Re: [rules-users] Webguided decision table and nested objects
Hi,

just write this in the 'Field' box: address.street - sure, it's not perfect (the GUI doesn't let you go deeper and provide the proper fields to choose), but it's possible.

Cheers,
Jarek

Wishing Carebear wrote:
> Hello:
>
> I have fact objects with nested objects. Example:
>
>     Employee
>         name
>         Address
>             street
>             city
>
> Wondering if it is possible to use the Webguided decision table at the nested object level (in the above example Address.street).
>
> Thanks,
> cabear

___
rules-users mailing list
rules-users@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
Re: [rules-users] CEP Rule Help Needed
Yes, that is the purpose ;) I will try ;)

Thanks 4 your help

2009/7/22 Greg Barton greg_bar...@yahoo.com:
> Ah, overlooked that second rule. Have you tried the overlap operator?
>
> So, just to clarify, the purpose of the two rules should be:
>
> SnortRule: If two Snort events that are not port scans of an open port on the same destination arrive more than 5 minutes apart, delete the earlier one.
>
> SnortRuleRetract: If two Snort events that are not port scans of an open port on any two destinations arrive within 5 minutes of each other, delete the earlier one.
>
> Have you tried removing the temporal operators completely, just for testing purposes? What happens? i.e.
>
>     TimelessSnortRule
>         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point Correlator
>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst ) from entry-point Correlator
>
>     TimelessSnortRuleRetract
>         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point Correlator
>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id ) from entry-point Correlator
>
> --- On Wed, 7/22/09, Nestor Tarin Burriel nesta...@gmail.com wrote:
>
>> From: Nestor Tarin Burriel nesta...@gmail.com
>> Subject: Re: [rules-users] CEP Rule Help Needed
>> To: Rules Users List rules-users@lists.jboss.org
>> Date: Wednesday, July 22, 2009, 1:47 PM
>>
>> Thanks Greg,
>>
>> As you can see in the code I sent, I have the 2 implementations:
>>
>>     SnortRule
>>         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point Correlator
>>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point Correlator
>>
>>     SnortRuleRetract
>>         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point Correlator
>>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, this after [0m,5m] $s1 ) from entry-point Correlator
>>
>> and none of them are thrown ...
>>
>> 2009/7/22 Greg Barton greg_bar...@yahoo.com:
>>> Maybe this is a problem of language. Here's what you say the rule should do:
>>>
>>> 'After receiving a fact MyModel which name != aaa, if arrives another with same ip and different id after a period between 0 and 5 minutes the rule have to retract the last one and keep the first fact (the older one)'
>>>
>>> Which I would interpret as: Event 1 comes in, then event 2 comes in between 0 and 5 minutes later. Does that sound right?
>>>
>>> And here's the rule that you think fits the requirements:
>>>
>>>     rule SnortRule
>>>         salience 2
>>>         dialect "mvel"
>>>     when
>>>         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point Correlator
>>>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point Correlator
>>>     then
>>>         System.out.println("** Snort Alert " + $s1.getData());
>>>         retract($s1);
>>>     end
>>>
>>> Check out the docs, though:
>>> https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
>>>
>>> The after operator in this case would check that (5m <= $s2.startTimestamp - $s1.endTimeStamp <= +infinity). So the rule actually implements: Event 1 comes in, then event 2 happens at least 5 minutes later.
>>>
>>> If you use the second argument of after I think it would work:
>>>
>>>     $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1 ) from entry-point Correlator
>>>
>>> According to the docs this should check that (0m <= $s2.startTimestamp - $s1.endTimeStamp <= 5m).
>>>
>>> You could alternately use overlaps. Place an @duration(5m) annotation on the Snort declaration and try this condition:
>>>
>>>     $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1 ) from entry-point Correlator
Re: [rules-users] CEP Rule Help Needed
Hi again Greg,

I've tried your suggestion and it seems like the facts that the rule is checking are the same. This is my last try:

    rule SnortRuleRetract
        dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port" )
        $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id )
    then
        retract($s2);
        System.out.println("* Deleting from WM");
    end

And it is never fired ... There are no more rules in the package, this is the only one ... so I don't understand anything ... could the error be in the engine? I don't retract any fact ... as you can see in my code ...

NEStor

2009/7/23 Nestor Tarin Burriel nesta...@gmail.com:
> Yes, that is the purpose ;) I will try ;)
> [...]
[rules-users] Problem when using multiple rule files (Drools 5)
Hey,

I have a drl file with round about 100 rules. When I run this single file everything is fine! When I split the file into two files and add them separately into the ruleBase I get the following Exception during the inserting of the facts:

    java.lang.NullPointerException
        at org.drools.base.ClassFieldReader.isNullValue(ClassFieldReader.java:183)
        at org.drools.base.evaluators.EqualityEvaluatorsDefinition$IntegerEqualEvaluator.evaluate(EqualityEvaluatorsDefinition.java:1482)
        at org.drools.rule.LiteralRestriction.isAllowed(LiteralRestriction.java:92)
        at org.drools.rule.OrCompositeRestriction.isAllowed(OrCompositeRestriction.java:25)

The code looks like this:

    RuleBase ruleBase = RuleBaseFactory.newRuleBase();
    for (int i = 0; i < rules.length; i++) {
        Package pkg = getPackage(i);
        ruleBase.addPackage(pkg);
    }

    for (int i = 0; i < facts.length; i++) {
        Object fact = facts[i];
        workingMemory.insert(fact); // Exception, when multiple rule files
    }

Any ideas ?
Re: [rules-users] Problem when using multiple rule files (Drools 5)
On 7/23/09, Olaf Raether o.raet...@epro.de wrote:
> The code looks like this:
>
>     RuleBase ruleBase = RuleBaseFactory.newRuleBase();
>     for (int i = 0; i < rules.length; i++) {
>         Package pkg = getPackage(i);
>         ruleBase.addPackage(pkg);
>     }

I'd expect to find Package pkg = rules[i]; or similar in the loop. Anyway, this doesn't tell how the Package objects were created from your two rules files, which might be significant. Do you check for package build errors?

-W

>     for (int i = 0; i < facts.length; i++) {
>         Object fact = facts[i];
>         workingMemory.insert(fact); // Exception, when multiple rule files
>     }
Re: [rules-users] Problem when using multiple rule files (Drools 5)
I create the *.pkg files with the following app:

--

    import java.io.File;
    import java.io.FileOutputStream;
    import java.io.InputStreamReader;
    import java.io.ObjectOutputStream;
    import java.net.URL;

    import org.drools.RuleBase;
    import org.drools.RuleBaseFactory;
    import org.drools.WorkingMemory;
    import org.drools.rule.Package;
    import org.drools.compiler.PackageBuilder;

    public class DroolsPackageWriter {

        String[] fileNames = { "rulefile1", "rulefile2" };

        public void readWritePackages() {
            for (int i = 0; i < fileNames.length; i++) {
                try {
                    RuleBase ruleBase = RuleBaseFactory.newRuleBase();
                    PackageBuilder builder = new PackageBuilder();
                    String ruleFile = fileNames[i] + ".drl";
                    System.out.println("Lese:" + ruleFile);
                    builder.addPackageFromDrl(new InputStreamReader(DroolsPackageWriter.class.getResourceAsStream(ruleFile)));
                    Package pkg = builder.getPackage();
                    ruleBase.addPackage(pkg);
                    WorkingMemory workingMemory = ruleBase.newStatefulSession();
                    workingMemory.fireAllRules();
                    URL url = DroolsPackageWriter.class.getResource(ruleFile);
                    String file = url.getPath().replaceAll("%20", " ").replaceAll(".drl", ".pkg");
                    File f = new File(file);
                    ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f));
                    pkg.writeExternal(out);
                    out.close(); // flush the ObjectOutputStream buffer, otherwise the file is truncated
                    System.out.println("geschrieben:" + file);
                } catch (Exception ex) {
                    ex.printStackTrace();
                }
            }
        }

        /**
         * @param args
         */
        public static void main(String[] args) {
            DroolsPackageWriter dpw = new DroolsPackageWriter();
            dpw.readWritePackages();
        }
    }

--

In the app where I read the *.pkg files the code looks like this:

---

    String[] rules = new String[] { "rule1.pkg", "rule2.pkg" };
    RuleBase ruleBase = RuleBaseFactory.newRuleBase();
    for (int i = 0; i < rules.length; i++) {
        String ruleFile = rules[i];
        log.debug("Loading file: " + ruleFile);
        Package pkg = new Package();
        pkg.readExternal(new ObjectInputStream(this.getClass().getResourceAsStream(ruleFile)));
        ruleBase.addPackage(pkg);
    }
    WorkingMemory workingMemory = ruleBase.newStatefulSession();
    setGlobals(workingMemory);
    Object[] facts = { /* anything you want */ };
    for (int i = 0; i < facts.length; i++) {
        Object fact = facts[i];
        log.debug("Inserting fact: " + fact);
        try {
            workingMemory.insert(fact);
        } catch (NullPointerException npe) {
            System.out.println("NPE bei Fact:" + fact);
            npe.printStackTrace();
        }
    }
    workingMemory.fireAllRules();
    log.debug("END: runRules()");
    }

---

Hope this helps - to help me !

Wolfgang Laun-2 wrote:
> On 7/23/09, Olaf Raether o.raet...@epro.de wrote:
>> The code looks like this:
>> [...]
>
> I'd expect to find Package pkg = rules[i]; or similar in the loop. Anyway, this doesn't tell how the Package objects were created from your two rules files, which might be significant. Do you check for package build errors?
>
> -W
Re: [rules-users] Problem when using multiple rule files (Drools 5)
Consider adapting to the new API using KnowledgeBuilder etc. You can use an ObjectOutput/InputStream with write/readObject on Collection<KnowledgePackage>, which simplifies matters somewhat.

See below, two remarks.

On 7/23/09, Olaf Raether o.raet...@epro.de wrote:
> I create the *.pkg files with the following app:
> [...]
>                     builder.addPackageFromDrl(new InputStreamReader(DroolsPackageWriter.class.getResourceAsStream(ruleFile)));

Here, call builder.getErrors() or at least builder.hasErrors() and check the result.

>                     Package pkg = builder.getPackage();
>                     ruleBase.addPackage(pkg);
> [...]
> In the app where I read the *.pkg files the code looks like this:
>
>     String[] rules = new String[] { "rule1.pkg", "rule2.pkg" };

Above, we had rulefile1, rulefile2?

> [...]
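As an added illustration of Wolfgang's two suggestions (this is my own example, not code from the thread or from the Drools project): compile each rule file with KnowledgeBuilder, stop when hasErrors() reports a problem instead of silently adding a half-built package, and round-trip the resulting Collection<KnowledgePackage> through ObjectOutputStream/ObjectInputStream rather than Package.writeExternal/readExternal. The class name and .pkg file names are my own; the .drl names are taken from Olaf's post and are assumed to be on the classpath; the Drools 5 class names (KnowledgeBuilderFactory, KnowledgeBaseFactory, ResourceFactory, ResourceType, KnowledgePackage) are the ones I know from the 5.x knowledge API.

```java
package example;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Collection;

import org.drools.KnowledgeBase;
import org.drools.KnowledgeBaseFactory;
import org.drools.builder.KnowledgeBuilder;
import org.drools.builder.KnowledgeBuilderFactory;
import org.drools.builder.ResourceType;
import org.drools.definition.KnowledgePackage;
import org.drools.io.ResourceFactory;
import org.drools.runtime.StatefulKnowledgeSession;

/** Added example: build DRL files into packages, serialize them, and load them back. */
public class PackageRoundTrip {

    /** Compile one DRL resource from the classpath; a build error is fatal, not ignored. */
    static Collection<KnowledgePackage> compile(String drlPath) {
        KnowledgeBuilder kbuilder = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kbuilder.add(ResourceFactory.newClassPathResource(drlPath), ResourceType.DRL);
        if (kbuilder.hasErrors()) {
            // Wolfgang's point: check the builder, otherwise a broken package is written out
            throw new IllegalStateException("DRL build failed for " + drlPath + ": " + kbuilder.getErrors());
        }
        return kbuilder.getKnowledgePackages();
    }

    /** Write the whole package collection with plain Java serialization (one writeObject call). */
    static void writePackages(Collection<KnowledgePackage> pkgs, String file) throws IOException {
        ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(file));
        try {
            out.writeObject(pkgs);
        } finally {
            out.close(); // close() flushes the buffered bytes to disk
        }
    }

    /** Read a package collection back; the file must come from our own build, never from user input. */
    @SuppressWarnings("unchecked")
    static Collection<KnowledgePackage> readPackages(String file) throws IOException, ClassNotFoundException {
        ObjectInputStream in = new ObjectInputStream(new FileInputStream(file));
        try {
            return (Collection<KnowledgePackage>) in.readObject();
        } finally {
            in.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // File names from the thread; the .drl files are assumed to be on the classpath.
        String[] drls = { "rulefile1.drl", "rulefile2.drl" };
        String[] pkgFiles = { "rulefile1.pkg", "rulefile2.pkg" };

        for (int i = 0; i < drls.length; i++) {
            writePackages(compile(drls[i]), pkgFiles[i]);
        }

        // Loading side: every package collection goes into one KnowledgeBase.
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase();
        for (String pkgFile : pkgFiles) {
            kbase.addKnowledgePackages(readPackages(pkgFile));
        }

        StatefulKnowledgeSession ksession = kbase.newStatefulKnowledgeSession();
        try {
            // insert facts here, then run the rules
            ksession.fireAllRules();
        } finally {
            ksession.dispose();
        }
    }
}
```

Two things worth keeping in mind when adopting this pattern: the .pkg files are ordinary Java serialized objects, so they should be produced by your own build and loaded only from a location that untrusted users cannot write to (readObject() on attacker-controlled bytes is a well-known code-execution risk, and a rule package is executable logic in its own right), and if both DRL files declare the same package name, addKnowledgePackages merges them into that one package, which is what you want when a rule set has been split across files.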
Re: [rules-users] CEP Rule Help Needed
Hi

Find attached working example for CEP rule with the scenario you stated. Here I used Pseudo clock. Hope this would help you to understand better.

Regards,
Priya

2009/7/23 Nestor Tarin Burriel nesta...@gmail.com:
> Hi again Greg,
>
> I've tried your suggestion and it seems like the facts that the rule is checking are the same. This is my last try:
> [...]
Re: [rules-users] Problem when using multiple rule files (Drools 5)
Thanks so far - I will change the API calls and post my results.
Re: [rules-users] CEP Rule Help Needed
Finally I've solved my problem. It was in the engine:

Looking at the doc, for inserting a new fact into a stream of the working memory it says:

    ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert();

Which is perfect but not for my environment ;), I was inserting the events in different WMs because in each one I did

    ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert(myFact);

so I solved it doing:

    myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
    for (Fact a : Facts)
        myWorkingMemoryEP.insert(a);

I don't know if this is the correct use of EntryPoints but it works!

Thanks to everybody especially Greg and Priya :)

2009/7/23 PriyaKathan nash.8...@gmail.com:
> Hi
>
> Find attached working example for CEP rule with the scenario you stated. Here I used Pseudo clock. Hope this would help you to understand better.
>
> Regards,
> Priya
> [...]
Re: [rules-users] CEP Rule Help Needed
So do you mean this didn't work:

    myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
    for (Fact a : Facts)
        ksession.getWorkingMemoryEntryPoint(correlatorName).insert(a);

...but this did?

    myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
    for (Fact a : Facts)
        myWorkingMemoryEP.insert(a);

--- On Thu, 7/23/09, Nestor Tarin Burriel nesta...@gmail.com wrote:

> From: Nestor Tarin Burriel nesta...@gmail.com
> Subject: Re: [rules-users] CEP Rule Help Needed
> To: Rules Users List rules-users@lists.jboss.org
> Date: Thursday, July 23, 2009, 9:47 AM
>
> Finally I've solved my problem. It was in the engine:
> [...]
Re: [rules-users] CEP Rule Help Needed
In my case yes...

2009/7/23 Greg Barton greg_bar...@yahoo.com
So do you mean this didn't work:

    myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
    for (Fact a : Facts)
        ksession.getWorkingMemoryEntryPoint(correlatorName).insert(a);

...but this did?

    myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
    for (Fact a : Facts)
        myWorkingMemoryEP.insert(a);

--- On Thu, 7/23/09, Nestor Tarin Burriel nesta...@gmail.com wrote:

From: Nestor Tarin Burriel nesta...@gmail.com
Subject: Re: [rules-users] CEP Rule Help Needed
To: Rules Users List rules-users@lists.jboss.org
Date: Thursday, July 23, 2009, 9:47 AM

Finally I've solved my problem. It was in the engine: Looking at the doc, for inserting a new fact into a stream of the working memory it says:

    ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert();

Which is perfect but not for my environment ;), I was inserting the events in different WMs cause in each one I did

    ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert(myFact);

so I solved it doing:

    myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
    for (Fact a : Facts)
        myWorkingMemoryEP.insert(a);

I don't know if this is the correct use of EntryPoints but it works! Thanks to everybody, especially Greg and Priya :)

2009/7/23 PriyaKathan nash.8...@gmail.com
Hi

Find attached a working example for a CEP rule with the scenario you stated. Here I used the Pseudo clock. Hope this would help you to understand better.

Regards,
Priya

2009/7/23 Nestor Tarin Burriel nesta...@gmail.com
Hi again Greg,

I've tried your suggestion and it seems like the facts that the rule is checking are the same. This is my last try:

    rule "SnortRuleRetract"
        dialect "mvel"
        when
            $s1 : Snort( sig_name != "(portscan) Open Port" )
            $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id )
        then
            retract($s2);
            System.out.println( "* Deleting from WM" );
    end

And it is never fired ... There are no more rules in the package, this is the only one ... so I don't understand anything ... could the error be in the engine?
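As an added example, not code from the thread or from Drools itself, here is a self-contained Drools 5 program that wires up the SnortRuleRetract rule the way the final message in the thread describes: one entry-point handle obtained once and reused for every insert, the knowledge base in STREAM event-processing mode (without which the temporal operators are not evaluated), and the session pseudo clock so the after[0m,5m] window can be driven deterministically instead of sleeping for real minutes. The package name snort.correlation, the declared Snort event type, the four alert values and the rule text are all constructed for this example, and it assumes Drools 5.0.x (drools-api, drools-core, drools-compiler) on the classpath. It also keeps the ip_dst == $s1.ip_dst constraint from the poster's SnortRule, so only a repeated alert for the same destination is retracted, which is the generalisation a correlation engine actually wants.

```java
package snort.correlation;

import java.util.concurrent.TimeUnit;

import org.drools.KnowledgeBase;
import org.drools.KnowledgeBaseConfiguration;
import org.drools.KnowledgeBaseFactory;
import org.drools.builder.KnowledgeBuilder;
import org.drools.builder.KnowledgeBuilderFactory;
import org.drools.builder.ResourceType;
import org.drools.conf.EventProcessingOption;
import org.drools.definition.type.FactType;
import org.drools.io.ResourceFactory;
import org.drools.runtime.KnowledgeSessionConfiguration;
import org.drools.runtime.StatefulKnowledgeSession;
import org.drools.runtime.conf.ClockTypeOption;
import org.drools.runtime.rule.WorkingMemoryEntryPoint;
import org.drools.time.SessionPseudoClock;

/**
 * Added example, not code from the mailing-list thread or from Drools.
 * Assumes Drools 5.0.x on the classpath; the Snort type, the alert values
 * and the rule text below are constructed for this example.
 */
public class SnortDedupExample {

    // Constructed DRL: Snort is declared as an event so temporal operators apply,
    // and both patterns read from the same entry point the Java side inserts into.
    private static final String DRL =
        "package snort.correlation\n" +
        "declare Snort\n" +
        "    @role( event )\n" +
        "    id : int\n" +
        "    sig_name : String\n" +
        "    ip_dst : String\n" +
        "end\n" +
        "rule \"SnortRuleRetract\"\n" +
        "when\n" +
        "    $s1 : Snort( sig_name != \"(portscan) Open Port\" ) from entry-point \"Correlator\"\n" +
        "    $s2 : Snort( sig_name != \"(portscan) Open Port\", id != $s1.id, ip_dst == $s1.ip_dst,\n" +
        "                 this after[0m,5m] $s1 ) from entry-point \"Correlator\"\n" +
        "then\n" +
        "    retract( $s2 );\n" +
        "    System.out.println( \"retracted Snort#\" + $s2.getId() + \" (kept Snort#\" + $s1.getId() + \")\" );\n" +
        "end\n";

    public static void main(String[] args) throws Exception {
        KnowledgeBuilder kbuilder = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kbuilder.add(ResourceFactory.newByteArrayResource(DRL.getBytes("UTF-8")), ResourceType.DRL);
        if (kbuilder.hasErrors()) {
            throw new IllegalStateException(kbuilder.getErrors().toString());
        }

        // STREAM mode is required for after/before/overlap to be evaluated.
        KnowledgeBaseConfiguration kbConf = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
        kbConf.setOption(EventProcessingOption.STREAM);
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(kbConf);
        kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());

        // Pseudo clock: the program advances time itself instead of using the wall clock.
        KnowledgeSessionConfiguration ksConf = KnowledgeBaseFactory.newKnowledgeSessionConfiguration();
        ksConf.setOption(ClockTypeOption.get("pseudo"));
        StatefulKnowledgeSession ksession = kbase.newStatefulKnowledgeSession(ksConf, null);
        SessionPseudoClock clock = ksession.getSessionClock();

        // One entry-point handle, obtained once and reused for every insert.
        WorkingMemoryEntryPoint correlator = ksession.getWorkingMemoryEntryPoint("Correlator");
        FactType snortType = kbase.getFactType("snort.correlation", "Snort");

        // Constructed alerts: { id, sig_name, ip_dst, arrival minute }.
        // #2 repeats #1 within 5 minutes -> retracted; #3 is a port scan -> ignored by the rule;
        // #4 arrives 9 minutes after #1 -> outside the window, kept.
        Object[][] alerts = {
            { 1, "EXAMPLE alert signature", "10.0.0.5", 0 },
            { 2, "EXAMPLE alert signature", "10.0.0.5", 2 },
            { 3, "(portscan) Open Port",    "10.0.0.5", 3 },
            { 4, "EXAMPLE alert signature", "10.0.0.5", 9 },
        };
        long lastMinute = 0;
        for (Object[] a : alerts) {
            long minute = ((Integer) a[3]).longValue();
            clock.advanceTime(minute - lastMinute, TimeUnit.MINUTES);
            lastMinute = minute;

            Object event = snortType.newInstance();
            snortType.set(event, "id", a[0]);
            snortType.set(event, "sig_name", a[1]);
            snortType.set(event, "ip_dst", a[2]);
            correlator.insert(event);
            ksession.fireAllRules();
        }
        System.out.println("events left in Correlator: " + correlator.getObjects().size());
        ksession.dispose();
    }
}
```

The point of driving the session from a pseudo clock is that the window semantics become testable: with the four constructed alerts the rule fires exactly once (retracting #2 and keeping #1), the port scan never matches either pattern, and #4 is untouched because it lies outside after[0m,5m] of any surviving event. If the rule never fires in a setup like this, the first things to check are that the knowledge base was built with EventProcessingOption.STREAM and that every insert goes to the entry point named in the rule, which is the mismatch the thread's author reported resolving.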