Re: [rules-users] CEP Rule Help Needed

: From: Nestor Tarin Burriel nesta...@gmail.com Subject: Re: [rules-users] CEP Rule Help Needed To: Rules Users List rules-users@lists.jboss.org Date: Wednesday, July 22, 2009, 1:47 PM Thanks Greg, As you can see in the code I sent, I have the 2 implementations: SnortRule

Re: [rules-users] CEP Rule Help Needed

Correlator --- On Wed, 7/22/09, Nestor Tarin Burriel nesta...@gmail.com wrote: From: Nestor Tarin Burriel nesta...@gmail.com Subject: Re: [rules-users] CEP Rule Help Needed To: Rules Users List rules-users@lists.jboss.org Date: Wednesday, July 22, 2009, 1:47 PM Thanks Greg, As you can

Re: [rules-users] CEP Rule Help Needed

...@gmail.com wrote: From: Nestor Tarin Burriel nesta...@gmail.com Subject: Re: [rules-users] CEP Rule Help Needed To: Rules Users List rules-users@lists.jboss.org Date: Wednesday, July 22, 2009, 1:47 PM Thanks Greg, As you can see in the code I sent, I have the 2 implementations

Re: [rules-users] CEP Rule Help Needed

Port , id != $s1.id) from entry-point Correlator --- On Wed, 7/22/09, Nestor Tarin Burriel nesta...@gmail.com wrote: From: Nestor Tarin Burriel nesta...@gmail.com Subject: Re: [rules-users] CEP Rule Help Needed To: Rules Users List rules-users@lists.jboss.org Date: Wednesday, July 22

Re: [rules-users] CEP Rule Help Needed

); for (Fact a : Facts) myWorkingMemoryEP.insert(a); --- On Thu, 7/23/09, Nestor Tarin Burriel nesta...@gmail.com wrote: From: Nestor Tarin Burriel nesta...@gmail.com Subject: Re: [rules-users] CEP Rule Help Needed To: Rules Users List rules-users@lists.jboss.org Date: Thursday, July 23, 2009, 9

Re: [rules-users] CEP Rule Help Needed

? myWorkingMemoryEP = ksession.getWorkingMemoryEntryPoint(correlatorName); for (Fact a : Facts) myWorkingMemoryEP.insert(a); --- On Thu, 7/23/09, Nestor Tarin Burriel nesta...@gmail.com wrote: From: Nestor Tarin Burriel nesta...@gmail.com Subject: Re: [rules-users] CEP Rule Help Needed To: Rules

Re: [rules-users] CEP Rule Help Needed

Hi Edson, Thanks for the fix, but the problem still happens :( Here my complete .drl file: package ArgosCorrelator global com.s2grupo.triton.global.Context Context declare MyFact @role( event ) id: java.lang.Long ip: String end rule Rule1 salience 2 dialect mvel when

Re: [rules-users] CEP Rule Help Needed

Hi Edson, Thanks for the fix, but the problem still happens :( Here my complete .drl file: package Correlator global com.s2grupo.triton.global.Context Context declare Snort @role( event ) icmp_code: String tcp_sport: String data: String sig_rev: String tcp_dport: String

Re: [rules-users] CEP Rule Help Needed

Hi again, Here the info from my engine execution: KnowledgeBaseConfiguration config = KnowledgeBaseFactory.newKnowledgeBaseConfiguration(); config.setOption( EventProcessingOption.STREAM ); KnowledgeBase kbase = KnowledgeBaseFactory.newKnowledgeBase(config);

Re: [rules-users] CEP Rule Help Needed

--- On Wed, 7/22/09, Nestor Tarin Burriel nesta...@gmail.com wrote: So I dont understand why my CEP rules never fires ... Ah, the eternal lament of the rules developer. :) Have you tried removing conditions until it does fire? ___

Re: [rules-users] CEP Rule Help Needed

Yes, :( Did you see some errors at the rule? 2009/7/22 Greg Barton greg_bar...@yahoo.com --- On Wed, 7/22/09, Nestor Tarin Burriel nesta...@gmail.com wrote: So I dont understand why my CEP rules never fires ... Ah, the eternal lament of the rules developer. :) Have you tried removing

Re: [rules-users] CEP Rule Help Needed

Maybe this is a problem of language. Here's what you say the rule should do: 'After receiving a fact MyModel wich name != aaa, if arrives another with same ip and different id after a period between 0 and 5 minutes the rule have to retract the last one and keep the first fact (the older one)'

Re: [rules-users] CEP Rule Help Needed

Thanks Greg, As you can see in the code I sent, I have the 2 implementations: SnortRule $s1 : Snort( sig_name != (portscan) Open Port) from entry-point Correlator $s2 : Snort( sig_name != (portscan) Open Port , id != $s1.id, ip_dst == $s1.ip_dst, this after [5m] $s1) from

Re: [rules-users] CEP Rule Help Needed

Correlator $s2 : Snort ( sig_name != (portscan) Open Port , id != $s1.id) from entry-point Correlator --- On Wed, 7/22/09, Nestor Tarin Burriel nesta...@gmail.com wrote: From: Nestor Tarin Burriel nesta...@gmail.com Subject: Re: [rules-users] CEP Rule Help Needed To: Rules Users List rules

Re: [rules-users] CEP Rule Help Needed

Tarin Burriel nesta...@gmail.com wrote: From: Nestor Tarin Burriel nesta...@gmail.com Subject: Re: [rules-users] CEP Rule Help Needed To: Rules Users List rules-users@lists.jboss.org Date: Wednesday, July 22, 2009, 1:47 PM Thanks Greg, As you can see in the code I sent, I have the 2

Re: [rules-users] CEP Rule Help Needed

Without @timestamp the event time is the insertion time. --- On Thu, 7/23/09, PriyaKathan nash.8...@gmail.com wrote: From: PriyaKathan nash.8...@gmail.com Subject: Re: [rules-users] CEP Rule Help Needed To: Rules Users List rules-users@lists.jboss.org Date: Thursday, July 23, 2009, 12:37 AM

[rules-users] CEP Rule Help Needed

Hi all, I'm getting crazy trying to create a CEP rule in droos 5.0.1 :( The rule is: === rule RetractOlderFacts dialect mvel when $s1 : MyModel( name != aaa) from entry-point MyEntryPoint $s2 : MyModel ( name != aaa , id != $s1.id, ip

Re: [rules-users] CEP Rule Help Needed

Your rule is wrong, as you are defining 3 patterns and the second pattern is looking for a fact in the main entry point, not your defined MyEntryPoint. Fix it doing: $s2 : MyModel ( name != aaa , id != $s1.id, ip == $s1, this after [0m,5m] $s1) from entry-point MyEntryPoint []s Edson