1"""`ReferenceChecker`."""
2
3import logging
4
5import idstools.rule
6
7from suricata_check.checkers.interface import CheckerInterface
8from suricata_check.utils.checker import (
9 is_rule_option_equal_to_regex,
10)
11from suricata_check.utils.checker_typing import ISSUES_TYPE, Issue
12from suricata_check.utils.regex import get_regex_provider
13
# Regex backend supplied by the project helper; the patterns are compiled once
# at import time and shared by every rule check.
_regex_provider = get_regex_provider()

# S700: a `reference` value that does not start with lowercase "url" and holds
# at least one uppercase ASCII letter. No IGNORECASE flag is passed, so the
# lookahead is case-sensitive: a value starting with "URL" is not exempted.
_S700_REGEX = _regex_provider.compile(r"^(?!url).*[A-Z]+.*$")

# S701: a `url` reference whose value starts with "http" or "https" (matched
# case-insensitively).
# NOTE(review): the pattern does not require "://", so a host name that itself
# begins with "http" (constructed example: `url,httpbin.example/x`) also
# matches. Confirm that this is intended.
_S701_REGEX = _regex_provider.compile(r"^url,\s*https?.*$", _regex_provider.IGNORECASE)
23
24
class ReferenceChecker(CheckerInterface):
    """Style checks for the `reference` option of a Suricata rule.

    The S700-S710 code range covers non-standard usages of `reference`.
    This class currently defines two codes, both reported at INFO severity:

    * S700 - the `reference` value contains uppercase characters.
    * S701 - a `url` reference spells out the web protocol.
    """

    codes = {
        "S700": {"severity": logging.INFO},
        "S701": {"severity": logging.INFO},
    }

    def _check_rule(
        self: "ReferenceChecker",
        rule: idstools.rule.Rule,
    ) -> ISSUES_TYPE:
        """Return the `reference` style issues found in *rule*.

        Each pattern is tested against the rule's `reference` option through
        `is_rule_option_equal_to_regex`. Matching entries produce one `Issue`
        each, in code order (S700 before S701). The list is empty when
        neither pattern matches.
        """
        # (code, pattern, message) per check, evaluated in the order listed.
        # NOTE(review): Suricata's reference.config normally maps the `url`
        # type to a URL prefix, so a scheme inside the value would presumably
        # be duplicated when the link is rendered - confirm against the
        # deployed reference.config.
        checks = (
            (
                "S700",
                _S700_REGEX,
                "The rule uses uppercase characters in the `reference` option.\n"
                "Consider using only lowercase characters.",
            ),
            (
                "S701",
                _S701_REGEX,
                "The rule specifies the web protocol in the `reference` option.\n"
                "Consider removing the protocol.",
            ),
        )

        return [
            Issue(code=code, message=message)
            for code, pattern, message in checks
            if is_rule_option_equal_to_regex(rule, "reference", pattern)
        ]