1"""`PcreChecker`."""
2
3import logging
4from types import MappingProxyType
5
6from suricata_check.checkers.interface import CheckerInterface
7from suricata_check.utils.checker import (
8 is_rule_option_equal_to_regex,
9 is_rule_option_set,
10)
11from suricata_check.utils.checker_typing import ISSUES_TYPE, Issue
12from suricata_check.utils.regex_provider import get_regex_provider
13from suricata_check.utils.rule import Rule
14
# Regex backend used to compile the patterns in this module.
_regex_provider = get_regex_provider()

# S601 pattern: matches when the two-character sequence ".*" occurs anywhere in
# the inspected text. The pattern contains no letters, so IGNORECASE does not
# change what it matches.
# NOTE(review): the match is purely textual. It also fires on `\.*` (a repeated
# literal dot) and on ".*" inside a character class, and it does not fire on
# other unbounded forms such as `.+` or `.{0,}` - confirm this is the intended
# scope for S601.
_S601_REGEX = _regex_provider.compile(r"^.*(\.\*).*$", _regex_provider.IGNORECASE)
21
22
class PcreChecker(CheckerInterface):
    """Checker that reports on `pcre` usage in Suricata rules.

    Codes S600-610 report on unrecommended usages of `pcre`. Of that range,
    S600 and S601 are the codes declared and emitted by this class, both with
    INFO severity.
    """

    # Read-only mapping from each issue code to its metadata.
    codes = MappingProxyType(
        {
            "S600": {"severity": logging.INFO},
            "S601": {"severity": logging.INFO},
        },
    )

    def _check_rule(
        self: "PcreChecker",
        rule: Rule,
    ) -> ISSUES_TYPE:
        """Collect the S600 and S601 issues that apply to *rule*.

        Args:
            rule: The rule to inspect.

        Returns:
            A list holding zero, one or two issues; the two checks are
            independent, so both can be reported for the same rule.
        """
        s600_message = (
            "The rule uses the `pcre` option but has no `content` option set.\n"
            "Consider using the content option atleast once to anchor and improve runtime performance."
        )
        s601_message = (
            "The rule uses the `pcre` with an unlimited inspection depth.\n"
            "Consider limiting the inspection depth to improve runtime performance."
        )

        found: ISSUES_TYPE = []

        # S600: a `pcre` option with no `content` option anywhere in the rule.
        pcre_without_content = is_rule_option_set(
            rule, "pcre"
        ) and not is_rule_option_set(rule, "content")
        if pcre_without_content:
            found.append(Issue(code="S600", message=s600_message))

        # S601: the `pcre` option is tested against _S601_REGEX, which looks for
        # a ".*" sequence.
        # NOTE(review): presumably the helper matches the option's value
        # against the pattern - confirm in suricata_check.utils.checker.
        pcre_is_unbounded = is_rule_option_set(
            rule, "pcre"
        ) and is_rule_option_equal_to_regex(rule, "pcre", _S601_REGEX)
        if pcre_is_unbounded:
            found.append(Issue(code="S601", message=s601_message))

        return found