Hi,

Find attached a working example for the CEP rule with the scenario you stated. Here I used a pseudo clock. Hope this would help you to understand better.
Regards,
Priya

2009/7/23 Nestor Tarin Burriel <[email protected]>

> Hi again Greg,
>
> I've tried your suggestion and it seems like the facts that the rule is
> checking are the same.
>
> This is my last try:
>
> rule "SnortRuleRetract"
> dialect "mvel"
> when
> $s1 : Snort( sig_name != "(portscan) Open Port")
> $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id)
> then
> retract($s2);
> System.out.println(" ********* Deleting from WM");
> end
>
> And it is never fired ...
>
> There are no more rules in the package, this is the only one ... so I don't
> understand anything ... could the error be in the engine? I don't retract any
> fact ... as you can see in my code ...
>
> NEStor
>
> 2009/7/23 Nestor Tarin Burriel <[email protected]>
>
>> Yes, that is the purpose ;)
>>
>> I will try ;)
>>
>> Thanks 4 your help
>>
>> 2009/7/22 Greg Barton <[email protected]>
>>
>>> Ah, overlooked that second rule. Have you tried the overlap operator?
>>>
>>> So, just to clarify, the purpose of the two rules should be:
>>>
>>> SnortRule: If two Snort events that are not port scans of an open port on
>>> the same destination arrive more than 5 minutes apart, delete the earlier
>>> one.
>>>
>>> SnortRuleRetract: If two Snort events that are not port scans of an open
>>> port on any two destinations arrive within 5 minutes of each other, delete
>>> the earlier one.
>>>
>>> Have you tried removing the temporal operators completely, just for
>>> testing purposes? What happens? i.e.
>>>
>>> "TimelessSnortRule"
>>> $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>>> $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id,
>>> ip_dst == $s1.ip_dst) from entry-point "Correlator"
>>>
>>> "TimelessSnortRuleRetract"
>>> $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>>> $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id)
>>> from entry-point "Correlator"
>>>
>>> --- On Wed, 7/22/09, Nestor Tarin Burriel <[email protected]> wrote:
>>>
>>> > From: Nestor Tarin Burriel <[email protected]>
>>> > Subject: Re: [rules-users] CEP Rule Help Needed
>>> > To: "Rules Users List" <[email protected]>
>>> > Date: Wednesday, July 22, 2009, 1:47 PM
>>> >
>>> > Thanks Greg,
>>> >
>>> > As you can see in the code I sent, I have the 2 implementations:
>>> >
>>> > "SnortRule"
>>> >
>>> > $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>>> >
>>> > $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this
>>> > after [5m] $s1) from entry-point "Correlator"
>>> >
>>> > "SnortRuleRetract"
>>> > $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>>> > $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from
>>> > entry-point "Correlator"
>>> >
>>> > and none of them is thrown ...
>>> >
>>> > 2009/7/22 Greg Barton <[email protected]>
>>> >
>>> > Maybe this is a problem of language. Here's what you say the rule should do:
>>> >
>>> > 'After receiving a fact "MyModel" which name != "aaa", if arrives another
>>> > with same ip and different id after a period between 0 and 5 minutes the
>>> > rule have to retract the last one and keep the first fact (the older one)'
>>> >
>>> > Which I would interpret as "Event 1 comes in, then event 2 comes in between
>>> > 0 and 5 minutes later." Does that sound right?
>>> >
>>> > And here's the rule that you think fits the requirements:
>>> >
>>> > rule "SnortRule"
>>> > salience 2
>>> > dialect "mvel"
>>> > when
>>> > $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
>>> > $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this
>>> > after [5m] $s1) from entry-point "Correlator"
>>> > then
>>> > System.out.println("****************** Snort Alert!!!!" + $s1.getData());
>>> > retract($s1);
>>> > end
>>> >
>>> > Check out the docs, though:
>>> >
>>> > https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
>>> >
>>> > The after operator in this case would check that
>>> > (5m <= $s2.startTimestamp - $s1.endTimeStamp <= +infinity).
>>> >
>>> > So the rule actually implements "Event 1 comes in, then event 2 happens at
>>> > least 5 minutes later."
>>> >
>>> > If you use the second argument of after I think it would work:
>>> >
>>> > $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this
>>> > after [0m,5m] $s1) from entry-point "Correlator"
>>> >
>>> > According to the docs this should check that
>>> > (0m <= $s2.startTimestamp - $s1.endTimeStamp <= 5m).
>>> >
>>> > You could alternately use "overlaps". Place an @duration(5m) annotation on
>>> > the Snort declaration and try this condition:
>>> >
>>> > $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this
>>> > overlaps $s1) from entry-point "Correlator"
>>>
>>
>

--
Regards,
PriyaKathan
Attachment: CEPExample.rar
_______________________________________________
rules-users mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/rules-users
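The difference Greg points out between `after [5m]` and `after [0m,5m]`, replayed on a pseudo clock in Python as an added example that is not part of this thread or of the attached CEPExample.rar. It models the documented operator semantics (`lo <= $s2.start - $s1.end <= hi`) rather than calling Drools; the `Snort` class, the sample alerts and the keep-the-older-fact policy (Nestor's stated requirement) are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

MIN = 60  # pseudo-clock ticks are seconds

@dataclass
class Snort:
    """Stand-in for the thread's Snort event fact (constructed, not the poster's class)."""
    id: int
    sig_name: str
    ip_dst: str
    start: int          # start timestamp on the pseudo clock
    duration: int = 0   # point-in-time event unless @duration is set

    @property
    def end(self) -> int:
        return self.start + self.duration

def after(s2: Snort, s1: Snort, lo: int, hi: Optional[int] = None) -> bool:
    """'$s2 : Snort(this after [lo,hi] $s1)' as the Fusion docs cited above define it:
    lo <= s2.start - s1.end <= hi; hi=None models 'after [lo]', i.e. hi = +infinity."""
    delta = s2.start - s1.end
    return delta >= lo and (hi is None or delta <= hi)

OPEN_PORT = "(portscan) Open Port"

def correlate(events: List[Snort], lo: int, hi: Optional[int]) -> List[int]:
    """Replay alerts into a working memory in clock order and apply Nestor's intent: a
    non-open-port alert that lands in the window after a live alert with the same ip_dst
    and a different id is retracted, the older fact is kept. Returns surviving ids."""
    live: List[Snort] = []
    for ev in sorted(events, key=lambda e: e.start):
        dup = ev.sig_name != OPEN_PORT and any(
            s.sig_name != OPEN_PORT and s.id != ev.id and s.ip_dst == ev.ip_dst
            and after(ev, s, lo, hi) for s in live)
        if not dup:
            live.append(ev)
    return [e.id for e in live]

# Constructed sample alerts: ids 1, 2 and 4 hit the same destination 0, 2 and 10 min in.
EVENTS = [
    Snort(1, "ET SCAN Suspicious inbound", "10.0.0.5", 0 * MIN),
    Snort(2, "ET SCAN Suspicious inbound", "10.0.0.5", 2 * MIN),
    Snort(3, "ET SCAN Suspicious inbound", "10.0.0.9", 3 * MIN),
    Snort(4, "ET SCAN Suspicious inbound", "10.0.0.5", 10 * MIN),
    Snort(5, OPEN_PORT, "10.0.0.5", 10 * MIN + 30),
]

if __name__ == "__main__":
    print("after [0m,5m]:", correlate(EVENTS, 0, 5 * MIN))     # [1, 3, 4, 5]
    print("after [5m]   :", correlate(EVENTS, 5 * MIN, None))  # [1, 2, 3, 5]
```

With the one-argument form the 2-minute near-duplicate survives and the alert 10 minutes later is the one retracted, which is the inverted behaviour Nestor was seeing.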
