000
>>> >> 
>>> >> I am confused what drools does. Is there a way to
>>> optimize
>>> >> it?
>>> >> 
>>> >> 
>>> >> Greg Barton wrote:
>>> >> > 
>>> >> > 
>>> >> > 1) Yes, if you eliminate joins in rules, you
>>> will have
>>> >> no joins in the
>>> >> > rete.  This is self evident.
>>> >> > 
>>> >> > 2) The way you have the rules structured,
>>> there is no
>>> >> relationship between
>>> >> > the joined objects.  This will cause what's
>>> >> called a "cartesian join"
>>> >> > where all combinations of all instances of
>>> each object
>>> >> type are
>>> >> > instantiated.  This can be very expensive,
>>> memory
>>> >> and CPU wise.  You've
>>> >> > stated that there are only one instance of
>>> each object
>>> >> type in working
>>> >> > memory, but are you absolutely sure of
>>> that?
>>> >> Cartesian joins can easily
>>> >> > cause performance problems quite quickly.
>>> >> > 
>>> >> > For instance, say you've got these objects in
>>> working
>>> >> memory:
>>> >> > 
>>> >> > Subscriber(gender="male")
>>> >> > Subscriber(gender="female")
>>> >> > Service(name="ftp")
>>> >> > Service(name="http")
>>> >> > Product(id=1)
>>> >> > Product(id=2)
>>> >> > Product(id=3)
>>> >> > 
>>> >> > After inserting a Decision into working
>>> memory, the
>>> >> rule will fire 2*2*3
>>> >> > times.  (#Subscribers * #Services *
>>> #Products)
>>> >> This is by design.  Is this
>>> >> > what you want?
>>> >> > 
>>> >> > 3) Do you really need the 'Subscriber(gender
>>> == "male"
>>> >> or "female")' term? 
>>> >> 

Re: [rules-users] optimization on a lot of simple rules

2009-07-22 Thread nesta.fdb
Hi Greg,
Thanks for your help very much.
I have to new StatelessKnowledgeSession for every request, and I test new 
StatelessKnowledgeSession in my machine. 
It costs 310ms for 1000 times.

With insert, retract I can keep the StatefulKnowledgeSession instance.
I will look into StatelessKnowledgeSession.
Thanks very much again.

On 2009-07-21, "Greg Barton" wrote:
>
>There's no reason why you have to process all of your rules at once, or in one 
>way.  For instance, if the processing of this large set of "what's the 
>decision" rules depend on nothing else, there's no reason they can't be in 
>their own ruleset and processed separately in a  StatelessKnowledgeSession.  
>The results can then be passed to the rest of the rules.  
>
>In addition, if you do have other rules, then your testing setup is 
>unrealistic. (i.e. throwing in one instance of each type, processing the 
>rules, then retracting them all.)  
>
>--- On Tue, 7/21/09, nesta  wrote:
>
>> From: nesta 
>> Subject: Re: [rules-users] optimization on a lot of simple rules
>> To: rules-users@lists.jboss.org
>> Date: Tuesday, July 21, 2009, 12:44 AM
>> 
>> Agree, but I can't choose sequential mode for several
>> reasons.
>> Sequential mode means StatelessKnowledgeSession.
>> 1. every request needs to create a new session(working
>> memory).
>> 2. our ruleset has other rules.
>> 3. with StatefulKnowledgeSession, some facts can be
>> initialized before
>> process the request.
>> 4. Agenda is needed.
>> 
>> Thanks very much.
>> 
>> 
>> Greg Barton wrote:
>> > 
>> > 
>> > Well, if your rules are going to be that simple, have
>> you tried sequential
>> > mode?  If there's never any reaction to working
>> memory changes you don't
>> > need the rete network.  You should get much
>> better performance out of that
>> > ruleset, and others like it, in sequential mode.
>> > 
>> > See
>> > http://downloads.jboss.com/drools/docs/5.0.1.26597.FINAL/drools-expert/html_single/index.html,
>> > section "3.3.7.1. Sequential Mode"
>> > 
>> > In a nutshell, the rete network is used for tracking
>> and reacting to
>> > changes in the objects inserted into working memory.
>> (i.e. a rule fires,
>> > changes a WM object, then other rules may be eligible
>> to fire based on
>> > that change.) If you're not going to be using that
>> functionality you'd be
>> > constructing and maintaining the rete for no
>> reason.
>> > 
>> > --- On Mon, 7/20/09, nesta 
>> wrote:
>> > 
>> >> From: nesta 
>> >> Subject: Re: [rules-users] optimization on a lot
>> of simple rules
>> >> To: rules-users@lists.jboss.org
>> >> Date: Monday, July 20, 2009, 10:13 PM
>> >> 
>> >> I execute above test codes, with 100 rules running
>> 1000
>> >> times. In the same
>> >> time, I profile the test codes.
>> >> http://www.nabble.com/file/p24581025/profile.jpg 
>> >> The profile result shows that some methods execute
>> 100,000
>> >> times.
>> >> In test codes, 
>> >> Service has two states, 0 or 1.
>> >> Subscriber has two states, 0 or 1.
>> >> 
>> >> inserted facts:
>> >> Product product = new Product(1, 1);
>> >> Service service = new Service(1);
>> >> Subscriber subscriber = new Subscriber(1);
>> >> 
>> >> Service matches a half of total rules, namely 50.
>> So is
>> >> Subscriber.
>> >> (50 + 50 ) * 1000 (running times) = 100,000
>> >> 
>> >> I am confused what drools does. Is there a way to
>> optimize
>> >> it?
>> >> 
>> >> 
>> >> Greg Barton wrote:
>> >> > 
>> >> > 
>> >> > 1) Yes, if you eliminate joins in rules, you
>> will have
>> >> no joins in the
>> >> > rete.  This is self evident.
>> >> > 
>> >> > 2) The way you have the rules structured,
>> there is no
>> >> relationship between
>> >> > the joined objects.  This will cause what's
>> >> called a "cartesian join"
>> >> > where all combinations of all instances of
>> each object
>> >> type are
>> >> > instantiated.  This can be very expensive,
>> memory
>> >> and CPU wise.  You've
>> >> > stated that there are only one instance of
>> each object
>> >> type in working
>> >> > memory, but are you absolutely sure of
>> that?
>> >> Cartesian joins can easily
>> >> > cause performance problems quite quickly.
>> >> > 
>> >> > For instance, say you've got these objects in
>> working
>> >> memory:
>> >> > 
>> >> > Subscriber(gender="male")
>> >> > Subscriber(gender="female")
>> >> > Service(name="ftp")
>> >> > Service(name="http")
>> >> > Product(id=1)
>> >> > Product(id=2)
>> >> > Product(id=3)
>> >> > 
>> >> > After inserting a Decision into working
>> memory, the
>> >> rule will fire 2*2*3
>> >> > times.  (#Subscribers * #Services *
>> #Products)
>> >> This is by design.  Is this
>> >> > what you want?
>> >> > 
>> >> > 3) Do you really need the 'Subscriber(gender
>> == "male"
>> >> or "female")' term? 
>> >> > Why not just 'Subscriber()'?  Are you
>> classifying
>> >> transgendered or
>> >> > nonhuman subscribers in your system?
>> >> > 
>> >> > --- On Mon, 7/20/09, nesta 
>> >> wrote:
>> >> > 
>> >> >> From: nesta 
>> >> >> Subject: Re: [rules-users] op

Re: [rules-users] CEP Rule Help Needed

2009-07-22 Thread Nestor Tarin Burriel
Hi again,

Here is the info from my engine execution:

KnowledgeBaseConfiguration config =
KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
config.setOption( EventProcessingOption.STREAM );

KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(config);
kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());

SessionConfiguration sessionConf = new SessionConfiguration();
sessionConf.setClockType(ClockType.REALTIME_CLOCK);

ksession = kbase.newStatefulKnowledgeSession(
sessionConf, env);

And here is the inserting method:
ksession.getWorkingMemoryEntryPoint("Correlator").insert(fact);
ksession.fireAllRules();

So I don't understand why my CEP rules never fire ...

Thanks again,

nestabur

2009/7/22 Nestor Tarin Burriel 

> Hi Edson,
>
> Thanks for the fix, but the problem still happens :(
>
> Here is my complete .drl file:
>
> package Correlator
> global com.s2grupo.triton.global.Context Context
>
> declare Snort
> @role( event )
> icmp_code: String
> tcp_sport: String
> data: String
> sig_rev: String
> tcp_dport: String
> udp_sport: String
> hostname: String
> interface: String
> sig_priority: String
> icmp_type: String
> id: java.lang.Long
> sig_class_name: String
> ip_dst: String
> sig_name: String
> udp_dport: String
> ip_src: String
> event_date: java.util.Date
> end
>
> rule "SnortRule"
> salience 2
> dialect "mvel"
> when
> $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point
> "Correlator"
> $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id,
> ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
> then
> System.out.println("** Snort Alert" +
> $s1.getData());
> retract($s1);
> end
>
>
> rule "SnortRuleRetract"
> salience 1
> dialect "mvel"
> when
> $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point
> "Correlator"
> $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id,
> this after [0m,5m] $s1) from entry-point "Correlator"
> then
> retract($s2);
> System.out.println(" * Deleting Fact From WM");
> end
>
>
> rule "SnortRule0"
> salience 0
> dialect "mvel"
> when
> $s1 : Snort( this.sig_name != "(portscan) Open Port") from
> entry-point "Correlator"
> then
> System.out.println("* Snort Alert 0!!" + $s1.getData());
> end
>
> As you can see, I'm trying to correlate snort events with drools.
>
> With this scenario, the only rule that is firing is "SnortRule0"
>
> 2009/7/21 Edson Tirelli 
>
>>
>>Your rule is wrong, as you are defining 3 patterns and the second
>> pattern is looking for a fact in the main entry point, not your defined
>> "MyEntryPoint".
>>Fix it doing:
>>
>> $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after
>> [0m,5m] $s1) from entry-point "MyEntryPoint"
>>
>>[]s
>>Edson
>>
>> 2009/7/21 nestabur 
>>
>>
>>> Hi all,
>>>
>>> I'm getting crazy trying to create a CEP rule in drools 5.0.1 :(
>>>
>>> The rule is:
>>> ===
>>> rule "RetractOlderFacts"
>>>dialect "mvel"
>>>when
>>>$s1 : MyModel( name != "aaa") from entry-point
>>> "MyEntryPoint"
>>>$s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1)
>>> and MyModel (
>>> this after [0m,5m] $s1) from entry-point "MyEntryPoint"
>>>then
>>>retract($s2);
>>>System.out.println(" * Retracting from WM");
>>> end
>>> ===
>>>
>>> The scenario is:
>>> "After receiving a fact "MyModel" which name != "aaa", if arrives another
>>> with same ip and different id after a period between 0 and 5 minutes the
>>> rule have to retract the last one and keep the first fact (the older
>>> one)"
>>>
>>> After receiving hundreds and hundreds of facts via JMS that may match with
>>> the
>>> rule condition, the rule never throws!
>>>
>>> is the rule correct?
>>> could the problem be at the rule engine implementation?
>>>
>>> Could anyone help me please?
>>>
>>> Thanks in advance,
>>>
>>> nestabur
>>> --
>>> View this message in context:
>>> http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html
>>> Sent from the drools - user mailing list archive at Nabble.com.


Re: [rules-users] CEP Rule Help Needed

2009-07-22 Thread Nestor Tarin Burriel
Hi Edson,

Thanks for the fix, but the problem still happens :(

Here is my complete .drl file:

package Correlator
global com.s2grupo.triton.global.Context Context

declare Snort
    @role( event )
    icmp_code: String
    tcp_sport: String
    data: String
    sig_rev: String
    tcp_dport: String
    udp_sport: String
    hostname: String
    interface: String
    sig_priority: String
    icmp_type: String
    id: java.lang.Long
    sig_class_name: String
    ip_dst: String
    sig_name: String
    udp_dport: String
    ip_src: String
    event_date: java.util.Date
end

rule "SnortRule"
    salience 2
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst,
                     this after [5m] $s1) from entry-point "Correlator"
    then
        System.out.println("** Snort Alert" + $s1.getData());
        retract($s1);
end


rule "SnortRuleRetract"
    salience 1
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id,
                     this after [0m,5m] $s1) from entry-point "Correlator"
    then
        retract($s2);
        System.out.println(" * Deleting Fact From WM");
end


rule "SnortRule0"
    salience 0
    dialect "mvel"
    when
        $s1 : Snort( this.sig_name != "(portscan) Open Port") from entry-point "Correlator"
    then
        System.out.println("* Snort Alert 0!!" + $s1.getData());
end

As you can see, I'm trying to correlate snort events with drools.

With this scenario, the only rule that is firing is "SnortRule0"

2009/7/21 Edson Tirelli 

>
>Your rule is wrong, as you are defining 3 patterns and the second
> pattern is looking for a fact in the main entry point, not your defined
> "MyEntryPoint".
>Fix it by doing:
>
> $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after
> [0m,5m] $s1) from entry-point "MyEntryPoint"
>
>[]s
>Edson
>
> 2009/7/21 nestabur 
>
>
>> Hi all,
>>
>> I'm getting crazy trying to create a CEP rule in drools 5.0.1 :(
>>
>> The rule is:
>> ===
>> rule "RetractOlderFacts"
>>dialect "mvel"
>>when
>>$s1 : MyModel( name != "aaa") from entry-point
>> "MyEntryPoint"
>>$s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1)
>> and MyModel (
>> this after [0m,5m] $s1) from entry-point "MyEntryPoint"
>>then
>>retract($s2);
>>System.out.println(" * Retracting from WM");
>> end
>> ===
>>
>> The scenario is:
>> "After receiving a fact "MyModel" whose name != "aaa", if another arrives
>> with the same ip and a different id after a period between 0 and 5 minutes,
>> the rule has to retract the last one and keep the first fact (the older one)"
>>
>> After receiving hundreds and hundreds of facts via JMS that may match the
>> rule condition, the rule never throws!
>>
>> is the rule correct?
>> could the problem be at the rule engine implementation?
>>
>> Could anyone help me please?
>>
>> Thanks in advance,
>>
>> nestabur
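To check what the two temporal rules above actually do against controlled event times, here is an added Java harness that is not part of this thread or of the Drools project. It embeds a trimmed copy of "SnortRule" and "SnortRuleRetract" (same patterns, only the fields they use), builds a STREAM-mode knowledge base with the Drools 5.0.x org.drools API, and inserts constructed Snort events into the "Correlator" entry point while advancing a pseudo clock. The signature name, IP and data strings are constructed sample values. Because no @timestamp is declared, every event's time is the session clock at insertion, which is why the clock must be advanced between inserts for either window to be satisfied.

```java
import java.util.concurrent.TimeUnit;

import org.drools.KnowledgeBase;
import org.drools.KnowledgeBaseConfiguration;
import org.drools.KnowledgeBaseFactory;
import org.drools.builder.KnowledgeBuilder;
import org.drools.builder.KnowledgeBuilderFactory;
import org.drools.builder.ResourceType;
import org.drools.conf.EventProcessingOption;
import org.drools.definition.type.FactType;
import org.drools.io.ResourceFactory;
import org.drools.runtime.KnowledgeSessionConfiguration;
import org.drools.runtime.StatefulKnowledgeSession;
import org.drools.runtime.conf.ClockTypeOption;
import org.drools.runtime.rule.WorkingMemoryEntryPoint;
import org.drools.time.SessionPseudoClock;

// Added harness for the thread's correlation rules; the DRL below is a trimmed copy of them.
public class SnortCorrelationHarness {

    // No @timestamp on the event: its time is the session clock at insertion time.
    private static final String DRL =
        "package Correlator\n" +
        "declare Snort\n" +
        "    @role( event )\n" +
        "    id : java.lang.Long\n" +
        "    ip_dst : String\n" +
        "    sig_name : String\n" +
        "    data : String\n" +
        "end\n" +
        "rule \"SnortRule\"\n" +
        "    salience 2\n" +
        "    dialect \"mvel\"\n" +
        "    when\n" +
        "        $s1 : Snort( sig_name != \"(portscan) Open Port\" ) from entry-point \"Correlator\"\n" +
        "        $s2 : Snort( sig_name != \"(portscan) Open Port\", id != $s1.id,\n" +
        "                     ip_dst == $s1.ip_dst, this after[5m] $s1 ) from entry-point \"Correlator\"\n" +
        "    then\n" +
        "        System.out.println(\"** Snort Alert: \" + $s1.getData());\n" +
        "        retract($s1);\n" +
        "end\n" +
        "rule \"SnortRuleRetract\"\n" +
        "    salience 1\n" +
        "    dialect \"mvel\"\n" +
        "    when\n" +
        "        $s1 : Snort( sig_name != \"(portscan) Open Port\" ) from entry-point \"Correlator\"\n" +
        "        $s2 : Snort( sig_name != \"(portscan) Open Port\", id != $s1.id,\n" +
        "                     this after[0m,5m] $s1 ) from entry-point \"Correlator\"\n" +
        "    then\n" +
        "        System.out.println(\" * Deleting duplicate: \" + $s2.getData());\n" +
        "        retract($s2);\n" +
        "end\n";

    public static void main(String[] args) throws Exception {
        KnowledgeBuilder kbuilder = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kbuilder.add(ResourceFactory.newByteArrayResource(DRL.getBytes("UTF-8")), ResourceType.DRL);
        if (kbuilder.hasErrors()) {
            throw new IllegalStateException(kbuilder.getErrors().toString());
        }

        // Temporal operators over entry points need STREAM event processing mode.
        KnowledgeBaseConfiguration kbConf = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
        kbConf.setOption(EventProcessingOption.STREAM);
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(kbConf);
        kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());

        // Pseudo clock: the harness advances time explicitly instead of waiting on the wall clock.
        KnowledgeSessionConfiguration ksConf = KnowledgeBaseFactory.newKnowledgeSessionConfiguration();
        ksConf.setOption(ClockTypeOption.get("pseudo"));
        StatefulKnowledgeSession ksession = kbase.newStatefulKnowledgeSession(ksConf, null);
        SessionPseudoClock clock = ksession.getSessionClock();

        // Events must be inserted into the entry point the rules read from, not the main working memory.
        WorkingMemoryEntryPoint correlator = ksession.getWorkingMemoryEntryPoint("Correlator");
        FactType snortType = kbase.getFactType("Correlator", "Snort");

        try {
            correlator.insert(newSnort(snortType, 1L, "10.0.0.5", "first alert (t=0)"));
            ksession.fireAllRules();   // nothing to correlate yet

            clock.advanceTime(2, TimeUnit.MINUTES);
            correlator.insert(newSnort(snortType, 2L, "10.0.0.5", "second alert (t=2m)"));
            ksession.fireAllRules();   // after[0m,5m] holds: SnortRuleRetract removes the second event

            clock.advanceTime(6, TimeUnit.MINUTES);
            correlator.insert(newSnort(snortType, 3L, "10.0.0.5", "third alert (t=8m)"));
            ksession.fireAllRules();   // after[5m] holds: SnortRule alerts on, then retracts, the first event
        } finally {
            ksession.dispose();
        }
    }

    // Builds a constructed Snort event; the signature name is a placeholder that is not a port scan.
    private static Object newSnort(FactType type, long id, String ipDst, String data) throws Exception {
        Object snort = type.newInstance();
        type.set(snort, "id", Long.valueOf(id));
        type.set(snort, "ip_dst", ipDst);
        type.set(snort, "sig_name", "EXAMPLE signature");
        type.set(snort, "data", data);
        return snort;
    }
}
```

With the pseudo clock the second insert lands inside the [0m,5m] window and the third outside it, so the two rules fire exactly once each. If the events carry their own time (the thread's declaration has an event_date field), declaring `@timestamp( event_date )` on the event makes the engine use that value instead of the insertion time, which matters when events are replayed from a queue in bursts.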


Re: [rules-users] CEP Rule Help Needed

2009-07-22 Thread Nestor Tarin Burriel
Hi Edson,

Thanks for the fix, but the problem still happens :(

Here is my complete .drl file:

package ArgosCorrelator
global com.s2grupo.triton.global.Context Context

declare MyFact
    @role( event )
    id: java.lang.Long
    ip: String
end

rule "Rule1"
    salience 2
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "ArgosCorrelator"
        $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id,
                     ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "ArgosCorrelator"
    then
        System.out.println("** Evento Snort Ejecutado" + $s1.getData());
        retract($s1);
end


rule "SnortRuleRetract"
    salience 1
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "ArgosCorrelator"
        $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id,
                      this after [0m,5m] $s1) from entry-point "ArgosCorrelator"
    then
        retract($s2);
        System.out.println(" * Evento Snort Eliminado de la WM");
end


rule "SnortRule0"
    salience 0
    dialect "mvel"
    when
        $s1 : Snort( this.sig_name != "(portscan) Open Port") from entry-point "ArgosCorrelator"
    then
        System.out.println("* Alerta Snort 0!!" + $s1.getData());
end


2009/7/21 Edson Tirelli 

>
>Your rule is wrong, as you are defining 3 patterns and the second
> pattern is looking for a fact in the main entry point, not your defined
> "MyEntryPoint".
>Fix it by doing:
>
> $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after
> [0m,5m] $s1) from entry-point "MyEntryPoint"
>
>[]s
>Edson
>
> 2009/7/21 nestabur 
>
>
>> Hi all,
>>
>> I'm getting crazy trying to create a CEP rule in drools 5.0.1 :(
>>
>> The rule is:
>> ===
>> rule "RetractOlderFacts"
>>dialect "mvel"
>>when
>>$s1 : MyModel( name != "aaa") from entry-point
>> "MyEntryPoint"
>>$s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1)
>> and MyModel (
>> this after [0m,5m] $s1) from entry-point "MyEntryPoint"
>>then
>>retract($s2);
>>System.out.println(" * Retracting from WM");
>> end
>> ===
>>
>> The scenario is:
>> "After receiving a fact "MyModel" whose name != "aaa", if another arrives
>> with the same ip and a different id after a period between 0 and 5 minutes,
>> the rule has to retract the last one and keep the first fact (the older one)"
>>
>> After receiving hundreds and hundreds of facts via JMS that may match the
>> rule condition, the rule never throws!
>>
>> is the rule correct?
>> could the problem be at the rule engine implementation?
>>
>> Could anyone help me please?
>>
>> Thanks in advance,
>>
>> nestabur