Error with variables for alert_time keyword
Summary: When implementing a rule set for a customer that uses the alert_time keyword together with custom day and hours variables, an error is given stating:
"[E] [04/19/2022 17:27:03] - [rules.c, line 3020] To many days (12345_M_F) in 'alert_time' in /usr/local/etc/sagan-rules/custom.rules at line 1, Abort."
Rule (placed in the customer alerts file named CUSTOMER.rules):
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Custom Rule - Testing alert_time"; event_id: 636,4732; content: "Group|3a| Security ID|3a| S-1-5-32-544 "; meta_content: "%sagan%",$MAINTENANCE_ALERTS_USERS; alert_time: days $SAGAN_DAYS_M_F, hours $SAGAN_HOURS_M_F; program: Security; classtype: successful-admin; sid:8200000; rev:1;)
Variables (placed in sagan-network.yaml):
SAGAN_DAYS_M_F: "012345"
SAGAN_HOURS_M_F: "2200-1200"
To Reproduce
Steps to reproduce the behavior:
- Implement the custom customer rule in the CUSTOMER.rules file.
- Place the aforementioned custom variables in sagan-network.yaml.
- Attempt to start sagan using systemctl; this results in the error described above.
- See error.
Expected behavior
No errors when implementing the rule; the rule should look for events occurring during the specified days and hours.
Context
Two separate analysts attempted this on a customer sensor from work-issued Dell laptops, and one analyst replicated it in a test sagan environment.
Relevant errors:
https://github.com/quadrantsec/sagan/blob/2994998281d63862e3b32646c04200adf09b41ea/src/rules.c#L3020
https://github.com/quadrantsec/sagan/blob/2994998281d63862e3b32646c04200adf09b41ea/src/rules.c#L3055
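A pre-flight check for the rule and variables above, added here as an example and not code from Sagan or from this report: it expands `$NAME` references longest-name-first and then validates the syntax of the resulting alert_time days and hours fields, so a days value that still carries a suffix such as the `12345_M_F` seen in the error is flagged before the rule set is loaded. The regex-based expansion, the 0-6 weekday-digit format and the HHMM-HHMM hours format are assumptions for this checker, not a description of Sagan's parser.

```python
import re

# Variable values as placed in sagan-network.yaml in the report above.
SAGAN_VARS = {
    "SAGAN_DAYS_M_F": "012345",
    "SAGAN_HOURS_M_F": "2200-1200",
}

# Shortened copy of the rule from the report (constructed for this example).
RULE = ('alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Custom Rule - Testing alert_time"; '
        'alert_time: days $SAGAN_DAYS_M_F, hours $SAGAN_HOURS_M_F; sid:8200000; rev:1;)')

def expand_vars(text, variables):
    """Replace $NAME tokens, trying the longest names first so that a variable
    such as $SAGAN_DAYS_M_F is never cut short by a shorter name that prefixes it.
    Names with no entry in `variables` (e.g. $HOME_NET here) are left untouched."""
    if not variables:
        return text
    names = sorted(variables, key=len, reverse=True)
    pattern = re.compile(r"\$(" + "|".join(map(re.escape, names)) + r")(?![A-Za-z0-9_])")
    return pattern.sub(lambda m: variables[m.group(1)], text)

def alert_time_problems(rule_text, variables):
    """Return a list of problems with the rule's alert_time option after
    variable expansion; an empty list means the fields are syntactically sound."""
    expanded = expand_vars(rule_text, variables)
    match = re.search(r"alert_time:\s*days\s+([^,;]+),\s*hours\s+([^;]+);", expanded)
    if not match:
        return ["alert_time option missing or not in 'days X, hours Y' form"]
    days, hours = match.group(1).strip(), match.group(2).strip()
    problems = []
    # Assumed days format: a string of weekday digits 0-6, at most seven of them.
    if not re.fullmatch(r"[0-6]{1,7}", days):
        problems.append(f"days value {days!r} must be 1-7 digits in the range 0-6")
    elif len(set(days)) != len(days):
        problems.append(f"days value {days!r} repeats a day")
    # Assumed hours format: HHMM-HHMM; only the syntax is checked, so a range
    # that wraps past midnight (like 2200-1200) is accepted here.
    hm = re.fullmatch(r"(\d{2})(\d{2})-(\d{2})(\d{2})", hours)
    if not hm or any(int(h) > 23 for h in (hm.group(1), hm.group(3))) \
            or any(int(m) > 59 for m in (hm.group(2), hm.group(4))):
        problems.append(f"hours value {hours!r} must be HHMM-HHMM with valid times")
    return problems

if __name__ == "__main__":
    print(alert_time_problems(RULE, SAGAN_VARS))
    # Days value as it appeared in the reported error message.
    print(alert_time_problems(RULE.replace("$SAGAN_DAYS_M_F", "12345_M_F"), SAGAN_VARS))
```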