Source code for suricata_check.checkers.community._best

 1"""`BestChecker`."""
 2
 3import logging
 4from types import MappingProxyType
 5
 6from suricata_check.checkers.interface import CheckerInterface
 7from suricata_check.utils.checker import (
 8    get_rule_option,
 9    is_rule_option_set,
10    is_rule_suboption_set,
11)
12from suricata_check.utils.checker_typing import ISSUES_TYPE, Issue
13from suricata_check.utils.rule import Rule
14
15
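class BestChecker(CheckerInterface):
    """The `BestChecker` contains several checks for best practices to improve the experience of Suricata rules for everyone.

    Codes C100-C110 report on missing fields that should be set. Currently implemented:

    - C100: neither `target` nor a `noalert` marker is set.
    - C101: no `created_at` entry in the `metadata` option.
    - C102: `rev` is greater than 1 but no `updated_at` entry is in the `metadata` option.

    All three codes are reported at severity `logging.INFO`.
    """

    codes = MappingProxyType(
        {
            "C100": {"severity": logging.INFO},
            "C101": {"severity": logging.INFO},
            "C102": {"severity": logging.INFO},
        },
    )

    @staticmethod
    def _rev_number(rule: Rule) -> "int | None":
        """Return the `rev` option of `rule` as an integer, or `None` when unusable.

        `None` is returned when `rev` is absent, when the option lookup yields
        nothing, or when the value is not a base-10 integer. Rules come from
        arbitrary sources, so a malformed `rev` must not crash the whole
        checker run; C102 is simply not evaluated for such a rule.
        """
        if not is_rule_option_set(rule, "rev"):
            return None
        raw = get_rule_option(rule, "rev")
        if raw is None:
            return None
        try:
            return int(raw)
        except (TypeError, ValueError):
            return None

    def _check_rule(
        self: "BestChecker",
        rule: Rule,
    ) -> ISSUES_TYPE:
        """Check `rule` against best practices C100-C102.

        Args:
            rule: The parsed rule to examine.

        Returns:
            The list of `Issue` objects found; empty when the rule follows
            every best practice checked here.
        """
        issues: ISSUES_TYPE = []

        # C100: `target` only matters for alerting rules, so rules that
        # explicitly suppress alerting (`noalert` or `flowbits:noalert`) are exempt.
        suppresses_alert = is_rule_option_set(rule, "noalert") or is_rule_suboption_set(
            rule, "flowbits", "noalert"
        )
        if not suppresses_alert and not is_rule_option_set(rule, "target"):
            issues.append(
                Issue(
                    code="C100",
                    message="""\
The rule does not use the `target` Suricata meta option.
Consider adding the `target` option to specify which IP address is the target of the attack.\
""",
                ),
            )

        # C101: `created_at` lets consumers judge how current a signature is.
        if not is_rule_suboption_set(rule, "metadata", "created_at"):
            issues.append(
                Issue(
                    code="C101",
                    message="""\
The rule does not set the `created_at` metadata option.
Consider adding the `created_at` metadata option to inform users of the recency of this signature.\
""",
                ),
            )

        # C102: a revision count above 1 means the rule changed since creation,
        # so an `updated_at` entry is expected. A missing or malformed `rev`
        # yields None and skips this check rather than raising.
        rev = self._rev_number(rule)
        if (
            rev is not None
            and rev > 1
            and not is_rule_suboption_set(rule, "metadata", "updated_at")
        ):
            issues.append(
                Issue(
                    code="C102",
                    message="""\
The rule does not set the `updated_at` metadata option while it has been revised since creation.
Consider adding the `updated_at` metadata option to inform users of the recency of this signature.\
""",
                ),
            )

        return issues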