Re: [rules-users] CEP Rule Help Needed
Hi all again,

At the end I have my rules firing as expected :) I had to add the expires() attribute at the model, otherwise my facts were immediately retracted by the engine.

Thanks to all ;)

NEStor

2009/7/23 Nestor Tarin Burriel
> In my case yes...
Re: [rules-users] CEP Rule Help Needed
In my case yes...

2009/7/23 Greg Barton
> So do you mean this didn't work:
>
>     myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
>
>     for (Fact a : Facts)
>         ksession.getWorkingMemoryEntryPoint(correlatorName).insert(a);
>
> ...but this did?
>
>     myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
>
>     for (Fact a : Facts)
>         myWorkingMemoryEP.insert(a);
Re: [rules-users] CEP Rule Help Needed
So do you mean this didn't work:

    myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);

    for (Fact a : Facts)
        ksession.getWorkingMemoryEntryPoint(correlatorName).insert(a);

...but this did?

    myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);

    for (Fact a : Facts)
        myWorkingMemoryEP.insert(a);

--- On Thu, 7/23/09, Nestor Tarin Burriel wrote:

> From: Nestor Tarin Burriel
> Subject: Re: [rules-users] CEP Rule Help Needed
> To: "Rules Users List"
> Date: Thursday, July 23, 2009, 9:47 AM
Re: [rules-users] CEP Rule Help Needed
Finally I've solved my problem. It was in the engine:

Looking at the doc, for inserting a new fact into a stream of the working memory it says:

    ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert();

Which is perfect but not for my environment ;), I was inserting the events in different WMs because in each one I did

    ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert(myFact);

so I solved it doing:

    myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);

    for (Fact a : Facts)
        myWorkingMemoryEP.insert(a);

I don't know if this is the correct use of EntryPoints but it works!

Thanks to everybody especially Greg and Priya :)

2009/7/23 PriyaKathan
Re: [rules-users] CEP Rule Help Needed
Hi

Find attached working example for CEP rule with the scenario you stated. Here I used Pseudo clock. Hope this would help you to understand better.

Regards,
Priya

2009/7/23 Nestor Tarin Burriel
Re: [rules-users] CEP Rule Help Needed
Hi again Greg,

I've tried your suggestion and it seems like the facts that the rule is checking are the same.

This is my last try:

    rule "SnortRuleRetract"
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port")
        $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id)
    then
        retract($s2);
        System.out.println(" * Deleting from WM");
    end

And it is never fired ...

There are no more rules in the package, this is the only one ... so I don't understand anything ... could the error be in the engine? I don't retract any fact ... as you can see in my code ...

NEStor

2009/7/23 Nestor Tarin Burriel
Re: [rules-users] CEP Rule Help Needed
Yes, that is the purpose ;)

I will try ;)

Thanks 4 your help

2009/7/22 Greg Barton
Re: [rules-users] CEP Rule Help Needed
Without @timestamp the event time is the insertion time.

--- On Thu, 7/23/09, PriyaKathan wrote:

> From: PriyaKathan
> Subject: Re: [rules-users] CEP Rule Help Needed
> To: "Rules Users List"
> Date: Thursday, July 23, 2009, 12:37 AM
> Hi,
> I found one thing missing here... It is @timestamp in event declaration...

___
rules-users mailing list
rules-users@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/rules-users
Re: [rules-users] CEP Rule Help Needed
Hi,

I found one thing missing here... It is @timestamp in event declaration...

On Thu, Jul 23, 2009 at 1:06 AM, Greg Barton wrote:
Re: [rules-users] CEP Rule Help Needed
Ah, overlooked that second rule. Have you tried the overlap operator?

So, just to clarify, the purpose of the two rules should be:

SnortRule: If two Snort events that are not port scans of an open port on the same destination arrive more than 5 minutes apart, delete the earlier one.

SnortRuleRetract: If two Snort events that are not port scans of an open port on any two destinations arrive within 5 minutes of each other, delete the earlier one.

Have you tried removing the temporal operators completely, just for testing purposes? What happens? i.e.

