Scheduling with SESSION_START examples
Use SESSION_START to define when the session-level rules are active. The following examples show how to use the Session start time range parameter.
SR language examples
Example 1: Ignore any session that starts outside of normal working hours (in this case after 7
PM and before 8 AM) and is labeled as a NIGHT_JOB.
- Session level criteria:
- Session start time range != [08:00..19:00]
- Rule action = IGNORE REQUEST
- Request type = SQL
- Search pattern = NIGHT_JOB
Example 2: In many configurations, the database server and the collector are located in different
time zones. For example, suppose that the database server is installed in San Francisco (Pacific
time, which is UTC-8) and the collector is installed in Boston (Eastern Time, UTC-5). In this case,
you need to specify both the session range and the time zone offset (as Coordinated Universal Time
[UTC]).
- Session level criteria:
- Session start time range = [08:00..19:00, -8]
- Rule action = SELECT SESSION
Example 3: Discard any session that runs between 8:00 PM and 8:30 PM that also meets all of the
following criteria:
- The session comes from an S-TAP with IP address 25.25.25.25.
- The server port is 1433 (an MS SQL instance).
- The database user is Sirius.
- Session level criteria:
- Database user = Sirius
- Server port = 1433
- Sender IP address = 25.25.25.25
- Session start time range = [20:00..20:30]
- Rule action = DISCARD SESSION
SR language examples
Example 1:
SR_POLICIES
{
    IF (SESSION_START = [08:00..19:00,-8] )
    {
        SELECT_SESSION
    }
}
Example 2:
SR_POLICIES
{
    IF (SESSION_START != [08:00..19:00] )
    {
        IGNORE_REQUEST REQ_TYPE = SQL SEARCH_PATTERN = 'NIGHT_JOB'
    }
}
Example 3:
SR_POLICIES
{
    IF (SENDER_IP = '25.25.25.25' SERVER_PORT = 1433 DB_USER = 'sirius' SESSION_START = [20:00..20:30] )
    {
        DISCARD_SESSION
    }
}
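An added example, not part of the original documentation or the product's code: a small Python model of the session start time range check, for confirming which sessions a range such as [08:00..19:00, -8] would match before a rule is deployed. It shows how the same session start falls inside or outside the range depending on the offset applied. Assumptions: session timestamps are in UTC, bounds are inclusive, offsets are whole hours, a range with no offset is read in the collector's time zone (passed as default_offset), and a range may wrap past midnight; all function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Range syntax as written on this page: [HH:MM..HH:MM] or [HH:MM..HH:MM, offset]
RANGE_RE = re.compile(
    r"^\[\s*(\d{2}):(\d{2})\.\.(\d{2}):(\d{2})\s*(?:,\s*([+-]?\d{1,2}))?\s*\]$")

def parse_range(text):
    """Return (start_minute, end_minute, utc_offset_hours or None)."""
    m = RANGE_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a session start time range: {text!r}")
    h1, m1, h2, m2 = (int(g) for g in m.groups()[:4])
    if h1 > 23 or h2 > 23 or m1 > 59 or m2 > 59:
        raise ValueError(f"time out of bounds: {text!r}")
    offset = int(m.group(5)) if m.group(5) is not None else None
    return h1 * 60 + m1, h2 * 60 + m2, offset

def in_range(start_utc, text, default_offset=0):
    """True if the session start (aware datetime) falls inside the range.
    Assumed semantics: inclusive bounds; no offset means default_offset."""
    lo, hi, offset = parse_range(text)
    if offset is None:
        offset = default_offset
    local = start_utc.astimezone(timezone(timedelta(hours=offset)))
    minute = local.hour * 60 + local.minute
    if lo <= hi:
        return lo <= minute <= hi
    return minute >= lo or minute <= hi  # assumed: range wraps past midnight

def rule_matches(start_utc, operator, text, default_offset=0):
    """Evaluate 'SESSION_START = range' or 'SESSION_START != range'."""
    hit = in_range(start_utc, text, default_offset)
    if operator == "=":
        return hit
    if operator == "!=":
        return not hit
    raise ValueError(f"unsupported operator: {operator!r}")

# Constructed sample session starts (UTC) for a server in San Francisco.
SAMPLES = {
    "early": datetime(2024, 1, 15, 14, 0, tzinfo=timezone.utc),   # 06:00 at UTC-8
    "midday": datetime(2024, 1, 15, 20, 0, tzinfo=timezone.utc),  # 12:00 at UTC-8
    "night": datetime(2024, 1, 16, 6, 0, tzinfo=timezone.utc),    # 22:00 at UTC-8
}

if __name__ == "__main__":
    for name, ts in SAMPLES.items():
        print(name, rule_matches(ts, "=", "[08:00..19:00, -8]"))
```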