1"""`PcreChecker`."""
2
3import logging
4
5import idstools.rule
6
7from suricata_check.checkers.interface import CheckerInterface
8from suricata_check.utils.checker import (
9 is_rule_option_equal_to_regex,
10 is_rule_option_set,
11)
12from suricata_check.utils.checker_typing import ISSUES_TYPE, Issue
13from suricata_check.utils.regex import get_regex_provider
14
# Regex module handle returned by the project helper; it supplies both
# `compile` and the `IGNORECASE` flag used below.
_regex_provider = get_regex_provider()

# Pattern behind check S601: it matches a single-line value that contains the
# two-character sequence ".*" anywhere.
# NOTE(review): this is a textual heuristic, not a parse of the expression.
# The same two characters also appear in `\.*` (a quantified literal dot) and
# inside a character class such as `[.*]`, while other unbounded forms such as
# `.+` are not covered. The pattern contains no letters, so IGNORECASE does
# not change what it matches.
_S601_REGEX = _regex_provider.compile(r"^.*(\.\*).*$", _regex_provider.IGNORECASE)
21
22
class PcreChecker(CheckerInterface):
    """Checker for Suricata rules that use the `pcre` option.

    Codes S600-610 report on unrecommended usages of `pcre`. The codes
    registered in `codes` below are S600 and S601, both at INFO severity:

    * S600 - `pcre` is set while no `content` option is set.
    * S601 - the `pcre` option satisfies `_S601_REGEX`, which looks for ".*".
    """

    codes = {
        "S600": {"severity": logging.INFO},
        "S601": {"severity": logging.INFO},
    }

    def _check_rule(
        self: "PcreChecker",
        rule: idstools.rule.Rule,
    ) -> ISSUES_TYPE:
        """Collect the S600 and S601 issues that apply to `rule`.

        Args:
            rule: The parsed rule to inspect.

        Returns:
            A list with zero, one or two `Issue` objects, S600 before S601.
        """
        found: ISSUES_TYPE = []

        # S600: a regular expression with no `content` option alongside it.
        # NOTE(review): "atleast" in the message is a typo for "at least"; the
        # text is kept as is because consumers may match on it - confirm
        # before changing.
        pcre_without_content = is_rule_option_set(
            rule, "pcre"
        ) and not is_rule_option_set(rule, "content")
        if pcre_without_content:
            found.append(
                Issue(
                    code="S600",
                    message=(
                        "The rule uses the `pcre` option but has no `content` option set.\n"
                        "Consider using the content option atleast once to anchor and improve runtime performance."
                    ),
                ),
            )

        # S601: the expression contains ".*" according to `_S601_REGEX`.
        # NOTE(review): how the helper applies the regex to the option value
        # (and to rules with several `pcre` options) is defined outside this
        # file - verify before relying on this finding for rule triage.
        unbounded_pcre = is_rule_option_set(
            rule, "pcre"
        ) and is_rule_option_equal_to_regex(rule, "pcre", _S601_REGEX)
        if unbounded_pcre:
            found.append(
                Issue(
                    code="S601",
                    message=(
                        "The rule uses the `pcre` with an unlimited inspection depth.\n"
                        "Consider limiting the inspection depth to improve runtime performance."
                    ),
                ),
            )

        return found