Summary: When implementing a rule set for a customer utilizing the alert_time keyword coupled with custom Day and Hours variables, an error is given stating:
"[E] [04/19/2022 17:27:03] - [rules.c, line 3020] To many days (12345_M_F) in 'alert_time' in /usr/local/etc/sagan-rules/custom.rules at line 1, Abort."
RULE - placed in customer alerts file named CUSTOMER.rules
alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Custom Rule - Testing alert_time"; event_id: 636,4732; content: "Group|3a| Security ID|3a| S-1-5-32-544 "; meta_content: "%sagan%",$MAINTENANCE_ALERTS_USERS; alert_time: days $SAGAN_DAYS_M_F, hours $SAGAN_HOURS_M_F; program: Security; classtype: successful-admin; sid:8200000; rev:1;)
To Reproduce
Steps to reproduce the behavior:
1. Implemented custom customer rule in CUSTOMER.rules file.
2. Placed aforementioned custom variables in sagan-network.yaml.
3. Attempting to turn on sagan using systemctl results in the error described above.
4. See error.
Expected behavior
No errors when implementing the rule, and the rule should look for events occurring during the specified days and hours.
Context
Two separate analysts attempted this on the customer sensor from a work-issued Dell laptop, and one analyst replicated it in a test Sagan environment.