Re: [rules-users] dynamic temporal parameters
Try using DSL:

    [when]temporal EventB=EventB()
    [when]temporal EventA=EventA()
    [when]-after {period:[0-9]+} EventB=this after[{period}d] $eventB

2009/11/17 Mark Proctor mproc...@codehaus.org

Ming Fang wrote:

Is it possible to make temporal parameters dynamic by using bound variables? Example:

    EventA( this after[ $later ] $eventB)

Currently, no.

Mark

--ming

___
rules-users mailing list
rules-users@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
Re: [rules-users] Maintaining DB/Working Memory Synchronization
So, do you mean that for serializing the state of a StatefulKnowledgeSession we must include our rules into a ruleflow? How do you upgrade your KnowledgeBase without losing the WM state?

Please check these issues:

https://jira.jboss.org/jira/browse/JBRULES-1946
https://jira.jboss.org/jira/browse/JBRULES-2278

Nestor

2009/11/7 Andrew Waterman andrew.water...@gmail.com

It can depend on how you want to use working memory as well. If you are working statelessly, you can load objects through some type of transactional framework, insert them into memory (or the ones relevant to you at that moment in time), let Drools evaluate the objects, make changes and then serialize those changes once rules have stopped firing. I do something like this using EJB and JPA.

I've been interested in pushing this into the rules themselves, which I believe is now possible using the JPA support within Drools flow. This might work much better if you were using a stateful and long running working memory process. Even in the event of catastrophic failure, your transactionally serialized changes would still remain in the database. So you could restart and pick up work from where you were last.

You may wish to take a look at the following blog entries:

http://blog.athico.com/2009/03/drools-50-cr1-new-and-noteworthy.html

And the Drools flow documentation.

I'm hoping to move our work in this direction so please do pass on your results; unless I'm completely misunderstanding how one can use flow, expert and JPA together with transactions.

best wishes,
Andrew

On Sat, Nov 7, 2009 at 9:23 AM, ken.p ken.annihilat...@gmail.com wrote:

I am also looking for a similar feature. We can currently use AOP to send events to a stream. However, we have events with relevant duration for days and sometimes weeks. If the server were to restart for maintenance, how do we restore to the same state?

Daniel Miller-9 wrote:

So I hope that someone out here, or many of you, can give me some idea of how you do this.

I have about 20+ entities in my database that I want Drools to know about. Obviously my hope is to apply CEP, rules and processes to these items. However, I feel like I'm missing some type of connection between how Drools recommends keeping my working memory in sync with my database changes. Ideally, I'd love to be able to just update my entities as I have been doing in the database, but have those changes automatically move their way over into the working memory. How do any of you recommend I accomplish this?

Thanks in advance for any suggestions.

Dan Miller
Re: [rules-users] Serialization of the StatefullKnowledgeSession
Hi Nair,

I tried this (see the last comment):

https://jira.jboss.org/jira/browse/JBRULES-1946

The issue is closed, but it still throws me that exception. Try it and check if it works in your environment, and feed me back please!

Cheers,
Nestor

2009/10/30 Nair, Mahesh mahesh.n...@qwest.com

Hi,

I am trying to implement one Drools rule flow based feature in my application. My application consists of a Struts2 application as well as an RCP desktop application as its client. We are using a StatefulKnowledgeSession which we want to keep around in the HTTP session because it will be used by multiple requests during a user session. But the StatefulKnowledgeSession is not serializable and hence if I keep it in my HTTP session it will affect the session replication.

I am sure some of you have already faced this issue so I was interested to know some of the approaches you took to overcome this hurdle. One of the approaches we are thinking about is to use the org.drools.marshalling.Marshaller to do the marshalling, get a byte array output, place it inside the session and unmarshal that later. Is this a valid approach?

Thanks
mahesh
Re: [rules-users] sliding time in lhs
Did you try setting the attribute @expires(1d) ?

2009/8/31 Francesco Chiarelli chiarelli.france...@gmail.com

Hi!

I'm new to using drools-fusion. I have the following LHS condition in a rule:

    $o: Order(status!=EU_C_R1_INIT)
    SystemConfig(value:value) from hbnSession.createQuery(from SystemConfig where name=:name).setString(name,nRicMax).uniqueResult()
    $nRic : Number(intValue value) from accumulate($n: Order(this==$o) over window:time(1d),count($n))

Data:

1) Order 1 date 28 aug 2009 EU_C_INIT
2) Order 1 date 31 aug 2009 EU_A_INIT
3) Order 1 date 31 aug 2009 EU_B_INIT
4) Order 1 date 30 aug 2009 EU_B_INIT
5) Order 1 date 28 aug 2009 EU_A_INIT
6) Order 1 date 01 aug 2009 EU_A_INIT
7) Order 1 date 28 aug 2009 EU_C_INIT
8) Order 1 date 28 aug 2009 EU_C_INIT

Only the first condition is verified [ Order(status!=EU_C_R1_INIT) ] although there are facts that verify [ Order(this==$o) over window:time(24h) ].

There are n-k facts that don't verify a previous condition but they are counted too: I expect Drools to count 2-3-4, but it also counts 5-6-7. I'm confused.

P.S. I did set stream mode, I had set a timestamp attribute in the event fact @timestamp(myTimestampLong), and I tried with the pseudo clock (making it advance for new Date().getTime() or at origin, therefore 01 jan 1970 [without event @timestamp attribute]).

Regards
Francesco
Re: [rules-users] Adding rules at runtime
Hi Justin,

Try this:

    KnowledgeBuilder kbuilder = KnowledgeBuilderFactory.newKnowledgeBuilder();
    Resource resource = ResourceFactory.newClassPathResource("MyDrl.drl", MyClass.class);
    kbuilder.add(resource, ResourceType.DRL);
    KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase();
    kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());

Hope to help,
Nestor

2009/8/27 Justin King justin.matthew.k...@gmail.com

Anyone at all? I still haven't found a way to do this.

On Tue, Aug 25, 2009 at 11:03 AM, Justin King justin.matthew.k...@gmail.com wrote:

Hi Everyone,

I found an old example that shows how to add a rule at runtime:

    function void addRule(String pkgName, String rule, RuleBase ruleBase ) {
        PackageBuilder builder = new PackageBuilder();
        builder.addPackageFromDrl( new StringReader( rule ) );
        ruleBase.addPackage ( builder.getPackage() );
    }

I'm trying to do a similar thing with Drools 5 but things seem to have changed. What I want is to add a rule (just as a string) to an already existing set of rules I've loaded from a drl file (the new rule does not have to be saved to the actual file though). I see KnowledgeBase has a remove rule method but no add rule.

I should also note that the set of rules I wish to add to is already executing (as in I've called fireUntilHalt()). I hope this won't make a difference.

Thanks in advance for any help, this mailing list saves me every time!

Cheers,
Justin
Re: [rules-users] CEP Rule Help Needed
Yes, that is the purpose ;)

I will try ;)

Thanks 4 your help

2009/7/22 Greg Barton greg_bar...@yahoo.com

Ah, overlooked that second rule. Have you tried the overlap operator?

So, just to clarify, the purpose of the two rules should be:

SnortRule: If two Snort events that are not port scans of an open port on the same destination arrive more than 5 minutes apart, delete the earlier one.

SnortRuleRetract: If two Snort events that are not port scans of an open port on any two destinations arrive within 5 minutes of each other, delete the earlier one.

Have you tried removing the temporal operators completely, just for testing purposes? What happens? i.e.

TimelessSnortRule

    $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point Correlator
    $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst) from entry-point Correlator

TimelessSnortRuleRetract

    $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point Correlator
    $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id) from entry-point Correlator

--- On Wed, 7/22/09, Nestor Tarin Burriel nesta...@gmail.com wrote:

From: Nestor Tarin Burriel nesta...@gmail.com
Subject: Re: [rules-users] CEP Rule Help Needed
To: Rules Users List rules-users@lists.jboss.org
Date: Wednesday, July 22, 2009, 1:47 PM

Thanks Greg,

As you can see in the code I sent, I have the 2 implementations:

SnortRule

    $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point Correlator
    $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point Correlator

SnortRuleRetract

    $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point Correlator
    $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point Correlator

and any of them are thrown ...

2009/7/22 Greg Barton greg_bar...@yahoo.com

Maybe this is a problem of language. Here's what you say the rule should do:

'After receiving a fact MyModel which name != aaa, if arrives another with same ip and different id after a period between 0 and 5 minutes the rule have to retract the last one and keep the first fact (the older one)'

Which I would interpret as "Event 1 comes in, then event 2 comes in between 0 and 5 minutes later." Does that sound right?

And here's the rule that you think fits the requirements:

    rule SnortRule
        salience 2
        dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point Correlator
        $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point Correlator
    then
        System.out.println("** Snort Alert " + $s1.getData());
        retract($s1);
    end

Check out the docs, though:

https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622

The after operator in this case would check that (5m <= $s2.startTimestamp - $s1.endTimeStamp <= +infinity). So the rule actually implements "Event 1 comes in, then event 2 happens at least 5 minutes later."

If you use the second argument of after I think it would work:

    $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1) from entry-point Correlator

According to the docs this should check that (0m <= $s2.startTimestamp - $s1.endTimeStamp <= 5m).

You could alternately use overlaps. Place an @duration(5m) annotation on the Snort declaration and try this condition:

    $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1) from entry-point Correlator
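
Added example (not part of the original thread, and not Drools code): a small Python model of the range check quoted in the message above for the after operator, run over constructed Snort events. It compares after[5m], after[0m,5m] without the ip_dst constraint (as in SnortRuleRetract), and the keep-the-older behaviour described in the original question; the Snort class, the event values and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

MINUTE = 60                          # all timestamps are in seconds
INF = float("inf")
PORTSCAN = "(portscan) Open Port"    # signature the thread's rules exclude


@dataclass(frozen=True)
class Snort:
    """Hypothetical stand-in for the Snort event fact declared in the thread."""
    id: int
    sig_name: str
    ip_dst: str
    ts: int             # start timestamp
    duration: int = 0   # 0 = point event

    @property
    def end(self) -> int:
        return self.ts + self.duration


def after(later: Snort, earlier: Snort, lo: float, hi: float = INF) -> bool:
    """`later after[lo,hi] earlier`: lo <= later.start - earlier.end <= hi.
    With one parameter, as in after[5m], the upper bound is +infinity."""
    return lo <= later.ts - earlier.end <= hi


def matches(events: List[Snort], lo: float, hi: float = INF,
            same_dst: bool = True) -> List[Tuple[int, int]]:
    """Return every ($s1.id, $s2.id) pair that satisfies the two-pattern condition."""
    pairs = []
    for s1 in events:
        for s2 in events:
            if s1.id == s2.id or PORTSCAN in (s1.sig_name, s2.sig_name):
                continue
            if same_dst and s1.ip_dst != s2.ip_dst:
                continue
            if after(s2, s1, lo, hi):
                pairs.append((s1.id, s2.id))
    return pairs


def suppress_repeats(events: List[Snort], window: int = 5 * MINUTE):
    """Scenario from the original question: keep the older event and drop a later
    one for the same destination that arrives 0..window after a kept event.
    A dropped event never acts as $s1 afterwards, as after retract($s2)."""
    kept, dropped = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        repeat = ev.sig_name != PORTSCAN and any(
            k.sig_name != PORTSCAN and k.ip_dst == ev.ip_dst
            and after(ev, k, 0, window)
            for k in kept)
        (dropped if repeat else kept).append(ev)
    return [e.id for e in kept], [e.id for e in dropped]


# Constructed sample events (documentation addresses, made-up signature names).
EVENTS = [
    Snort(1, "SAMPLE sig A", "192.0.2.10", 0 * MINUTE),
    Snort(2, "SAMPLE sig A", "192.0.2.10", 2 * MINUTE),
    Snort(3, PORTSCAN,       "192.0.2.10", 3 * MINUTE),
    Snort(4, "SAMPLE sig B", "192.0.2.20", 4 * MINUTE),
    Snort(5, "SAMPLE sig A", "192.0.2.10", 9 * MINUTE),
]

if __name__ == "__main__":
    print("after[5m], same ip_dst    :", matches(EVENTS, 5 * MINUTE))
    print("after[0m,5m], any ip_dst  :", matches(EVENTS, 0, 5 * MINUTE, same_dst=False))
    print("after[0m,5m], same ip_dst :", matches(EVENTS, 0, 5 * MINUTE))
    print("kept / dropped            :", suppress_repeats(EVENTS))
```

In this model the pair (4, 5) matches after[0m,5m] because the bounds are inclusive (the gap is exactly 5 minutes), and it only appears when the ip_dst constraint is left out.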
Re: [rules-users] CEP Rule Help Needed
Hi again Greg,

I've tried your suggestion and it seems like the facts that the rule is checking are the same. This is my last try:

    rule SnortRuleRetract
        dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port")
        $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id)
    then
        retract($s2);
        System.out.println(" * Deleting from WM");
    end

And is never fired ...

There are no more rules in the package, this is the only one ... so I don't understand anything ... could be the error in the engine? I don't retract any fact ... as you can see in my code ...

NEStor
Re: [rules-users] CEP Rule Help Needed
Finally I've solved my problem. It was in the engine:

Looking at the doc, for inserting a new fact into a stream of the working memory it says:

    ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert();

Which is perfect but not for my environment ;), I was inserting the events in different WMs because in each one I did

    ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert(myFact);

so I solved it doing:

    myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
    for (Fact a : Facts)
        myWorkingMemoryEP.insert(a);

I don't know if this is the correct use of EntryPoints but it works!

Thanks to everybody, especially Greg and Priya :)

2009/7/23 PriyaKathan nash.8...@gmail.com

Hi

Find attached a working example for a CEP rule with the scenario you stated. Here I used the Pseudo clock. Hope this would help you to understand better.

Regards,
Priya
Re: [rules-users] CEP Rule Help Needed
In my case yes...

2009/7/23 Greg Barton greg_bar...@yahoo.com

So do you mean this didn't work:

    myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
    for (Fact a : Facts)
        ksession.getWorkingMemoryEntryPoint(correlatorName).insert(a);

...but this did?

    myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
    for (Fact a : Facts)
        myWorkingMemoryEP.insert(a);
Re: [rules-users] CEP Rule Help Needed
Hi Edson,

Thanks for the fix, but the problem still happens :(

Here my complete .drl file:

    package ArgosCorrelator

    global com.s2grupo.triton.global.Context Context

    declare MyFact
        @role( event )
        id: java.lang.Long
        ip: String
    end

    rule Rule1
        salience 2
        dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point ArgosCorrelator
        $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point ArgosCorrelator
    then
        System.out.println("** Evento Snort Ejecutado " + $s1.getData());
        retract($s1);
    end

    rule SnortRuleRetract
        salience 1
        dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point ArgosCorrelator
        $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point ArgosCorrelator
    then
        retract($s2);
        System.out.println(" * Evento Snort Eliminado de la WM");
    end

    rule SnortRule0
        salience 0
        dialect "mvel"
    when
        $s1 : Snort( this.sig_name != "(portscan) Open Port") from entry-point ArgosCorrelator
    then
        System.out.println("* Alerta Snort 0!! " + $s1.getData());
    end

2009/7/21 Edson Tirelli tire...@post.com

Your rule is wrong, as you are defining 3 patterns and the second pattern is looking for a fact in the main entry point, not your defined MyEntryPoint. Fix it doing:

    $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after [0m,5m] $s1) from entry-point MyEntryPoint

[]s
Edson

2009/7/21 nestabur nesta...@gmail.com

Hi all,

I'm getting crazy trying to create a CEP rule in Drools 5.0.1 :(

The rule is:

    ===
    rule RetractOlderFacts
        dialect "mvel"
    when
        $s1 : MyModel( name != "aaa") from entry-point MyEntryPoint
        $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1) and MyModel ( this after [0m,5m] $s1) from entry-point MyEntryPoint
    then
        retract($s2);
        System.out.println(" * Retracting from WM");
    end
    ===

The scenario is: After receiving a fact MyModel which name != aaa, if arrives another with same ip and different id after a period between 0 and 5 minutes the rule have to retract the last one and keep the first fact (the older one)

After receiving hundred and hundred of facts via JMS that may match with the rule condition, the rule never throws!

Is the rule correct? Could the problem be at the rule engine implementation?

Could anyone help me please?

Thanks in advance,
nestabur
Re: [rules-users] CEP Rule Help Needed
Hi Edson,

Thanks for the fix, but the problem still happens :(

Here my complete .drl file:

    package Correlator

    global com.s2grupo.triton.global.Context Context

    declare Snort
        @role( event )
        icmp_code: String
        tcp_sport: String
        data: String
        sig_rev: String
        tcp_dport: String
        udp_sport: String
        hostname: String
        interface: String
        sig_priority: String
        icmp_type: String
        id: java.lang.Long
        sig_class_name: String
        ip_dst: String
        sig_name: String
        udp_dport: String
        ip_src: String
        event_date: java.util.Date
    end

    rule SnortRule
        salience 2
        dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point Correlator
        $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point Correlator
    then
        System.out.println("** Snort Alert " + $s1.getData());
        retract($s1);
    end

    rule SnortRuleRetract
        salience 1
        dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point Correlator
        $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point Correlator
    then
        retract($s2);
        System.out.println(" * Deleting Fact From WM");
    end

    rule SnortRule0
        salience 0
        dialect "mvel"
    when
        $s1 : Snort( this.sig_name != "(portscan) Open Port") from entry-point Correlator
    then
        System.out.println("* Snort Alert 0!! " + $s1.getData());
    end

As you can see, I'm trying to correlate Snort events with Drools. With this scenario, the only rule that is firing is SnortRule0
Re: [rules-users] CEP Rule Help Needed
Hi again,

Here is the info from my engine execution:

    KnowledgeBaseConfiguration config = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
    config.setOption( EventProcessingOption.STREAM );
    KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(config);
    kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());
    SessionConfiguration sessionConf = new SessionConfiguration();
    sessionConf.setClockType(ClockType.REALTIME_CLOCK);
    ksession = kbase.newStatefulKnowledgeSession( sessionConf, env);

And here is the inserting method:

    ksession.getWorkingMemoryEntryPoint("Correlator").insert(fact);
    ksession.fireAllRules();

So I don't understand why my CEP rules never fires ...

Thanks again,
nestabur
Re: [rules-users] CEP Rule Help Needed
Yes, :( Did you see some errors at the rule?

2009/7/22 Greg Barton greg_bar...@yahoo.com

> --- On Wed, 7/22/09, Nestor Tarin Burriel nesta...@gmail.com wrote:
>
>> So I don't understand why my CEP rules never fires ...
>
> Ah, the eternal lament of the rules developer. :) Have you tried removing conditions until it does fire?
Re: [rules-users] CEP Rule Help Needed
Thanks Greg,

As you can see in the code I sent, I have the 2 implementations:

SnortRule

    $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point Correlator
    $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point Correlator

SnortRuleRetract

    $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point Correlator
    $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, this after [0m,5m] $s1 ) from entry-point Correlator

and any of them are thrown ...

2009/7/22 Greg Barton greg_bar...@yahoo.com

> Maybe this is a problem of language. Here's what you say the rule should do:
>
> 'After receiving a fact MyModel which name != aaa, if arrives another with same ip and different id after a period between 0 and 5 minutes the rule have to retract the last one and keep the first fact (the older one)'
>
> Which I would interpret as "Event 1 comes in, then event 2 comes in between 0 and 5 minutes later." Does that sound right?
>
> And here's the rule that you think fits the requirements:
>
>     rule SnortRule
>         salience 2
>         dialect "mvel"
>     when
>         $s1 : Snort( sig_name != "(portscan) Open Port" ) from entry-point Correlator
>         $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1 ) from entry-point Correlator
>     then
>         System.out.println("** Snort Alert " + $s1.getData());
>         retract($s1);
>     end
>
> Check out the docs, though:
> https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
>
> The after operator in this case would check that (5m <= $s2.startTimestamp - $s1.endTimeStamp <= +infinity). So the rule actually implements "Event 1 comes in, then event 2 happens at least 5 minutes later."
>
> If you use the second argument of after I think it would work:
>
>     $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1 ) from entry-point Correlator
>
> According to the docs this should check that (0m <= $s2.startTimestamp - $s1.endTimeStamp <= 5m).
>
> You could alternately use overlaps. Place an @duration(5m) annotation on the Snort declaration and try this condition:
>
>     $s2 : Snort( sig_name != "(portscan) Open Port", id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1 ) from entry-point Correlator
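The interval check described in the message above, as an added Python example that is neither code from the thread nor Drools itself: it applies lower <= s2.start - s1.end <= upper to Snort-style alerts so the difference between after[5m] and after[0m,5m] can be seen on data. The field names follow the declared Snort type; the helper names and the sample alerts are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
NOISE = "(portscan) Open Port"  # signature the thread's rules exclude

def parse_span(text):
    """Turn a duration such as '5m' or '3m30s' into a timedelta."""
    text = text.strip()
    parts = re.findall(r"(\d+)([dhms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=sum(int(n) * UNITS[u] for n, u in parts))

def after(params, later, earlier):
    """lower <= later.start - earlier.end <= upper; one parameter means no upper bound."""
    bounds = [parse_span(p) for p in params.split(",")]
    upper = bounds[1] if len(bounds) > 1 else timedelta.max
    return bounds[0] <= later["start"] - earlier["end"] <= upper

def correlate(events, params):
    """Return (s1.id, s2.id) pairs that satisfy the rule's constraints."""
    hits = []
    for s1 in events:
        for s2 in events:
            if (NOISE not in (s1["sig_name"], s2["sig_name"])
                    and s1["id"] != s2["id"]
                    and s1["ip_dst"] == s2["ip_dst"]
                    and after(params, s2, s1)):
                hits.append((s1["id"], s2["id"]))
    return hits

def event(id_, ip_dst, sig_name, hhmm):
    """Constructed point event: start and end share one timestamp."""
    ts = datetime.strptime("2009-07-22 " + hhmm, "%Y-%m-%d %H:%M")
    return {"id": id_, "ip_dst": ip_dst, "sig_name": sig_name, "start": ts, "end": ts}

# Constructed sample alerts, not taken from the thread.
EVENTS = [
    event(1, "10.0.0.5", "ICMP PING", "12:00"),
    event(2, "10.0.0.5", "ICMP PING", "12:02"),
    event(3, "10.0.0.5", "ICMP PING", "12:09"),
    event(4, "10.0.0.9", "ICMP PING", "12:01"),
    event(5, "10.0.0.5", NOISE, "12:03"),
]

if __name__ == "__main__":
    print("after[5m]   :", correlate(EVENTS, "5m"))
    print("after[0m,5m]:", correlate(EVENTS, "0m,5m"))
```

With these alerts, after[5m] pairs only alerts to the same destination that are at least five minutes apart, while after[0m,5m] pairs alerts 1 and 2, which are two minutes apart.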
Re: [rules-users] Creating fact instance programatically
Yes,

If I put a non-existent package and type, the method getFactType returns me null value, but if I put the correct package and type it throws that error.

Thanks,
NEStor

2009/3/8 Michal Bali michalb...@gmail.com

> your factTypeName should consist of package name + type name, for example: com.mycompany.Account
>
> On Sun, Mar 8, 2009 at 7:02 PM, nestabur nesta...@gmail.com wrote:
>
>> Hi all,
>>
>> I'm trying to create a fact programmatically like this:
>>
>>     FactType myfact = package.getFactType(factTypeName);
>>     Object myPojo = myfact.newInstance();
>>
>> An error occurs when calling the method getFactType, here is my stack trace:
>>
>>     36267-1236185246849-0:0:1:1 Exception while processing message: java.lang.StringIndexOutOfBoundsException: String index out of range: -1
>>     java.lang.StringIndexOutOfBoundsException: String index out of range: -1
>>         at java.lang.String.substring(String.java:1938)
>>         at java.lang.String.substring(String.java:1905)
>>         at org.drools.rule.Package.getFactType(Package.java:552)
>>
>> My drools version is 5.0.0.M5
>>
>> Any suggestion?
>>
>> --
>> View this message in context: http://www.nabble.com/Creating-fact-instance-programatically-tp22334399p22334399.html
>> Sent from the drools - user mailing list archive at Nabble.com.