Source code for suricata_check.checkers.styleguide.performance
1"""`PerformanceChecker`."""
2
3import logging
4
5import idstools.rule
6
7from suricata_check.checkers.interface import CheckerInterface
8from suricata_check.utils.checker import (
9 get_rule_keyword_sequences,
10 is_rule_option_set,
11)
12from suricata_check.utils.checker_typing import ISSUES_TYPE, Issue
13from suricata_check.utils.regex import (
14 BASE64_BUFFER_KEYWORDS,
15 BASE64_TRANSFORMATION_KEYWORDS,
16)
17
18
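class PerformanceChecker(CheckerInterface):
    """The `PerformanceChecker` contains several checks for Suricata performance issues.

    Codes in the S900-S910 range report on usage of options that can slow the
    detection engine. The checks in this class emit S900, S901 and S902, all
    with `logging.INFO` severity, so they are advisory hints, not errors.
    """

    # NOTE(review): S903 is declared here, but no check in `_check_rule` emits
    # it. Confirm whether a check is missing or the code is reserved.
    codes = {
        "S900": {"severity": logging.INFO},
        "S901": {"severity": logging.INFO},
        "S902": {"severity": logging.INFO},
        "S903": {"severity": logging.INFO},
    }

    def _check_rule(
        self: "PerformanceChecker",
        rule: idstools.rule.Rule,
    ) -> ISSUES_TYPE:
        """Collect the performance issues raised by a single rule.

        Each code is reported at most once per rule. The messages are fixed
        strings that do not name the offending keyword or buffer, so repeating
        an issue for every matching keyword would only add identical entries.

        Args:
            rule: The parsed Suricata rule to inspect.

        Returns:
            The issues found, in the order S900, S901, S902. The list is empty
            when none of the checks match.
        """
        issues: ISSUES_TYPE = []

        # NOTE(review): this fires for any rule using `http.response_body`;
        # the message scopes the slowness to Suricata 5, but no target-version
        # check is made here.
        if is_rule_option_set(rule, "http.response_body"):
            issues.append(
                Issue(
                    code="S900",
                    message="""\
The rule uses the `http.response_body` option, which is known to be slow in Suricata 5.
Consider specifying the `file.data` option instead.\
""",
                ),
            )

        # A rule that combines several `base64_` keywords still gets a single
        # S901. This is a cost hint only: a rule that needs to inspect encoded
        # content may have to keep these keywords.
        base64_keywords = BASE64_BUFFER_KEYWORDS + BASE64_TRANSFORMATION_KEYWORDS
        if any(is_rule_option_set(rule, option) for option in base64_keywords):
            issues.append(
                Issue(
                    code="S901",
                    message="""\
The rule uses a `base64_` keyword, which is known to be slow.
Consider detection methods avoiding the usage of `base64_` keywords to improve runtime performance.\
""",
                ),
            )

        # `bsize` is only flagged when it appears in the same keyword sequence
        # as `http.uri`, as returned by `get_rule_keyword_sequences`.
        if any(
            "http.uri" in sequence and "bsize" in sequence
            for sequence in get_rule_keyword_sequences(rule)
        ):
            issues.append(
                Issue(
                    code="S902",
                    message="""\
The rule uses the `bsize` keyword on the `http.uri` buffer, which is known to be slow.
Consider using the `urilen` option instead to improve runtime performance.\
""",
                ),
            )

        return issues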