Source code for suricata_check.checkers.styleguide._metadata

 1"""`MetadataChecker`."""
 2
 3import logging
 4from types import MappingProxyType
 5
 6from suricata_check.checkers.interface import CheckerInterface
 7from suricata_check.utils.checker import (
 8    is_rule_option_set,
 9    is_rule_suboption_set,
10)
11from suricata_check.utils.checker_typing import ISSUES_TYPE, Issue
12from suricata_check.utils.rule import Rule
13
14
class MetadataChecker(CheckerInterface):
    """Style-guide checks for the `metadata` option of a Suricata rule.

    The S800-S810 code range reports on missing common `metadata` fields.
    Four codes are currently defined, all at INFO severity:

    - S800: `attack_target` is missing.
    - S801: `signature_severity` is missing (not reported for `noalert` rules).
    - S802: `performance_impact` is missing.
    - S803: `deployment` is missing.
    """

    # Read-only registry of the issue codes this checker can emit.
    codes = MappingProxyType(
        {
            "S800": {"severity": logging.INFO},  # attack_target
            "S801": {"severity": logging.INFO},  # signature_severity
            "S802": {"severity": logging.INFO},  # performance_impact
            "S803": {"severity": logging.INFO},  # deployment
        },
    )

    def _check_rule(
        self: "MetadataChecker",
        rule: Rule,
    ) -> ISSUES_TYPE:
        """Return one issue per recommended `metadata` field the rule lacks.

        Args:
            rule: The parsed Suricata rule to inspect.

        Returns:
            The issues found, in code order (S800 through S803); the list is
            empty when every checked field is present.
        """
        found: ISSUES_TYPE = []

        # NOTE(review): the S800 message also talks about alerts, yet unlike
        # S801 there is no `noalert` exemption here; confirm this is intended.
        if not is_rule_suboption_set(rule, "metadata", "attack_target"):
            found.append(
                Issue(
                    code="S800",
                    message=(
                        "The rule did not specify the `attack_target` metadata option.\n"
                        "Consider specifying the `attack_target` metadata option "
                        "to help analysts interpret alerts raised by this rule."
                    ),
                ),
            )

        if not is_rule_suboption_set(rule, "metadata", "signature_severity"):
            # Rules marked `noalert`, either as a standalone option or through
            # `flowbits`, are exempt from the severity recommendation.
            alert_suppressed = is_rule_option_set(
                rule,
                "noalert",
            ) or is_rule_suboption_set(rule, "flowbits", "noalert")
            if not alert_suppressed:
                found.append(
                    Issue(
                        code="S801",
                        message=(
                            "The rule did not specify the `signature_severity` metadata option.\n"
                            "Consider specifying the `signature_severity` metadata option "
                            "to help analysts interpret alerts raised by this rule."
                        ),
                    ),
                )

        if not is_rule_suboption_set(rule, "metadata", "performance_impact"):
            found.append(
                Issue(
                    code="S802",
                    message=(
                        "The rule did not specify the `performance_impact` metadata option.\n"
                        "Consider specifying the `performance_impact` metadata option "
                        "to help SOCs determine when to enable this rule."
                    ),
                ),
            )

        if not is_rule_suboption_set(rule, "metadata", "deployment"):
            found.append(
                Issue(
                    code="S803",
                    # Unlike S800-S802, the two sentences of this message are
                    # joined by a space rather than a newline.
                    message=(
                        "The rule did not specify the `deployment` metadata option. "
                        "Consider specifying the `deployment` metadata option "
                        "to help SOCs determine when to enable this rule."
                    ),
                ),
            )

        return found