1"""`MetadataChecker`."""
2
3import logging
4
5import idstools.rule
6
7from suricata_check.checkers.interface import CheckerInterface
8from suricata_check.utils.checker import (
9 is_rule_option_set,
10 is_rule_suboption_set,
11)
12from suricata_check.utils.checker_typing import ISSUES_TYPE, Issue
13
14
class MetadataChecker(CheckerInterface):
    """The `MetadataChecker` contains several checks for Suricata metadata options.

    Codes S800-S803 report on missing common `metadata` fields:

    - S800: `attack_target` is not set
    - S801: `signature_severity` is not set (not reported for rules that never
      alert, i.e. with `noalert` or `flowbits:noalert` set)
    - S802: `performance_impact` is not set
    - S803: `deployment` is not set
    """

    codes = {
        "S800": {"severity": logging.INFO},
        "S801": {"severity": logging.INFO},
        "S802": {"severity": logging.INFO},
        "S803": {"severity": logging.INFO},
    }

    def _check_rule(
        self: "MetadataChecker",
        rule: idstools.rule.Rule,
    ) -> ISSUES_TYPE:
        """Return one `Issue` per expected `metadata` sub-option that `rule` lacks.

        Args:
            rule: The parsed Suricata rule to inspect.

        Returns:
            The issues found, in ascending code order (S800, S801, S802, S803).
        """
        # (code, metadata sub-option, message) in the order the issues are reported.
        expected_fields = (
            (
                "S800",
                "attack_target",
                "The rule did not specify the `attack_target` metadata option.\n"
                "Consider specifying the `attack_target` metadata option "
                "to help analysts interpret alerts raised by this rule.",
            ),
            (
                "S801",
                "signature_severity",
                "The rule did not specify the `signature_severity` metadata option.\n"
                "Consider specifying the `signature_severity` metadata option "
                "to help analysts interpret alerts raised by this rule.",
            ),
            (
                "S802",
                "performance_impact",
                "The rule did not specify the `performance_impact` metadata option.\n"
                "Consider specifying the `performance_impact` metadata option "
                "to help SOCs determine when to enable this rule.",
            ),
            (
                "S803",
                "deployment",
                "The rule did not specify the `deployment` metadata option. "
                "Consider specifying the `deployment` metadata option "
                "to help SOCs determine when to enable this rule.",
            ),
        )

        def rule_is_noalert() -> bool:
            # A rule that never raises an alert has no use for a severity,
            # so S801 is not reported for it.
            return is_rule_option_set(rule, "noalert") or is_rule_suboption_set(
                rule, "flowbits", "noalert"
            )

        found: ISSUES_TYPE = []
        for code, field, message in expected_fields:
            if is_rule_suboption_set(rule, "metadata", field):
                continue
            if field == "signature_severity" and rule_is_noalert():
                continue
            found.append(Issue(code=code, message=message))

        return found