In my case yes...

2009/7/23 Greg Barton <[email protected]>
>
> So do you mean this didn't work:
>
>     myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
>
>     for (Fact a : Facts)
>         ksession.getWorkingMemoryEntryPoint(correlatorName).insert(a);
>
> ...but this did?
>
>     myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
>
>     for (Fact a : Facts)
>         myWorkingMemoryEP.insert(a);
>
> --- On Thu, 7/23/09, Nestor Tarin Burriel <[email protected]> wrote:
>
> > From: Nestor Tarin Burriel <[email protected]>
> > Subject: Re: [rules-users] CEP Rule Help Needed
> > To: "Rules Users List" <[email protected]>
> > Date: Thursday, July 23, 2009, 9:47 AM
> >
> > Finally I've solved my problem. It was in the engine:
> >
> > Looking at the doc, for inserting a new fact into a stream of the working memory it says:
> >
> >     ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert();
> >
> > Which is perfect but not for my environment ;), I was inserting the events in different WMs because in each one I did
> >
> >     ksession.getWorkingMemoryEntryPoint("MyEntryPoint").insert(myFact);
> >
> > so I solved it doing:
> >
> >     myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName);
> >
> >     for (Fact a : Facts)
> >         myWorkingMemoryEP.insert(a);
> >
> > I don't know if this is the correct use of EntryPoints but it works!
> >
> > Thanks to everybody, especially Greg and Priya :)
> >
> > 2009/7/23 PriyaKathan <[email protected]>
> >
> > Hi
> >
> > Find attached a working example for a CEP rule with the scenario you stated. Here I used the pseudo clock. Hope this would help you to understand better.
> >
> > Regards,
> >
> > Priya
> >
> > 2009/7/23 Nestor Tarin Burriel <[email protected]>
> >
> > Hi again Greg,
> >
> > I've tried your suggestion and it seems like the facts that the rule is checking are the same.
> >
> > This is my last try:
> >
> >     rule "SnortRuleRetract"
> >     dialect "mvel"
> >     when
> >         $s1 : Snort( sig_name != "(portscan) Open Port")
> >         $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id)
> >     then
> >         retract($s2);
> >         System.out.println(" ********* Deleting from WM");
> >     end
> >
> > And it is never fired ...
> >
> > There are no more rules in the package, this is the only one ... so I don't understand anything ... could the error be in the engine? I don't retract any fact ... as you can see in my code ...
> >
> > Nestor
> >
> > 2009/7/23 Nestor Tarin Burriel <[email protected]>
> >
> > Yes, that is the purpose ;)
> >
> > I will try ;)
> >
> > Thanks for your help
> >
> > 2009/7/22 Greg Barton <[email protected]>
> >
> > > Ah, overlooked that second rule. Have you tried the overlap operator?
> > >
> > > So, just to clarify, the purpose of the two rules should be:
> > >
> > > SnortRule: If two Snort events that are not port scans of an open port on the same destination arrive more than 5 minutes apart, delete the earlier one.
> > >
> > > SnortRuleRetract: If two Snort events that are not port scans of an open port on any two destinations arrive within 5 minutes of each other, delete the earlier one.
> > >
> > > Have you tried removing the temporal operators completely, just for testing purposes? What happens? i.e.
> > >
> > >     "TimelessSnortRule"
> > >     $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
> > >     $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst) from entry-point "Correlator"
> > >
> > >     "TimelessSnortRuleRetract"
> > >     $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
> > >     $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id) from entry-point "Correlator"
> > >
> > > --- On Wed, 7/22/09, Nestor Tarin Burriel <[email protected]> wrote:
> > >
> > > > From: Nestor Tarin Burriel <[email protected]>
> > > > Subject: Re: [rules-users] CEP Rule Help Needed
> > > > To: "Rules Users List" <[email protected]>
> > > > Date: Wednesday, July 22, 2009, 1:47 PM
> > > >
> > > > Thanks Greg,
> > > >
> > > > As you can see in the code I sent, I have the 2 implementations:
> > > >
> > > >     "SnortRule"
> > > >     $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
> > > >     $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
> > > >
> > > >     "SnortRuleRetract"
> > > >     $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
> > > >     $s2 : Snort ( sig_name != "(portscan) Open Port" , id != $s1.id, this after [0m,5m] $s1) from entry-point "Correlator"
> > > >
> > > > and none of them are thrown
> > > >
> > > > ...
> > > >
> > > > 2009/7/22 Greg Barton <[email protected]>
> > > >
> > > > Maybe this is a problem of language. Here's what you say the rule should do:
> > > >
> > > > 'After receiving a fact "MyModel" which name != "aaa", if arrives another with same ip and different id after a period between 0 and 5 minutes the rule have to retract the last one and keep the first fact (the older one)'
> > > >
> > > > Which I would interpret as "Event 1 comes in, then event 2 comes in between 0 and 5 minutes later." Does that sound right?
> > > >
> > > > And here's the rule that you think fits the requirements:
> > > >
> > > >     rule "SnortRule"
> > > >     salience 2
> > > >     dialect "mvel"
> > > >     when
> > > >         $s1 : Snort( sig_name != "(portscan) Open Port") from entry-point "Correlator"
> > > >         $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from entry-point "Correlator"
> > > >     then
> > > >         System.out.println("****************** Snort Alert!!!!" + $s1.getData());
> > > >         retract($s1);
> > > >     end
> > > >
> > > > Check out the docs, though:
> > > >
> > > > https://hudson.jboss.org/hudson/job/drools/lastSuccessfulBuild/artifact/trunk/target/docs/drools-fusion/html_single/index.html#d0e622
> > > >
> > > > The after operator in this case would check that (5m <= $s2.startTimestamp - $s1.endTimeStamp <= +infinity).
> > > >
> > > > So the rule actually implements "Event 1 comes in, then event 2 happens at least 5 minutes later."
> > > >
> > > > If you use the second argument of after I think it would work:
> > > >
> > > >     $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this after [0m,5m] $s1) from entry-point "Correlator"
> > > >
> > > > According to the docs this should check that (0m <= $s2.startTimestamp - $s1.endTimeStamp <= 5m).
> > > >
> > > > You could alternately use "overlaps". Place an @duration(5m) annotation on the Snort declaration and try this condition:
> > > >
> > > >     $s2 : Snort( sig_name != "(portscan) Open Port" , id != $s1.id, ip_dst == $s1.ip_dst, this overlaps $s1) from entry-point "Correlator"
> >
> > --
> > Regards,
> > PriyaKathan
_______________________________________________ rules-users mailing list [email protected] https://lists.jboss.org/mailman/listinfo/rules-users
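The point Greg makes above about the two forms of the temporal operator is easy to verify offline. The following is an added example, not code from the thread or from the Drools project: a plain-Python model of the Fusion "after" operator as the quoted docs describe it (lower <= $s2.start - $s1.end <= upper, with a one-argument "after [5m]" meaning an open upper bound), run over a handful of constructed Snort-style events. The event ids, signature names, addresses and timestamps are made up, and the events are treated as point events (start == end), which is what a plain @role(event) fact gives you without a @duration annotation.

```python
# Added example: a plain-Python model of the Drools Fusion "after" temporal operator,
# used to compare the two rule variants discussed in the thread. Not Drools code;
# all event data below is constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

PORTSCAN = "(portscan) Open Port"  # signature both rules exclude via sig_name !=


@dataclass(frozen=True)
class Snort:
    id: int
    sig_name: str
    ip_dst: str
    timestamp: datetime  # point event: start == end


def after(s2: Snort, s1: Snort, lower: timedelta, upper: Optional[timedelta]) -> bool:
    """Model of '$s2 this after [lower, upper] $s1' as described in the quoted docs:
    lower <= s2.start - s1.end <= upper.  upper=None stands for +infinity, i.e. the
    one-argument form 'after [5m]'.  Both bounds are inclusive."""
    delta = s2.timestamp - s1.timestamp
    if delta < lower:
        return False
    return upper is None or delta <= upper


def evaluate(events: List[Snort], lower: timedelta, upper: Optional[timedelta],
             same_dst: bool) -> List[Tuple[int, int]]:
    """Return every ($s1.id, $s2.id) pair the rule's LHS would match.  This models
    only pattern matching; it does not model the agenda or the retract consequence."""
    matches = []
    for s1 in events:
        if s1.sig_name == PORTSCAN:
            continue
        for s2 in events:
            if s2.sig_name == PORTSCAN or s2.id == s1.id:
                continue
            if same_dst and s2.ip_dst != s1.ip_dst:
                continue
            if after(s2, s1, lower, upper):
                matches.append((s1.id, s2.id))
    return matches


def snort_rule(events: List[Snort]) -> List[Tuple[int, int]]:
    """'SnortRule': same ip_dst and 'this after [5m] $s1', i.e. delta >= 5 minutes."""
    return evaluate(events, timedelta(minutes=5), None, same_dst=True)


def snort_rule_retract(events: List[Snort]) -> List[Tuple[int, int]]:
    """'SnortRuleRetract': any destination and 'this after [0m,5m] $s1',
    i.e. 0 <= delta <= 5 minutes."""
    return evaluate(events, timedelta(0), timedelta(minutes=5), same_dst=False)


# Constructed sample stream (hypothetical values, not real Snort output).
T0 = datetime(2009, 7, 22, 12, 0, 0)
EVENTS = [
    Snort(1, "ICMP PING", "10.0.0.5", T0),
    Snort(2, "ICMP PING", "10.0.0.5", T0 + timedelta(minutes=3)),
    Snort(3, "ICMP PING", "10.0.0.5", T0 + timedelta(minutes=8)),
    Snort(4, PORTSCAN,    "10.0.0.5", T0 + timedelta(minutes=1)),  # excluded by sig_name
    Snort(5, "ICMP PING", "10.0.0.9", T0 + timedelta(minutes=4)),  # different destination
]

if __name__ == "__main__":
    print("SnortRule        (after [5m], same dst):  ", snort_rule(EVENTS))
    print("SnortRuleRetract (after [0m,5m], any dst):", snort_rule_retract(EVENTS))
```

Running it shows why the one-argument form does not express "within 5 minutes": with these events SnortRule matches only (1, 3) and (2, 3), the pairs at least 5 minutes apart on the same destination, while SnortRuleRetract matches the pairs 0 to 5 minutes apart on any destination, and the pair (2, 3), exactly 5 minutes apart, satisfies both because both bounds are inclusive. The model stops at pattern matching on purpose: in the engine, the first firing's retract($s1) or retract($s2) removes the other activations that shared that fact, and which activations exist at all depends on the facts having been inserted through the same "Correlator" entry point of the same session, which is the inserting mistake the thread ends on.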
