1"""`UnexpectedChecker`."""
2
3import logging
4
5import idstools.rule
6
7from suricata_check.checkers.interface import CheckerInterface
8from suricata_check.utils.checker import (
9 is_rule_option_set,
10 is_rule_suboption_set,
11)
12from suricata_check.utils.checker_typing import ISSUES_TYPE, Issue
13
14
class UnexpectedChecker(CheckerInterface):
    """Checker for Suricata behaviour that rule authors may not anticipate.

    Findings are reported as `Issue` objects carrying one of the codes declared
    in ``codes``; the C000-C010 range is reserved for this checker, and only
    C000 is defined at present.

    C000: the rule sets a flowbit or xbit while also carrying a ``threshold``
    option. The bit is set on every match, irrespective of whether the
    threshold has been reached, so a downstream rule consuming that bit may
    fire more often than the ``threshold`` suggests.
    """

    codes = {
        "C000": {"severity": logging.WARNING},
    }

    def _check_rule(
        self: "UnexpectedChecker",
        rule: idstools.rule.Rule,
    ) -> ISSUES_TYPE:
        """Return the issues this checker finds in `rule` (empty when none apply).

        Args:
            rule: The parsed Suricata rule to inspect.

        Returns:
            A list of `Issue` objects, one per triggered check.
        """
        # C000 needs both halves: a bit being set *and* a threshold. Either
        # option on its own is unremarkable, so bail out early in that case.
        # The flowbits/xbits lookups run first, then the threshold lookup,
        # mirroring the evaluation order of the combined condition.
        if not (
            is_rule_suboption_set(rule, "flowbits", "set")
            or is_rule_suboption_set(rule, "xbits", "set")
        ):
            return []
        if not is_rule_option_set(rule, "threshold"):
            return []

        return [
            Issue(
                code="C000",
                message=(
                    "The rule uses the Suricata threshold option in combination with the setting of flowbits or xbits.\n"
                    "Note that the flowbit or xbit will be set on every match regardless of whether the threshold is reached.\n"
                    "Consider removing the `threshold` option from the rule to prevent confusion."
                ),
            ),
        ]