    "TimelessSnortRule"
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst) from entry-point "Correlator"

    "TimelessSnortRuleRetract"
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id) from entry-point "Correlator"

--- On Wed, 7/22/09, Nestor Tarin Burriel wrote:

> From: Nestor Tarin Burriel
> Subject: Re: [rules-users] CEP Rule Help Needed
> To: "Rules Users List"
> Date: Wednesday, July 22, 2009, 1:47 PM
>
> 2009/7/22 Greg Barton
>
> > Maybe this is a problem of language. Here's what you say the rule should do:
> >
> > 'After receiving a fact "MyModel" which name != "aaa", if arrives another with same ip and different id after a period between 0 and 5 minutes the rule have to retract the last one and keep the first fact (the older one)'
> >
> > Which I would interpret as "Event 1 comes in, then event 2 comes in between 0 and 5 minutes later." Does that sound right?
> >
> > And here's the rule that you think fits the requirements:
> >
> >     rule "SnortRule"
> >         salience 2
> >         dialect "mvel"
> >     when
> >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
> >         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
> >     then
> >         System.out.println("** Snort Alert" + $s1.getData());
> >         retract($s1);
> >     end
> >
> > Check out the docs, though:
> >
> > https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
> >
> > The after operator in this case would check that (5m <= $s2.startTimestamp - $s1.endTimeStamp <= +infinity).
> >
> > So the rule actually implements "Event 1 comes in, then event 2 happens at least 5 minutes later."
> >
> > If you use the second argument of after I think it would work:
> >
> >     $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1) from entry-point "Correlator"
> >
> > According to the docs this should check that (0m <= $s2.startTimestamp - $s1.endTimeStamp <= 5m).
> >
> > You could alternately use "overlaps". Place an @duration(5m) annotation on the Snort declaration and try this condition:
> >
> >     $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1) from entry-point "Correlator"
Re: [rules-users] CEP Rule Help Needed
Thanks Greg,

As you can see in the code I sent, I have the 2 implementations:

"SnortRule"
$s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
$s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"

"SnortRuleRetract"
$s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
$s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"

and none of them is thrown ...

2009/7/22 Greg Barton

> Maybe this is a problem of language. Here's what you say the rule should do:
>
> 'After receiving a fact "MyModel" whose name != "aaa", if another arrives with the same ip and a different id after a period between 0 and 5 minutes, the rule has to retract the last one and keep the first fact (the older one)'
>
> Which I would interpret as "Event 1 comes in, then event 2 comes in between 0 and 5 minutes later." Does that sound right?
>
> And here's the rule that you think fits the requirements:
>
> rule "SnortRule"
>     salience 2
>     dialect "mvel"
>     when
>         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
>     then
>         System.out.println("** Snort Alert" + $s1.getData());
>         retract($s1);
> end
>
> Check out the docs, though:
>
> https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
>
> The after operator in this case would check that (5m <= $s2.startTimestamp - $s1.endTimeStamp <= +infinity).
>
> So the rule actually implements "Event 1 comes in, then event 2 happens at least 5 minutes later."
>
> If you use the second argument of after I think it would work:
>
> $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1) from entry-point "Correlator"
>
> According to the docs this should check that (0m <= $s2.startTimestamp - $s1.endTimeStamp <= 5m).
>
> You could alternately use "overlaps". Place an @duration(5m) annotation on the Snort declaration and try this condition:
>
> $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1) from entry-point "Correlator"
Re: [rules-users] CEP Rule Help Needed
Maybe this is a problem of language. Here's what you say the rule should do:

'After receiving a fact "MyModel" whose name != "aaa", if another arrives with the same ip and a different id after a period between 0 and 5 minutes, the rule has to retract the last one and keep the first fact (the older one)'

Which I would interpret as "Event 1 comes in, then event 2 comes in between 0 and 5 minutes later." Does that sound right?

And here's the rule that you think fits the requirements:

rule "SnortRule"
    salience 2
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
    then
        System.out.println("** Snort Alert" + $s1.getData());
        retract($s1);
end

Check out the docs, though:

https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622

The after operator in this case would check that (5m <= $s2.startTimestamp - $s1.endTimeStamp <= +infinity).

So the rule actually implements "Event 1 comes in, then event 2 happens at least 5 minutes later."

If you use the second argument of after I think it would work:

$s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1) from entry-point "Correlator"

According to the docs this should check that (0m <= $s2.startTimestamp - $s1.endTimeStamp <= 5m).

You could alternately use "overlaps". Place an @duration(5m) annotation on the Snort declaration and try this condition:

$s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1) from entry-point "Correlator"
Re: [rules-users] CEP Rule Help Needed
Yes, :( Did you see any errors in the rule?

