Srini, Thank you very much.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of VGore
Sent: Tuesday, August 13, 2013 2:12 PM
To: [email protected]
Subject: Re: [rules-users] Is my use case suuported in Drools?

This sample addresses a brute-force attack to capture login failures.
---------------------------------------------------------------------------------------------------
// Raw events expire from working memory after 60 seconds.
declare Event
    @role( event )
    @timestamp( eventTime )
    @expires (60s)
end

declare CorrelationEvent
    @role( event )
end

// Level 1: the first failed login for a source/destination pair
// creates a CorrelationEvent for that pair.
rule "CorrelationLogin Level 1"
    dialect "mvel"
    no-loop
when
    $e1 : Event($id : id, $sipaddress : sipaddress, $dipaddress : dipaddress,
                $type : type == "LOGIN", $result : result =="FAILED")
          over window:time(50s) from entry-point EventStream
    not CorrelationEvent(this.sipaddress == $sipaddress, this.dipaddress == $dipaddress)
then
    CorrelationEvent ce = new CorrelationEvent();
    ce.setSipaddress($e1.sipaddress);
    ce.setDipaddress($e1.dipaddress);
    ce.setLevel(1);
    ce.setEventCount(1);
    insert( ce );
end

// Level 2: count further failures for the pair; promote at 10.
rule "CorrelationLogin Level 2"
    dialect "mvel"
    no-loop
when
    $e1 : Event($id : id, $sipaddress : sipaddress, $dipaddress : dipaddress,
                $type : type == "LOGIN", $result : result =="FAILED")
          over window:time(50s) from entry-point EventStream
    $ce : CorrelationEvent(this.sipaddress == $sipaddress, this.dipaddress == $dipaddress,
                           this.level == 1, $eventCount : this.eventCount < 10)
then
    $ce.setEventCount($eventCount+1);
    if($ce.getEventCount() == 10) {
        $ce.setLevel(2);
    }
    modify( $ce );
end

// Level 3: keep counting while at level 2; promote at 40.
rule "CorrelationLogin Level 3"
    dialect "mvel"
    no-loop
when
    $e1 : Event($id : id, $sipaddress : sipaddress, $dipaddress : dipaddress,
                $type : type == "LOGIN", $result : result =="FAILED")
          over window:time(50s) from entry-point EventStream
    $ce : CorrelationEvent(this.sipaddress == $sipaddress, this.dipaddress == $dipaddress,
                           this.level == 2, $eventCount : this.eventCount < 40)
then
    $ce.setEventCount($eventCount+1);
    if($ce.getEventCount() == 40) {
        $ce.setLevel(3);
    }
    modify( $ce );
end
----------------------------------------------------------------------------------------------------
--
View this message in context: http://drools.46999.n3.nabble.com/rules-users-Is-my-use-case-suuported-in-Drools-tp4025445p4025498.html
Sent from the Drools: User forum mailing list archive at Nabble.com.
_______________________________________________
rules-users mailing list
[email protected]
https://lists.jboss.org/mailman/listinfo/rules-users
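
Added example (not part of VGore's post and not Drools code): a plain-Python model of the three thresholds the rules use, 1, 10 and 40 failed logins per source/destination pair, for checking an escalation policy against replayed events. It assumes failures are counted inside a trailing 50-second window and that eventTime is in seconds; the class and function names and the sample events are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 50                      # same figure as window:time(50s)
THRESHOLDS = ((40, 3), (10, 2), (1, 1))  # (failed logins in window, level)

class LoginFailureCorrelator:
    """Tracks failed logins per (source IP, destination IP) pair."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.failures = defaultdict(deque)  # pair -> timestamps still in window
        self.peak_level = defaultdict(int)  # pair -> highest level reached

    def observe(self, event):
        """Feed one event; return the pair's current level (0 if not counted)."""
        if event["type"] != "LOGIN" or event["result"] != "FAILED":
            return 0
        pair = (event["sipaddress"], event["dipaddress"])
        stamps = self.failures[pair]
        stamps.append(event["eventTime"])
        # Drop failures that have slid out of the trailing window.
        while stamps and stamps[0] <= event["eventTime"] - self.window:
            stamps.popleft()
        level = next(lvl for count, lvl in THRESHOLDS if len(stamps) >= count)
        self.peak_level[pair] = max(self.peak_level[pair], level)
        return level

def replay(events):
    """Run events in time order and return {pair: peak level}."""
    correlator = LoginFailureCorrelator()
    for event in sorted(events, key=lambda e: e["eventTime"]):
        correlator.observe(event)
    return dict(correlator.peak_level)

def make_event(t, src, dst, result="FAILED", kind="LOGIN"):
    # Constructed sample event using the field names from the rules above.
    return {"eventTime": t, "sipaddress": src, "dipaddress": dst,
            "type": kind, "result": result}

if __name__ == "__main__":
    # Constructed traffic: a fast guesser, a slow one, and a normal user.
    fast = [make_event(i, "198.51.100.7", "10.0.0.5") for i in range(40)]
    slow = [make_event(i * 10, "198.51.100.8", "10.0.0.5") for i in range(40)]
    user = [make_event(3, "192.0.2.20", "10.0.0.5", result="SUCCESS")]
    for pair, level in replay(fast + slow + user).items():
        print(pair, "-> level", level)
```

In this model the slow source never leaves level 1, because at one attempt every 10 seconds only five failures fit in the window at once.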
