#####
# Most of the rules here are taken from the SEC documentation.
# Contexts in this ruleset should be prefixed with HOURS_
#####

# Business Hours- applies 6:00am - 8:59pm, M-F
# Off hours - 9:00pm - 5:59am M-F and all day Sat and Sun.
# Set every minute by the calendar rules below
# See crontab(5)
#
# Three calendars are needed since calendar is run every minute
# and we don't actually know when SEC will be started (or restarted)
#
# Exactly one of HOURS_BUSINESS_HOURS / HOURS_OFF_HOURS is meant to exist at
# any time: each calendar rule is guarded by context=!<its own context>, so
# its action list runs once at the transition rather than on every minute,
# and that action list deletes the opposite context.
#
# NOTE(review): between a SEC (re)start and the first evaluation of these
# calendar rules neither context exists, so the off-hours detection rule at
# the bottom (context=HOURS_OFF_HOURS) cannot match yet -- confirm how long
# that window is for the SEC version in use before relying on it.
#
# NOTE(review): ptype=IDMEF and the "prelude" action are not part of stock
# SEC; presumably this ruleset targets a Prelude-patched SEC -- verify.
#

# Calendar Rule (1 of 3)
# Sets HOURS_BUSINESS_HOURS
# time fields: minute hour day-of-month month day-of-week
#   -> every minute of hours 06-20, Mon-Fri
type=Calendar
time=* 6-20 * * 1,2,3,4,5
desc=HOURS_BUSINESS_HOURS
context=!HOURS_BUSINESS_HOURS
action=create %s;\
       write - Switched to Business Hours;\
       delete HOURS_OFF_HOURS;

# Calendar Rule (2 of 3)
# Sets HOURS_OFF_HOURS during 21:00-05:59. The day-of-week field is *, so
# this fires on all seven days, not only M-F; weekend daytime is covered by
# rule 3 below.
type=Calendar
time=* 0-5,21-23 * * *
context=!HOURS_OFF_HOURS
desc=HOURS_OFF_HOURS
action=create %s;\
       write - Switched to Off Hours;\
       delete HOURS_BUSINESS_HOURS;

# Calendar Rule (3 of 3)
# Set HOURS_OFF_HOURS during Sat,Sun (all hours)
# NOTE(review): day-of-week 7 relies on crontab's "0 or 7 = Sunday"
# convention -- confirm SEC's time parser accepts 7.
type=Calendar
time=* * * * 6,7
context=!HOURS_OFF_HOURS
desc=HOURS_OFF_HOURS
action=create %s;\
       write - Switched to Off Hours;\
       delete HOURS_BUSINESS_HOURS;

# Suppress info and low events
# A Suppress rule stops matching events from reaching any later rule in
# this file.
# NOTE(review): this rule precedes the off-hours rule below, so an info/low
# severity event (e.g. a successful login) arriving during HOURS_OFF_HOURS
# is dropped here and never escalated to high -- if escalation of routine
# events at odd hours is the intent, this ordering looks wrong; confirm.
type=Suppress
ptype=IDMEF
pattern=assessment.impact.severity: (info|low)

# Detect off-hours system activity
# Looks for analyzer classes that shouldn't be triggered during off-hours
# periods, and creates an alert
#
# Only fires while the HOURS_OFF_HOURS context exists. The pattern requires
# the last analyzer's class to be Integrity Checker, Remote Login or
# Authentication and assessment.impact.completion to be "succeeded", so
# failed attempts at off hours are not reported by this rule.
# Captures: $1 = messageid, $2 = analyzerid of analyzer(-1),
# $3 = analyzerid of analyzer(-2).
# The eval action sets %analyzerid to $2, or to $3 when $2 is empty
# (Perl ||); the prelude action then passes desc (%s) on, which references
# the original event by its messageid ($1) and %analyzerid.
# continue=TakeNext lets the matched event fall through to later rules.
type=Single
ptype=IDMEF
context=HOURS_OFF_HOURS
pattern=messageid: (.+); \
        analyzer(-1).class: Integrity Checker|Remote Login|Authentication; \
        analyzer(-1).analyzerid: (.*); \
        analyzer(-2).analyzerid: (.*); \
        assessment.impact.completion: succeeded;
continue=TakeNext
desc=assessment.impact.severity=high; \
     correlation_alert.name=Critical system activity on day off; \
     correlation_alert.alertident(>>).alertident=$1; \
     correlation_alert.alertident(-1).analyzerid=%analyzerid; \
     additional_data(>>).data = ignore_atomic_event;
action=eval %analyzerid ("$2" || "$3"); prelude %s