Source code for suricata_check.checkers.styleguide._performance

 1"""`PerformanceChecker`."""
 2
 3import logging
 4from types import MappingProxyType
 5
 6from suricata_check.checkers.interface import CheckerInterface
 7from suricata_check.utils.checker import (
 8    get_rule_keyword_sequences,
 9    is_rule_option_set,
10)
11from suricata_check.utils.checker_typing import ISSUES_TYPE, Issue
12from suricata_check.utils.regex import (
13    BASE64_BUFFER_KEYWORDS,
14    BASE64_TRANSFORMATION_KEYWORDS,
15)
16from suricata_check.utils.rule import Rule
17
18


[docs]
19class PerformanceChecker(CheckerInterface):
20    """The `PerformanceChecker` contains several checks for Suricata performance issues.
21
22    Codes S900-910 report on usage of options that can slow the detection engine.
23    """
24
25    codes = MappingProxyType(
26        {
27            "S900": {"severity": logging.INFO},
28            "S901": {"severity": logging.INFO},
29            "S902": {"severity": logging.INFO},
30            "S903": {"severity": logging.INFO},
31        },
32    )
33
34    def _check_rule(
35        self: "PerformanceChecker",
36        rule: Rule,
37    ) -> ISSUES_TYPE:
38        issues: ISSUES_TYPE = []
39
40        if is_rule_option_set(rule, "http.response_body"):
41            issues.append(
42                Issue(
43                    code="S900",
44                    message="""\
45The rule uses the `http.response_body` option, which is known to be slow in Suricata 5.
46Consider specifying the `file.data` option instead.\
47""",
48                ),
49            )
50
51        for option in BASE64_BUFFER_KEYWORDS + BASE64_TRANSFORMATION_KEYWORDS:
52            if is_rule_option_set(rule, option):
53                issues.append(
54                    Issue(
55                        code="S901",
56                        message="""\
57The rule uses a `base64_` keyword, which is known to be slow.
58Consider detection methods avoiding the usage of `base64_` keywords to improve runtime performance.\
59""",
60                    ),
61                )
62
63        for sequence in get_rule_keyword_sequences(rule):
64            if "http.uri" in sequence and "bsize" in sequence:
65                issues.append(
66                    Issue(
67                        code="S902",
68                        message="""\
69The rule uses the `bsize` keyword on the `http.uri` buffer, which is known to be slow.
70Consider using the `urilen` option instead to improve runtime performance.\
71""",
72                    ),
73                )
74
75        return issues