Summary: When implementing a rule set for a customer utilizing the alert_time keyword coupled with custom Day and Hours variables an error is given stating:

"[E] [04/19/2022 17:27:03] - [rules.c, line 3020] To many days (12345_M_F) in 'alert_time' in /usr/local/etc/sagan-rules/custom.rules at line 1, Abort."

RULE - placed in customer alerts file named CUSTOMER.rules

alert any $EXTERNAL_NET any -> $HOME_NET any (msg:"Custom Rule - Testing alert_time"; event_id: 636,4732; content: "Group|3a| Security ID|3a| S-1-5-32-544 "; meta_content: "%sagan%",$MAINTENANCE_ALERTS_USERS; alert_time: days $SAGAN_DAYS_M_F, hours $SAGAN_HOURS_M_F; program: Security; classtype: successful-admin; sid:8200000; rev:1;)

VARIABLE placed in sagan-network.yaml

SAGAN_DAYS_M_F: "012345"

SAGAN_HOURS_M_F: "2200-1200"

To Reproduce
Steps to reproduce the behavior:

1. Implemented custom customer rule in CUSTOMER.rules file
2. Placed aforementioned custom variables in sagan-network.yaml.
3. Attempting to turn on sagan using systemctl results in error described above.
4. See error

Expected behavior
No errors when implementing rule and rule to look for events occurring during specified days and hours

** Context **
2 separate analysts attempting on customer sensor from work issued Dell laptop as well as one analyst replicating in test sagan environment.