Source code for suricata_check.checkers.community._unexpected

 1"""`UnexpectedChecker`."""
 2
 3import logging
 4from types import MappingProxyType
 5
 6from suricata_check.checkers.interface import CheckerInterface
 7from suricata_check.utils.checker import (
 8    is_rule_option_set,
 9    is_rule_suboption_set,
10)
11from suricata_check.utils.checker_typing import ISSUES_TYPE, Issue
12from suricata_check.utils.rule import Rule
13
14
class UnexpectedChecker(CheckerInterface):
    """Report rule constructs whose Suricata behavior a rule author may not anticipate.

    Codes C000-C010 report on unexpected behavior. Only C000 is registered in
    `codes` here.
    """

    # Read-only mapping of issue code -> metadata; C000 is reported at WARNING level.
    codes = MappingProxyType(
        {
            "C000": {"severity": logging.WARNING},
        },
    )

    def _check_rule(
        self: "UnexpectedChecker",
        rule: Rule,
    ) -> ISSUES_TYPE:
        """Return a C000 issue if `rule` sets a flowbit/xbit and also uses `threshold`.

        Args:
            rule: The parsed Suricata rule to inspect.

        Returns:
            A list holding one `Issue` with code C000 when the combination is
            present, otherwise an empty list.
        """
        findings: ISSUES_TYPE = []

        # Does the rule write state (`flowbits:set` or `xbits:set`)?
        # The `or` short-circuits, so xbits is only inspected when flowbits is not set.
        writes_state_bit = is_rule_suboption_set(
            rule, "flowbits", "set"
        ) or is_rule_suboption_set(rule, "xbits", "set")

        # Nothing to report unless state-setting and `threshold` appear together.
        if not (writes_state_bit and is_rule_option_set(rule, "threshold")):
            return findings

        # Why this is worth a warning: per the message below, the bit is written on
        # every match whether or not the threshold is reached. Rules elsewhere in the
        # ruleset that test that bit would therefore presumably see it set even when
        # this rule has raised no alert - verify against the deployed ruleset.
        c000_message = (
            "The rule uses the Suricata threshold option in combination with the setting of flowbits or xbits.\n"
            "Note that the flowbit or xbit will be set on every match regardless of whether the threshold is reached.\n"
            "Consider removing the `threshold` option from the rule to prevent confusion."
        )
        findings.append(Issue(code="C000", message=c000_message))

        return findings