2009/7/22 Greg Barton

> --- On Wed, 7/22/09, Nestor Tarin Burriel wrote:
>
> > So I don't understand why my CEP rules never fire ...
>
> Ah, the eternal lament of the rules developer. :)
>
> Have you tried removing conditions until it does fire?
Re: [rules-users] CEP Rule Help Needed
--- On Wed, 7/22/09, Nestor Tarin Burriel wrote:

> So I don't understand why my CEP rules never fire ...

Ah, the eternal lament of the rules developer. :)

Have you tried removing conditions until it does fire?
Re: [rules-users] CEP Rule Help Needed
Hi again,

Here is the info from my engine execution:

KnowledgeBaseConfiguration config = KnowledgeBaseFactory.newKnowledgeBaseConfiguration();
config.setOption( EventProcessingOption.STREAM );
KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(config);
kbase.addKnowledgePackages(kbuilder.getKnowledgePackages());

SessionConfiguration sessionConf = new SessionConfiguration();
sessionConf.setClockType(ClockType.REALTIME_CLOCK);
ksession = kbase.newStatefulKnowledgeSession( sessionConf, env);

And here the inserting method:

ksession.getWorkingMemoryEntryPoint("Correlator").insert(fact);
ksession.fireAllRules();

So I don't understand why my CEP rules never fire ...

Thanks again,
nestabur

2009/7/22 Nestor Tarin Burriel

> Hi Edson,
>
> Thanks for the fix, but the problem still happens :(
>
> Here is my complete .drl file:
>
> package Correlator
> global com.s2grupo.triton.global.Context Context
>
> declare Snort
>     @role( event )
>     icmp_code: String
>     tcp_sport: String
>     data: String
>     sig_rev: String
>     tcp_dport: String
>     udp_sport: String
>     hostname: String
>     interface: String
>     sig_priority: String
>     icmp_type: String
>     id: java.lang.Long
>     sig_class_name: String
>     ip_dst: String
>     sig_name: String
>     udp_dport: String
>     ip_src: String
>     event_date: java.util.Date
> end
>
> rule "SnortRule"
>     salience 2
>     dialect "mvel"
>     when
>         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
>     then
>         System.out.println("** Snort Alert" + $s1.getData());
>         retract($s1);
> end
>
> rule "SnortRuleRetract"
>     salience 1
>     dialect "mvel"
>     when
>         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>         $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"
>     then
>         retract($s2);
>         System.out.println(" * Deleting Fact From WM");
> end
>
> rule "SnortRule0"
>     salience 0
>     dialect "mvel"
>     when
>         $s1 : Snort( this.sig_name != "(portscan) Open Port") from entry-point "Correlator"
>     then
>         System.out.println("* Snort Alert 0!!" + $s1.getData());
> end
>
> As you can see, I'm trying to correlate snort events with drools.
>
> With this scenario, the only rule that is firing is "SnortRule0"
>
> 2009/7/21 Edson Tirelli
Re: [rules-users] CEP Rule Help Needed
Hi Edson,

Thanks for the fix, but the problem still happens :(

Here is my complete .drl file:

package Correlator
global com.s2grupo.triton.global.Context Context

declare Snort
    @role( event )
    icmp_code: String
    tcp_sport: String
    data: String
    sig_rev: String
    tcp_dport: String
    udp_sport: String
    hostname: String
    interface: String
    sig_priority: String
    icmp_type: String
    id: java.lang.Long
    sig_class_name: String
    ip_dst: String
    sig_name: String
    udp_dport: String
    ip_src: String
    event_date: java.util.Date
end

rule "SnortRule"
    salience 2
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
    then
        System.out.println("** Snort Alert" + $s1.getData());
        retract($s1);
end

rule "SnortRuleRetract"
    salience 1
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
        $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"
    then
        retract($s2);
        System.out.println(" * Deleting Fact From WM");
end

rule "SnortRule0"
    salience 0
    dialect "mvel"
    when
        $s1 : Snort( this.sig_name != "(portscan) Open Port") from entry-point "Correlator"
    then
        System.out.println("* Snort Alert 0!!" + $s1.getData());
end

As you can see, I'm trying to correlate snort events with drools.

