Reputation: 31
I've written a rule for alerting on SSH events with "Failed password". The rule is here:
rule "Hello World"
when
    accumulate( m : Message( eventType == "Failed password" )
                over window:time( 59s );
                s : count(m);
                s > 3 )
then
    System.out.println( "success" );
    Alert alert = new Alert( "ssh", "test" );
    insert( alert );
end
This is working for the first scenario, but I want to extend this rule. I want to accumulate SSH events with "Failed password" that have the same src_ip address. For example, if I have 4 failed-password SSH events in 59s from three different src_ip addresses, the rule does not match, but when I have 4 failed-password SSH events in 59s from one src_ip, the rule matches. How should I rewrite this rule for this scenario?
Upvotes: 0
Views: 1936
Reputation: 31290
You need one Message to pick a certain IP address; then you can accumulate others with the same value.
rule "Four or more"
when
    $ml : Message( eventType == "Failed password", $ip : src_ip )
    not Message( eventType == "Failed password", src_ip == $ip, this after $ml )
    accumulate( Message( eventType == "Failed password", src_ip == $ip )
                over window:time( 59s );
                s : count(1);
                s > 3 )
then
    System.out.println( "success" );
    Alert alert = new Alert( "ssh", "test" );
    insert( alert );
end
Upvotes: 0
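The difference between the two rules above (a single 59s window over all failed logins versus one window per src_ip) is easy to get wrong, so here is the same detection logic re-implemented in plain Python and run over a handful of constructed auth.log lines. This is an added example, not Drools and not code from the question or the answer: the `SAMPLE_LOG` lines, the `parse` regex, the syslog year (2024, because syslog lines carry no year) and the `SlidingWindowCounter` class are all assumptions made for the illustration. The first four lines are four failures within 59s from three different source IPs, which trips the global rule but not the per-IP one; the later burst from 10.0.0.9 trips both.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines for the example (not from the original page).
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[100]: Failed password for root from 10.0.0.1 port 5000 ssh2
Jan 10 10:00:05 host sshd[101]: Failed password for root from 10.0.0.2 port 5001 ssh2
Jan 10 10:00:10 host sshd[102]: Failed password for invalid user admin from 10.0.0.3 port 5002 ssh2
Jan 10 10:00:20 host sshd[103]: Failed password for root from 10.0.0.1 port 5003 ssh2
Jan 10 10:01:30 host sshd[104]: Failed password for root from 10.0.0.9 port 5004 ssh2
Jan 10 10:01:31 host sshd[105]: Failed password for root from 10.0.0.9 port 5005 ssh2
Jan 10 10:01:32 host sshd[106]: Accepted password for bob from 10.0.0.9 port 5006 ssh2
Jan 10 10:01:40 host sshd[107]: Failed password for root from 10.0.0.9 port 5007 ssh2
Jan 10 10:02:00 host sshd[108]: Failed password for root from 10.0.0.9 port 5008 ssh2
Jan 10 10:05:00 host sshd[109]: Failed password for root from 10.0.0.9 port 5009 ssh2
"""

# Assumed sshd log format; "invalid user" appears for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted password) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(line, year=2024):
    """Turn one syslog line into an event dict shaped like the page's Message
    (eventType, src_ip) plus a timestamp. Returns None for lines we don't handle.
    The year is an assumption: syslog timestamps do not carry one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "eventType": m["event"], "src_ip": m["src_ip"]}


class SlidingWindowCounter:
    """Emulates `accumulate(... over window:time(Ns); count; count > threshold)`.

    key=None counts every failed login in one window (the "Hello World" rule);
    key=lambda e: e["src_ip"] keeps one window per source address (the
    "Four or more" rule). Events older than the window are expired on each
    insert, mirroring how a time window drops facts that have aged out."""

    def __init__(self, window_seconds=59, threshold=3, key=None):
        self.window = timedelta(seconds=window_seconds)
        self.threshold = threshold
        self.key = key
        self.events = defaultdict(deque)  # window key -> timestamps, oldest first

    def observe(self, event):
        """Insert one event; return True if the window now exceeds the threshold."""
        if event["eventType"] != "Failed password":
            return False
        q = self.events[self.key(event) if self.key else None]
        q.append(event["ts"])
        cutoff = event["ts"] - self.window
        while q and q[0] < cutoff:   # expire facts that fell out of the window
            q.popleft()
        return len(q) > self.threshold


def run(log_text, per_ip=True, window_seconds=59, threshold=3):
    """Replay log lines through the counter; return (time, src_ip) for each firing."""
    key = (lambda e: e["src_ip"]) if per_ip else None
    counter = SlidingWindowCounter(window_seconds, threshold, key)
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if counter.observe(ev):
            alerts.append((ev["ts"].strftime("%H:%M:%S"), ev["src_ip"]))
    return alerts


if __name__ == "__main__":
    print("global window :", run(SAMPLE_LOG, per_ip=False))
    print("per-src_ip    :", run(SAMPLE_LOG, per_ip=True))
```

As with the Drools version, the counter fires on every event that keeps the window above the threshold (the 4th failure and again on the 5th), so a consumer that wants one alert per burst still needs to suppress repeats; note also that the per-IP dictionary grows with every distinct source seen, which matters if the input is internet-facing sshd logs.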