Re: [rules-users] Webguided decision table and nested objects

2009-07-23 Thread Jaroslaw Kijanowski
Hi,
  just write this in the 'Field' box: address.street - sure, it's not 
perfect (the GUI doesn't let you go deeper and provide the proper fields 
to choose), but it's possible.

Cheers,
  Jarek

Wishing Carebear wrote:
 Hello:
 I have fact objects with nested objects, for example:
  Employee
  name
  Address
   street
   city
 
 
 Wondering if it is possible to use the Webguided decision table at the
 nested object level (in the above example Address.street)

 Thanks,
 cabear
___
rules-users mailing list
rules-users@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users


Re: [rules-users] CEP Rule Help Needed

2009-07-23 Thread Nestor Tarin Burriel
Yes, that is the purpose ;)

I will try ;)

Thanks for your help

2009/7/22 Greg Barton greg_bar...@yahoo.com


 Ah, overlooked that second rule.  Have you tried the overlap operator?

 So, just to clarify, the purpose of the two rules should be:

 SnortRule: If two Snort events that are not port scans of an open port on
 the same destination arrive more than 5 minutes apart, delete the earlier
 one.

 SnortRuleRetract: If two Snort events that are not port scans of an open
 port on any two destinations arrive within 5 minutes of each other, delete
 the earlier one.

 Have you tried removing the temporal operators completely, just for testing
 purposes?  What happens?  i.e.

 TimelessSnortRule
 $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
 $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id,
 ip_dst == $s1.ip_dst ) from entry-point "Correlator"

 TimelessSnortRuleRetract
 $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
 $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id )
 from entry-point "Correlator"


 --- On Wed, 7/22/09, Nestor Tarin Burriel nesta...@gmail.com wrote:

  From: Nestor Tarin Burriel nesta...@gmail.com
  Subject: Re: [rules-users] CEP Rule Help Needed
  To: Rules Users List rules-users@lists.jboss.org
  Date: Wednesday, July 22, 2009, 1:47 PM
  Thanks Greg,
 
  As you can see in the code I sent, I have the 2
  implementations:
 
  SnortRule
  $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
  $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst,
  this after [5m] $s1 ) from entry-point "Correlator"

  SnortRuleRetract
  $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
  $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id,
  this after [0m,5m] $s1 ) from entry-point "Correlator"

  and neither of them is fired
 
  ...
 
  2009/7/22 Greg Barton greg_bar...@yahoo.com
 
 
 
  Maybe this is a problem of language.  Here's what you say the rule should do:

  'After receiving a fact MyModel whose name != "aaa", if another arrives
  with the same ip and a different id after a period between 0 and 5 minutes,
  the rule has to retract the last one and keep the first fact (the older one)'

  Which I would interpret as: Event 1 comes in, then event 2 comes in between
  0 and 5 minutes later.  Does that sound right?

  And here's the rule that you think fits the requirements:

  rule "SnortRule"
  salience 2
  dialect "mvel"
  when
  $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
  $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst,
  this after [5m] $s1 ) from entry-point "Correlator"
  then
  System.out.println("** Snort Alert " + $s1.getData());
  retract($s1);
  end

  Check out the docs, though:

  https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622

  The after operator in this case would check that
  (5m <= $s2.startTimestamp - $s1.endTimestamp <= +infinity).

  So the rule actually implements: Event 1 comes in, then event 2 happens at
  least 5 minutes later.

  If you use the second argument of after I think it would work:

  $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst,
  this after [0m,5m] $s1 ) from entry-point "Correlator"

  According to the docs this should check that
  (0m <= $s2.startTimestamp - $s1.endTimestamp <= 5m).

  You could alternately use overlaps.  Place an @duration(5m) annotation on the
  Snort declaration and try this condition:

  $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst,
  this overlaps $s1 ) from entry-point "Correlator"


Re: [rules-users] CEP Rule Help Needed

2009-07-23 Thread Nestor Tarin Burriel
Hi again Greg,

I've tried your suggestion and it seems like the facts that the rule is
checking are the same.

This is my last try:

rule "SnortRuleRetract"
dialect "mvel"
when
$s1 : Snort( sig_name != "(portscan) Open Port" )
$s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id )
then
retract($s2);
System.out.println("* Deleting from WM");
end

And it is never fired ...

There are no more rules in the package, this is the only one ... so I don't
understand anything ... could the error be in the engine? I don't retract any
fact ... as you can see in my code ...

NEStor


[rules-users] Problem when using multiple rule files (Drools 5)

2009-07-23 Thread Olaf Raether

Hey,

I have a DRL file with roughly 100 rules. When I run this single file,
everything is fine!

When I split the file into two files and add them separately into the ruleBase,
I get the following exception while inserting the facts:

java.lang.NullPointerException
at org.drools.base.ClassFieldReader.isNullValue(ClassFieldReader.java:183)
at
org.drools.base.evaluators.EqualityEvaluatorsDefinition$IntegerEqualEvaluator.evaluate(EqualityEvaluatorsDefinition.java:1482)
at 
org.drools.rule.LiteralRestriction.isAllowed(LiteralRestriction.java:92)
at
org.drools.rule.OrCompositeRestriction.isAllowed(OrCompositeRestriction.java:25)



The code looks  like this:

RuleBase ruleBase = RuleBaseFactory.newRuleBase();
for (int i = 0; i < rules.length; i++) {
    Package pkg = getPackage(i);
    ruleBase.addPackage(pkg);
}

for (int i = 0; i < facts.length; i++) {
    Object fact = facts[i];
    workingMemory.insert(fact);   // exception here when multiple rule files are used
}


Any ideas ?
-- 
View this message in context: 
http://www.nabble.com/Problem-when-using-multiple-rule-files-%28Drools-5%29-tp24623347p24623347.html
Sent from the drools - user mailing list archive at Nabble.com.



Re: [rules-users] Problem when using multiple rule files (Drools 5)

2009-07-23 Thread Wolfgang Laun
On 7/23/09, Olaf Raether o.raet...@epro.de wrote:

 The code looks  like this:

 RuleBase ruleBase = RuleBaseFactory.newRuleBase();
 for (int i = 0; i < rules.length; i++) {
     Package pkg = getPackage(i);
     ruleBase.addPackage(pkg);
 }


I'd expect to find Package pkg = rules[i]; or similar in the loop.
Anyway, this doesn't tell how the Package objects were created from your two
rules files, which might be significant.

Do you check for package build errors?

-W


 for (int i = 0; i < facts.length; i++) {
     Object fact = facts[i];
     workingMemory.insert(fact);   // exception here when multiple rule files are used
 }




Re: [rules-users] Problem when using multiple rule files (Drools 5)

2009-07-23 Thread Olaf Raether

I create *.pkg file with the following app:

--
import java.io.File;
import java.io.FileOutputStream;
import java.io.InputStreamReader;
import java.io.ObjectOutputStream;
import java.net.URL;

import org.drools.RuleBase;
import org.drools.RuleBaseFactory;
import org.drools.WorkingMemory;
import org.drools.rule.Package;
import org.drools.compiler.PackageBuilder;

public class DroolsPackageWriter {

    String[] fileNames = { "rulefile1", "rulefile2" };

    public void readWritePackages() {

        for (int i = 0; i < fileNames.length; i++) {
            try {

                RuleBase ruleBase = RuleBaseFactory.newRuleBase();
                PackageBuilder builder = new PackageBuilder();

                String ruleFile = fileNames[i] + ".drl";
                System.out.println("Reading: " + ruleFile);

                builder.addPackageFromDrl(new
                    InputStreamReader(DroolsPackageWriter.class.getResourceAsStream(ruleFile)));

                Package pkg = builder.getPackage();
                ruleBase.addPackage(pkg);
                WorkingMemory workingMemory = ruleBase.newStatefulSession();
                workingMemory.fireAllRules();

                URL url = DroolsPackageWriter.class.getResource(ruleFile);
                String file = url.getPath().replaceAll("%20", " ").replaceAll(".drl", ".pkg");
                File f = new File(file);

                // close() flushes the ObjectOutputStream; without it the .pkg can end up truncated
                ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(f));
                pkg.writeExternal(out);
                out.close();
                System.out.println("Written: " + file);
            }
            catch (Exception ex) {
                ex.printStackTrace();
            }
        }
    }

    /**
     * @param args
     */
    public static void main(String[] args) {
        DroolsPackageWriter dpw = new DroolsPackageWriter();
        dpw.readWritePackages();
    }

}
--


In the app where I read the *.pkg files the code looks like this:

---
String[] rules = new String[] { "rule1.pkg", "rule2.pkg" };

RuleBase ruleBase = RuleBaseFactory.newRuleBase();
for (int i = 0; i < rules.length; i++) {
    String ruleFile = rules[i];
    log.debug("Loading file: " + ruleFile);
    Package pkg = new Package();
    ObjectInputStream in = new ObjectInputStream(this.getClass().getResourceAsStream(ruleFile));
    pkg.readExternal(in);
    in.close();
    ruleBase.addPackage(pkg);
}

WorkingMemory workingMemory = ruleBase.newStatefulSession();
setGlobals(workingMemory);

Object[] facts = { /* anything you want */ };
for (int i = 0; i < facts.length; i++) {
    Object fact = facts[i];
    log.debug("Inserting fact: " + fact);
    try {
        workingMemory.insert(fact);
    } catch (NullPointerException npe) {
        System.out.println("NPE for fact: " + fact);
        npe.printStackTrace();
    }
}
workingMemory.fireAllRules();
log.debug("END: runRules()");
}
---

Hope this helps - to help me !






-- 
View this message in context: 
http://www.nabble.com/Problem-when-using-multiple-rule-files-%28Drools-5%29-tp24623347p24623763.html
Sent from the drools - user mailing list archive at Nabble.com.



Re: [rules-users] Problem when using multiple rule files (Drools 5)

2009-07-23 Thread Wolfgang Laun
Consider adapting to the new API using KnowledgeBuilder etc. You can use an
ObjectOutput/InputStream with write/readObject on Collection<KnowledgePackage>,
which simplifies matters somewhat.

See below, two remarks.


On 7/23/09, Olaf Raether o.raet...@epro.de wrote:


 I create *.pkg file with the following app:


 --
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.InputStreamReader;
 import java.io.ObjectOutputStream;
 import java.net.URL;

 import org.drools.RuleBase;
 import org.drools.RuleBaseFactory;
 import org.drools.WorkingMemory;
 import org.drools.rule.Package;
 import org.drools.compiler.PackageBuilder;

 public class DroolsPackageWriter {

 String[] fileNames = { "rulefile1", "rulefile2" };

 public void readWritePackages() {

 for (int i = 0; i < fileNames.length; i++) {
 try {

 RuleBase ruleBase = RuleBaseFactory.newRuleBase();
 PackageBuilder builder = new PackageBuilder();

 String ruleFile = fileNames[i] + ".drl";
 System.out.println("Reading: " + ruleFile);

 builder.addPackageFromDrl(new
 InputStreamReader(DroolsPackageWriter.class.getResourceAsStream(ruleFile)));


Here, call builder.getErrors() or at least builder.hasErrors() and check the
result.




 In the app where I read the *.pkg files the code looks like this:

 ---
 String[] rules = new String[] { "rule1.pkg", "rule2.pkg" };



Above, we had rulefile1, rulefile2?

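As an added example (not code from the thread and not the Drools project's own), here is what Wolfgang's two suggestions look like together on the Drools 5 knowledge API: each DRL file is compiled with a KnowledgeBuilder, a package with build errors is rejected instead of being written out, the compiled Collection<KnowledgePackage> is serialized with a plain ObjectOutputStream, and every .pkg is then loaded into one KnowledgeBase. The class name PackageRoundTrip and the file names rulefile1/rulefile2 are assumptions for the example, as is the rule-count check at the end.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.Collection;

import org.drools.KnowledgeBase;
import org.drools.KnowledgeBaseFactory;
import org.drools.builder.KnowledgeBuilder;
import org.drools.builder.KnowledgeBuilderError;
import org.drools.builder.KnowledgeBuilderFactory;
import org.drools.builder.ResourceType;
import org.drools.definition.KnowledgePackage;
import org.drools.io.ResourceFactory;

/**
 * Compiles each DRL file on its own, refuses to serialize anything that had
 * build errors, and loads all resulting .pkg files into one KnowledgeBase.
 * File names are assumptions taken from the thread (example code).
 */
public class PackageRoundTrip {

    /** Compile one DRL file; a package with build errors is never written out. */
    public static Collection<KnowledgePackage> compile(File drl) {
        KnowledgeBuilder kbuilder = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kbuilder.add(ResourceFactory.newFileResource(drl), ResourceType.DRL);
        if (kbuilder.hasErrors()) {
            StringBuilder msg = new StringBuilder("Build errors in " + drl + ":\n");
            for (KnowledgeBuilderError err : kbuilder.getErrors()) {
                msg.append("  ").append(err.getMessage()).append('\n');
            }
            throw new IllegalStateException(msg.toString());
        }
        return kbuilder.getKnowledgePackages();
    }

    /** Serialize the compiled packages; close() flushes, otherwise the file can be truncated. */
    public static void write(Collection<KnowledgePackage> pkgs, File out) throws IOException {
        ObjectOutputStream oos = new ObjectOutputStream(new FileOutputStream(out));
        try {
            oos.writeObject(pkgs);
        } finally {
            oos.close();
        }
    }

    /**
     * Read a .pkg back. This is ordinary Java deserialization: readObject instantiates
     * whatever classes the stream names, so only load files you produced yourself.
     */
    @SuppressWarnings("unchecked")
    public static Collection<KnowledgePackage> read(File in) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(new FileInputStream(in));
        try {
            return (Collection<KnowledgePackage>) ois.readObject();
        } finally {
            ois.close();
        }
    }

    public static void main(String[] args) throws Exception {
        String[] names = { "rulefile1", "rulefile2" };   // assumed names, as in the thread

        // Writer side: one .pkg per .drl, like the original tool, but failing closed on errors.
        for (String name : names) {
            write(compile(new File(name + ".drl")), new File(name + ".pkg"));
        }

        // Reader side: every .pkg goes into the same KnowledgeBase.
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase();
        for (String name : names) {
            kbase.addKnowledgePackages(read(new File(name + ".pkg")));
        }

        // Sanity check before inserting any facts: each package should report its rules.
        for (KnowledgePackage pkg : kbase.getKnowledgePackages()) {
            System.out.println(pkg.getName() + ": " + pkg.getRules().size() + " rules");
        }
    }
}
```

The original writer never looked at the build result, and the reader caught NullPointerException around each insert and carried on. For a rule base that is supposed to make decisions, a file that failed to compile should stop the build rather than surface later as an exception inside the engine, which is why compile() throws. A .pkg is also an ordinary Java serialization stream, so treat it as code: load only packages you built yourself, from a location an attacker cannot write to.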

Re: [rules-users] CEP Rule Help Needed

2009-07-23 Thread PriyaKathan
Hi

Find attached a working example for a CEP rule with the scenario you stated.
Here I used the pseudo clock.
Hope this helps you to understand it better.

Regards,
Priya



Re: [rules-users] Problem when using multiple rule files (Drools 5)

2009-07-23 Thread Olaf Raether

Thanks so far - I will change the API calls and post my results.

-- 
View this message in context: 
http://www.nabble.com/Problem-when-using-multiple-rule-files-%28Drools-5%29-tp24623347p24626080.html
Sent from the drools - user mailing list archive at Nabble.com.



Re: [rules-users] CEP Rule Help Needed

2009-07-23 Thread Nestor Tarin Burriel
Finally I've solved my problem. It was in the engine:

Looking at the doc, for inserting a new fact into a stream of the working
memory it says:

 ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert();

Which is perfect, but not for my environment ;). I was inserting the events in
different WMs because in each one I did
ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert(myFact); so I
solved it by doing:

myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);

for (Fact a : Facts)
 myWorkingMemoryEP.insert(a);

I don't know if this is the correct use of EntryPoints but it works!

Thanks to everybody especially Greg and Priya :)

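An added example, not code from the thread, from Priya's attachment or from the Drools project, that puts Greg's two readings of after (the unbounded after[5m] versus the bounded after[0m,5m]) together with the pseudo clock Priya mentions and the single session and entry-point handle Nestor ended up using. The Snort event type is declared in DRL with the field names from the thread, both rules are compiled from a string, the session runs in STREAM mode on a pseudo clock, and three constructed alerts are inserted on the same destination 0, 2 and 8 minutes apart: the second lands inside after[0m,5m] and the third inside after[5m], so each rule should match exactly one pair. The package name snort.demo, the rule names, the signature text and the addresses are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.TimeUnit;

import org.drools.KnowledgeBase;
import org.drools.KnowledgeBaseConfiguration;
import org.drools.KnowledgeBaseFactory;
import org.drools.builder.KnowledgeBuilder;
import org.drools.builder.KnowledgeBuilderFactory;
import org.drools.builder.ResourceType;
import org.drools.conf.EventProcessingOption;
import org.drools.definition.type.FactType;
import org.drools.io.ResourceFactory;
import org.drools.runtime.KnowledgeSessionConfiguration;
import org.drools.runtime.StatefulKnowledgeSession;
import org.drools.runtime.conf.ClockTypeOption;
import org.drools.runtime.rule.WorkingMemoryEntryPoint;
import org.drools.time.SessionPseudoClock;

public class SnortWindowDemo {
    // Example DRL: the Snort type is declared here so no Java bean is needed; field names follow the thread.
    static final String DRL =
        "package snort.demo\n" +
        "global java.util.List fired;\n" +
        "declare Snort\n" +
        "    @role( event )\n" +
        "    id : int\n" +
        "    sig_name : String\n" +
        "    ip_dst : String\n" +
        "end\n" +
        // Unbounded form: 5m <= $s2.start - $s1.end <= +infinity
        "rule \"AfterAtLeast5m\"\n" +
        "when\n" +
        "    $s1 : Snort( sig_name != \"(portscan) Open Port\" ) from entry-point \"Correlator\"\n" +
        "    $s2 : Snort( sig_name != \"(portscan) Open Port\", id != $s1.id, ip_dst == $s1.ip_dst,\n" +
        "                 this after[5m] $s1 ) from entry-point \"Correlator\"\n" +
        "then\n" +
        "    fired.add(\"AfterAtLeast5m:\" + $s1.getId() + \"->\" + $s2.getId());\n" +
        "end\n" +
        // Bounded form: 0m <= $s2.start - $s1.end <= 5m; keeps the older alert, drops the newer one
        "rule \"Within5m\"\n" +
        "when\n" +
        "    $s1 : Snort( sig_name != \"(portscan) Open Port\" ) from entry-point \"Correlator\"\n" +
        "    $s2 : Snort( sig_name != \"(portscan) Open Port\", id != $s1.id, ip_dst == $s1.ip_dst,\n" +
        "                 this after[0m,5m] $s1 ) from entry-point \"Correlator\"\n" +
        "then\n" +
        "    fired.add(\"Within5m:\" + $s1.getId() + \"->\" + $s2.getId());\n" +
        "    retract($s2);\n" +
        "end\n";

    /** Builds one constructed alert through the FactType API of the DRL-declared type. */
    static Object alert(FactType type, int id, String sigName, String ipDst) throws Exception {
        Object e = type.newInstance();
        type.set(e, "id", id);
        type.set(e, "sig_name", sigName);
        type.set(e, "ip_dst", ipDst);
        return e;
    }

    public static void main(String[] args) throws Exception {
        KnowledgeBuilder kbuilder = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kbuilder.add(ResourceFactory.newByteArrayResource(DRL.getBytes("UTF-8")), ResourceType.DRL);
        if (kbuilder.hasErrors()) {
            throw new IllegalStateException(kbuilder.getErrors().toString());
        }
        // Temporal operators need STREAM mode; the pseudo clock lets the harness advance time itself.
        KnowledgeBaseConfiguration kbconf = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
        kbconf.setOption(EventProcessingOption.STREAM);
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(kbconf);
        kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());
        KnowledgeSessionConfiguration ksconf = KnowledgeBaseFactory.newKnowledgeSessionConfiguration();
        ksconf.setOption(ClockTypeOption.get("pseudo"));
        StatefulKnowledgeSession ksession = kbase.newStatefulKnowledgeSession(ksconf, KnowledgeBaseFactory.newEnvironment());
        try {
            List<String> fired = new ArrayList<String>();
            ksession.setGlobal("fired", fired);
            SessionPseudoClock clock = ksession.getSessionClock();
            // One session and one entry-point handle for every insert, as in the fix above.
            WorkingMemoryEntryPoint correlator = ksession.getWorkingMemoryEntryPoint("Correlator");
            FactType snort = kbase.getFactType("snort.demo", "Snort");
            correlator.insert(alert(snort, 1, "ET MALWARE beacon", "10.0.0.5"));
            ksession.fireAllRules();
            clock.advanceTime(2, TimeUnit.MINUTES);   // #2 lands 2m after #1: inside [0m,5m]
            correlator.insert(alert(snort, 2, "ET MALWARE beacon", "10.0.0.5"));
            ksession.fireAllRules();
            clock.advanceTime(6, TimeUnit.MINUTES);   // #3 lands 8m after #1: inside [5m,+inf)
            correlator.insert(alert(snort, 3, "ET MALWARE beacon", "10.0.0.5"));
            ksession.fireAllRules();
            System.out.println(fired);
        } finally {
            ksession.dispose();
        }
    }
}
```

Note what the dedup key actually is: $s2 is dropped whenever any non-portscan alert on the same ip_dst arrives within the window, whatever its signature. If the intent is to suppress repeats of the same alert rather than every alert for that host, add sig_name == $s1.sig_name to the $s2 pattern; otherwise a noisy low-value signature on a host will suppress the higher-value alert that follows it within five minutes.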

Re: [rules-users] CEP Rule Help Needed

2009-07-23 Thread Greg Barton

So do you mean this didn't work:

myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);

for (Fact a : Facts)
 ksession.getWorkingMemoryEntryPoint(correlatorName).insert(a);

...but this did?

myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);

for (Fact a : Facts)
 myWorkingMemoryEP.insert(a);


--- On Thu, 7/23/09, Nestor Tarin Burriel nesta...@gmail.com wrote:

 From: Nestor Tarin Burriel nesta...@gmail.com
 Subject: Re: [rules-users] CEP Rule Help Needed
 To: Rules Users List rules-users@lists.jboss.org
 Date: Thursday, July 23, 2009, 9:47 AM
 Finally I've solved my problem. It
 was in the engine:
 
 Looking the doc, for inserting a new fact into a stream of
 the working memory says:
 
  ksession.getWorkingMemoryEntryPoint(MyEntryPoint).insert();
 
 
 Which is perfect but not for my enviroment ;), I was
 inserting the events in differents WM cause in each one I
 did 
 ksession.getWorkingMemoryEntryPoint(MyEntryPoint).insert(myFact);
 so I solved it doing:
 
 
 myWorkingMemoryEP =
 ksession.getWorkingMemoryEntryPoint(correlatorName);
 
 for (Fact a : Facts)
  myWorkingMemoryEP.insert(a);
 
 I dont know if this is the correct use of EntryPoints bu it
 works!
 
 
 Thanks to everybody especially Greg and Priya :)
 
 2009/7/23 PriyaKathan nash.8...@gmail.com
 
 Hi
 
 Find attached  working example for CEP rule with the
 scenario you stated.Here I used Psuedo
 clock.Hope this would help you to understand
 better.
 Regards,
 
 Priya
 
 2009/7/23 Nestor Tarin Burriel
 nesta...@gmail.com
 
 
 Hi again Greg,
 
 I've tried your suggestion and it seems like the facts that the rule is checking are the same.
 
 This is my last try:
 
 rule "SnortRuleRetract"
     dialect "mvel"
     when
         $s1 : Snort( sig_name != "(portscan) Open Port" )
         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id )
     then
         retract($s2);
         System.out.println("* Deleting from WM");
 end
 
 And it is never fired ...
 
 There are no more rules in the package, this is the only one ... so I don't understand anything ... could the error be in the engine? I don't retract any fact ... as you can see in my code ...
 
 
 
 
 NEStor
 
 2009/7/23 Nestor Tarin Burriel
 nesta...@gmail.com
 
 
 
 Yes, that is the purpose ;)
 
 I will try ;)
 
 Thanks 4 your help
 
 2009/7/22 Greg Barton greg_bar...@yahoo.com
 
 
 
 
 
 
 Ah, overlooked that second rule.  Have you tried the overlap operator?
 
 So, just to clarify, the purpose of the two rules should be:
 
 SnortRule: If two Snort events that are not port scans of an open port on the same destination arrive more than 5 minutes apart, delete the earlier one.
 
 SnortRuleRetract: If two Snort events that are not port scans of an open port on any two destinations arrive within 5 minutes of each other, delete the earlier one.
 
 Have you tried removing the temporal operators completely, just for testing purposes?  What happens?  i.e.
 
 TimelessSnortRule
         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst ) from entry-point "Correlator"
 
 TimelessSnortRuleRetract
         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id ) from entry-point "Correlator"
 
 
 
 
 
 --- On Wed, 7/22/09, Nestor Tarin Burriel nesta...@gmail.com
 wrote:
 
 
 
  From: Nestor Tarin Burriel nesta...@gmail.com
  Subject: Re: [rules-users] CEP Rule Help Needed
  To: Rules Users List rules-users@lists.jboss.org
  Date: Wednesday, July 22, 2009, 1:47 PM
  Thanks Greg,
 
  As you can see in the code I sent, I have the 2 implementations:
 
  SnortRule
          $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
          $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point "Correlator"
 
  SnortRuleRetract
          $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point "Correlator"
          $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, this after [0m,5m] $s1 ) from entry-point "Correlator"
 
  and none of them are fired
 
  ...
 
 
 
  2009/7/22 Greg Barton greg_bar...@yahoo.com
 
 
 
 
 
 
 
  Maybe this is a problem of language.  Here's what you say the rule should do:
 
  'After receiving a fact MyModel which name != "aaa", if another arrives with same ip and different id after a period between 0 and 5 minutes the rule has to retract the last one and keep the first fact (the older one)'
 
  Which I would interpret as "Event 1 comes in, then event 2 comes in between 0 and 5 minutes later."  Does that sound 
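Added example, not code from the thread: a minimal Drools 5 harness that loads the SnortRuleRetract rule discussed above (quotes restored, Snort declared as an event), drives it with the pseudo clock Priya mentions, and looks up the Correlator entry point once and reuses it, as in Nestor's fix. The Snort event class, the sample alerts and the package name are constructed for this demo; it assumes the Drools 5 Fusion API (org.drools.* packages) on the classpath.

```java
package demo;                                   // the DRL below imports the nested Snort class from here
import java.util.concurrent.TimeUnit;
import org.drools.*;
import org.drools.builder.*;
import org.drools.conf.EventProcessingOption;
import org.drools.io.ResourceFactory;
import org.drools.runtime.*;
import org.drools.runtime.conf.ClockTypeOption;
import org.drools.runtime.rule.WorkingMemoryEntryPoint;
import org.drools.time.SessionPseudoClock;
public class SnortDedupDemo {
    // Hypothetical event class; property names follow the thread's rule (sig_name -> getSig_name()).
    public static class Snort { private final int id; private final String sig_name;
        public Snort(int id, String sig_name) { this.id = id; this.sig_name = sig_name; }
        public int getId() { return id; } public String getSig_name() { return sig_name; }
    }
    // SnortRuleRetract from the thread with the stripped quotes restored; temporal operators need an event.
    static final String DRL =
        "package demo\n" +
        "import demo.SnortDedupDemo.Snort\n" +
        "declare Snort @role( event ) end\n" +
        "rule \"SnortRuleRetract\"\n" +
        "when\n" +
        "  $s1 : Snort( sig_name != \"(portscan) Open Port\" ) from entry-point \"Correlator\"\n" +
        "  $s2 : Snort( sig_name != \"(portscan) Open Port\", id != $s1.id,\n" +
        "               this after[0m,5m] $s1 ) from entry-point \"Correlator\"\n" +
        "then\n" +
        "  System.out.println(\"retracting duplicate alert id=\" + $s2.getId());\n" +
        "  retract($s2);\n" +
        "end\n";
    public static void main(String[] args) {
        KnowledgeBuilder kb = KnowledgeBuilderFactory.newKnowledgeBuilder();
        kb.add(ResourceFactory.newByteArrayResource(DRL.getBytes()), ResourceType.DRL);
        if (kb.hasErrors()) throw new IllegalStateException(kb.getErrors().toString());
        KnowledgeBaseConfiguration kconf = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
        kconf.setOption(EventProcessingOption.STREAM);       // temporal operators need STREAM mode
        KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(kconf);
        kbase.addKnowledgePackages(kb.getKnowledgePackages());
        KnowledgeSessionConfiguration sconf = KnowledgeBaseFactory.newKnowledgeSessionConfiguration();
        sconf.setOption(ClockTypeOption.get("pseudo"));      // pseudo clock: time advances only on request
        StatefulKnowledgeSession ks = kbase.newStatefulKnowledgeSession(sconf, null);
        SessionPseudoClock clock = ks.getSessionClock();
        WorkingMemoryEntryPoint ep = ks.getWorkingMemoryEntryPoint("Correlator"); // looked up once, reused
        ep.insert(new Snort(1, "ET SCAN Nmap"));             // constructed sample alerts
        clock.advanceTime(2, TimeUnit.MINUTES);
        ep.insert(new Snort(2, "ET SCAN Nmap"));             // 2m after id 1: inside [0m,5m], retracted
        ks.fireAllRules();
        clock.advanceTime(10, TimeUnit.MINUTES);
        ep.insert(new Snort(3, "ET SCAN Nmap"));             // 12m after id 1: outside the window, kept
        ks.fireAllRules();
    }
}
```

In STREAM mode the engine also infers an expiration offset from the temporal constraints and drops events once they can no longer match, so do not rely on the entry point's fact count as a record of historical alerts.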

Re: [rules-users] CEP Rule Help Needed

2009-07-23 Thread Nestor Tarin Burriel
In my case yes...

2009/7/23 Greg Barton greg_bar...@yahoo.com


 So do you mean this didn't work:

 myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);

 for (Fact a : Facts)
  ksession.getWorkingMemoryEntryPoint(correlatorName).insert(a);

 ...but this did?

 myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);

 for (Fact a : Facts)
 myWorkingMemoryEP.insert(a);