With this scenario, the only rule that is firing is "SnortRule0"

2009/7/21 Edson Tirelli

> Your rule is wrong, as you are defining 3 patterns and the second pattern is looking for a fact in the main entry point, not your defined "MyEntryPoint".
> Fix it by doing:
>
> $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after [0m,5m] $s1) from entry-point "MyEntryPoint"
>
> []s
> Edson
>
> 2009/7/21 nestabur
Re: [rules-users] CEP Rule Help Needed
Hi Edson,

Thanks for the fix, but the problem still happens :(

Here is my complete .drl file:

package ArgosCorrelator
global com.s2grupo.triton.global.Context Context

declare MyFact
    @role( event )
    id: java.lang.Long
    ip: String
end

rule "Rule1"
    salience 2
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "ArgosCorrelator"
        $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "ArgosCorrelator"
    then
        System.out.println("** Evento Snort Ejecutado" + $s1.getData());
        retract($s1);
end

rule "SnortRuleRetract"
    salience 1
    dialect "mvel"
    when
        $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "ArgosCorrelator"
        $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "ArgosCorrelator"
    then
        retract($s2);
        System.out.println(" * Evento Snort Eliminado de la WM");
end

rule "SnortRule0"
    salience 0
    dialect "mvel"
    when
        $s1 : Snort( this.sig_name != "(portscan) Open Port") from entry-point "ArgosCorrelator"
    then
        System.out.println("* Alerta Snort 0!!" + $s1.getData());
end

2009/7/21 Edson Tirelli

> Your rule is wrong, as you are defining 3 patterns and the second pattern is looking for a fact in the main entry point, not your defined "MyEntryPoint".
> Fix it by doing:
>
> $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after [0m,5m] $s1) from entry-point "MyEntryPoint"
>
> []s
> Edson
>
> 2009/7/21 nestabur
Re: [rules-users] CEP Rule Help Needed
Your rule is wrong, as you are defining 3 patterns and the second pattern is looking for a fact in the main entry point, not your defined "MyEntryPoint".
Fix it by doing:

$s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1, this after [0m,5m] $s1) from entry-point "MyEntryPoint"

[]s
Edson

2009/7/21 nestabur

> Hi all,
>
> I'm getting crazy trying to create a CEP rule in drools 5.0.1 :(
>
> The rule is:
> ===
> rule "RetractOlderFacts"
>     dialect "mvel"
>     when
>         $s1 : MyModel( name != "aaa") from entry-point "MyEntryPoint"
>         $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1) and MyModel ( this after [0m,5m] $s1) from entry-point "MyEntryPoint"
>     then
>         retract($s2);
>         System.out.println(" * Retracting from WM");
> end
> ===
>
> The scenario is:
> "After receiving a fact "MyModel" whose name != "aaa", if another arrives with the same ip and a different id after a period between 0 and 5 minutes, the rule has to retract the last one and keep the first fact (the older one)"
>
> After receiving hundreds and hundreds of facts via JMS that may match the rule condition, the rule never throws!
>
> Is the rule correct?
> Could the problem be at the rule engine implementation?
>
> Could anyone help me, please?
>
> Thanks in advance,
>
> nestabur
[rules-users] CEP Rule Help Needed
Hi all,

I'm getting crazy trying to create a CEP rule in drools 5.0.1 :(

The rule is:
===
rule "RetractOlderFacts"
    dialect "mvel"
    when
        $s1 : MyModel( name != "aaa") from entry-point "MyEntryPoint"
        $s2 : MyModel ( name != "aaa" , id != $s1.id, ip == $s1) and MyModel ( this after [0m,5m] $s1) from entry-point "MyEntryPoint"
    then
        retract($s2);
        System.out.println(" * Retracting from WM");
end
===

The scenario is:
"After receiving a fact "MyModel" whose name != "aaa", if another arrives with the same ip and a different id after a period between 0 and 5 minutes, the rule has to retract the last one and keep the first fact (the older one)"

After receiving hundreds and hundreds of facts via JMS that may match the rule condition, the rule never throws!

Is the rule correct?
Could the problem be at the rule engine implementation?

Could anyone help me, please?

Thanks in advance,

nestabur
--
View this message in context: http://www.nabble.com/CEP-Rule-Help-Needed-tp24591289p24591289.html
Sent from the drools - user mailing list archive at Nabble.com.