In its most general form, any packet has a number of fields. These will have
to be extracted from the byte array and used to create a Java object of some
Message (sub)type. Including the payload data in the filter conditions
complicates matters as you probably don't want to restrict yourself to
certain known layouts for the payload.
As for the fixed (header) fields, filter conditions may refer to an
arbitrary number of fields. The condition for a single field (assuming they
can all be represented as integers or longs) might be a range or a set of
discrete values. This means that you cannot write a fixed set of rules
unless you were always filtering for the same set of values.
You have two options:
(a) Design a "little language" (i.e., what is usually called a Domain
Specific Language) for writing your filter conditions, and a (simple)
compiler to generate the Jess CLP from a condition set.
(b) Write rules, for each field, one matching against a range and another
one against a Set. The setup process would take the actual conditions for
some of these fields and generate a Parameter fact defining the range bounds
or set elements, respectively. Each rule would then combine a Parameter fact
with a Message fact and a Result fact, for bookkeeping.
;; Range test for one header field: the Parameter fact carries the bounds,
;; the Message pattern tests the field against them, and the Result fact
;; keeps the running count of satisfied conditions.
(defrule RangeSourcePort
  (RangeParameter (field sourcePort) (low ?low) (high ?high))
  (Message {?low <= sourcePort && sourcePort <= ?high})
  ?r <- (Result (count ?count))
  =>
  (modify ?r (count (+ 1 ?count))))
A couple of low-salience rules, firing after all the test rules, determine
whether the match count has reached the required limit, either passing the
Message as filtered, or discarding it.
If you need to include arbitrary conditions on the payload, you are going to
have some fun designing ways for defining these conditions in the first
place; as this is going way beyond Jess I refrain from launching into a
lengthy discussion. Assuming that, at the end of the day, you have an object
representing the conditions, and providing a method
boolean check( byte[] data )
you could include another rule that deals with the data field of the
message, calling this check method.
HTH
Wolfgang
On Mon, Apr 27, 2009 at 11:33 PM, jamel guessoum <[email protected]> wrote:
> Hi all,
>
> I am new to Jess and to this forum and I have a question:
>
> Is there any documentation on how to write packet (TCP, UDP, ICMP ....)
> filtering rules with Jess?
>
> Or if someone can help in writing this type of rules.
>
> Thanks.
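Option (b) from Wolfgang's reply sketched end to end, as an added example that is not part of the original thread. It assumes Jess 7 syntax; the template names, the deffacts configuration, the ?*payload-check* global and the use of one Match fact per satisfied condition (instead of modifying a Result counter, which would re-activate the rule that reads the counter) are all assumptions for this sketch.

```jess
;; Fact templates (assumed names): one Message per packet, one Parameter
;; fact per configured header condition, one Match per satisfied condition.
(deftemplate Message
  (slot protocol) (slot sourcePort) (slot destPort) (slot data))
(deftemplate RangeParameter (slot field) (slot low) (slot high))
(deftemplate SetParameter (slot field) (multislot values))
(deftemplate Match (slot field))
(deftemplate Threshold (slot required))   ; how many conditions must hold

;; Filter configuration the setup code would generate from the user's
;; conditions (constructed sample values); survives (reset) between packets.
(deffacts filter-config
  (RangeParameter (field sourcePort) (low 1024) (high 65535))
  (SetParameter (field protocol) (values tcp udp))
  (Threshold (required 2)))

;; Range test on a header field, using the brace pattern test as in the post.
(defrule RangeSourcePort
  (RangeParameter (field sourcePort) (low ?low) (high ?high))
  (Message {?low <= sourcePort && sourcePort <= ?high})
  =>
  (assert (Match (field sourcePort))))

;; Set test on a header field: member$ returns FALSE when the value is absent.
(defrule SetProtocol
  (SetParameter (field protocol) (values $?allowed))
  (Message (protocol ?p&:(member$ ?p $?allowed)))
  =>
  (assert (Match (field protocol))))

;; Arbitrary payload condition delegated to a Java object exposing
;; boolean check(byte[] data); set from Java with (bind ?*payload-check* obj).
(defglobal ?*payload-check* = nil)
(defrule PayloadCheck
  (Message (data ?bytes))
  (test (and (neq ?*payload-check* nil) (?*payload-check* check ?bytes)))
  =>
  (assert (Match (field data))))

;; Low-salience decision rule: fires after every test rule, counts the Match
;; facts and either passes the Message on or retracts it.
(defquery matches (Match))
(defrule Decide
  (declare (salience -10))
  ?m <- (Message)
  (Threshold (required ?n))
  =>
  (if (>= (count-query-results matches) ?n) then
    (printout t "Message passed the filter" crlf)
  else
    (printout t "Message discarded" crlf)
    (retract ?m)))
```

Per packet, the Java side would call (reset), assert one Message fact and (run); the reset clears the previous packet's Match facts while the deffacts configuration is re-asserted.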