suricata_check.checkers ======================= .. py:module:: suricata_check.checkers .. autoapi-nested-parse:: The `suricata_check.checkers` module contains all rule checkers. Submodules ---------- .. toctree:: :maxdepth: 1 /autoapi/suricata_check/checkers/community/index /autoapi/suricata_check/checkers/interface/index /autoapi/suricata_check/checkers/mandatory/index /autoapi/suricata_check/checkers/principle/index /autoapi/suricata_check/checkers/styleguide/index Classes ------- .. autoapisummary:: suricata_check.checkers.BestChecker suricata_check.checkers.MandatoryChecker suricata_check.checkers.MetadataChecker suricata_check.checkers.MsgChecker suricata_check.checkers.OrderChecker suricata_check.checkers.OverallChecker suricata_check.checkers.PcreChecker suricata_check.checkers.PerformanceChecker suricata_check.checkers.PrincipleChecker suricata_check.checkers.PrincipleMLChecker suricata_check.checkers.ReferenceChecker suricata_check.checkers.SidChecker suricata_check.checkers.StateChecker suricata_check.checkers.UnexpectedChecker suricata_check.checkers.WhitespaceChecker Package Contents ---------------- .. py:class:: BestChecker(include: Optional[collections.abc.Iterable[str]] = None) Bases: :py:obj:`suricata_check.checkers.interface.CheckerInterface` The `BestChecker` contains several checks for best practices to improve the experience of Suricata rules for everyone. Codes C100-C110 report on missing fields that should be set. Initializes the checker given a list of issue codes to emit. .. py:attribute:: codes A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the `logging` module .. py:class:: MandatoryChecker(include: Optional[collections.abc.Iterable[str]] = None) Bases: :py:obj:`suricata_check.checkers.interface.CheckerInterface` The `MandatoryChecker` contains several checks based on the Suricata syntax that are critical. Codes M000-M009 report on missing mandatory rule options. Initializes the checker given a list of issue codes to emit. .. py:attribute:: codes A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the `logging` module .. py:class:: MetadataChecker(include: Optional[collections.abc.Iterable[str]] = None) Bases: :py:obj:`suricata_check.checkers.interface.CheckerInterface` The `MetadataChecker` contains several checks for Suricata metadata options. Codes S800-810 report on missing common `metadata` fields Initializes the checker given a list of issue codes to emit. .. py:attribute:: codes A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the `logging` module .. py:class:: MsgChecker(include: Optional[collections.abc.Iterable[str]] = None) Bases: :py:obj:`suricata_check.checkers.interface.CheckerInterface` The `MsgChecker` contains several checks based for the Msg option in Suricata rules. Codes S400-S410 report on non-standard `msg` fields. Initializes the checker given a list of issue codes to emit. .. py:attribute:: codes A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the `logging` module .. py:class:: OrderChecker(include: Optional[collections.abc.Iterable[str]] = None) Bases: :py:obj:`suricata_check.checkers.interface.CheckerInterface` The `OrderChecker` contains several checks on the ordering Suricata options. Note that the correct ordering of detection options is as follows: 1. Buffer 2. Size 3. Transformation 4. Content 5. Pointer movement 6. Fast pattern 7. Nocase 8. Other payload options Codes S200-S209 report on the non-standard ordering of common options. Codes S210-S219 report on the non-standard ordering of content matches. Codes S220-S229 report on the non-standard ordering of flow options. Codes S230-S239 report on the non-standard ordering of detection options. Codes S240-S249 report on the non-standard ordering of threshold options. Initializes the checker given a list of issue codes to emit. .. py:attribute:: codes A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the `logging` module .. py:class:: OverallChecker(include: Optional[collections.abc.Iterable[str]] = None) Bases: :py:obj:`suricata_check.checkers.interface.CheckerInterface` The `OverallChecker` contains several the most basic checks for Suricata rules. Codes S000-S009 report on issues with the direction of the rule. Codes S010-S019 report on issues pertaining to the usage of non-standard options. Codes S020-S029 report on issues pertaining to the non-usage of recommended options. Codes S020-S029 report on issues pertaining to the non-usage of recommended options. Codes S031-S039 report on issues pertaining to the inappropriate usage of options. Initializes the checker given a list of issue codes to emit. .. py:attribute:: codes A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the `logging` module .. py:class:: PcreChecker(include: Optional[collections.abc.Iterable[str]] = None) Bases: :py:obj:`suricata_check.checkers.interface.CheckerInterface` The `PcreChecker` contains several checks for Suricata PCRE options. Codes S600-610 report on unrecommended usages of `pcre` Initializes the checker given a list of issue codes to emit. .. py:attribute:: codes A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the `logging` module .. py:class:: PerformanceChecker(include: Optional[collections.abc.Iterable[str]] = None) Bases: :py:obj:`suricata_check.checkers.interface.CheckerInterface` The `PerformanceChecker` contains several checks for Suricata performance issues. Codes S900-910 report on usage of options that can slow the detection engine. Initializes the checker given a list of issue codes to emit. .. py:attribute:: codes A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the `logging` module .. py:class:: PrincipleChecker(include: Optional[collections.abc.Iterable[str]] = None) Bases: :py:obj:`suricata_check.checkers.interface.checker.CheckerInterface` The `PrincipleChecker` contains several checks based on the Ruling the Unruly paper and target specificity and coverage. Codes P000-P009 report on non-adherence to rule design principles. Specifically, the `PrincipleChecker` checks for the following: P000: No Limited Proxy, the rule does not detect a characteristic that relates directly to a malicious action, making it potentially noisy. P001: No Successful Malicious Action, the rule does not distinguish between successful and unsuccessful malicious actions, making it potentially noisy. P002: No Alert Throttling, the rule does not utilize the threshold limit option` to prevent alert flooding, making it potentially noisy. P003: No Exceptions, the rule does not include any exceptions for commom benign traffic, making it potentially noisy. P004: No Generalized Characteristic, the rule does detect a characteristic that is so specific that it is unlikely generalize. P005: No Generalized Position, the rule does detect the characteristic in a fixed position that and is unlikely to generalize as a result. Initializes the checker given a list of issue codes to emit. .. py:attribute:: codes A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the `logging` module .. py:class:: PrincipleMLChecker(include: Optional[collections.abc.Iterable[str]] = None) Bases: :py:obj:`suricata_check.checkers.interface.dummy.DummyChecker` Dummy class to prevent runtime errors on import. Log an error due to failed imports for the checker. .. py:class:: ReferenceChecker(include: Optional[collections.abc.Iterable[str]] = None) Bases: :py:obj:`suricata_check.checkers.interface.CheckerInterface` The `ReferenceChecker` contains several checks for Suricata reference option. Codes S700-710 report on non-standard usages of `reference` Initializes the checker given a list of issue codes to emit. .. py:attribute:: codes A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the `logging` module .. py:class:: SidChecker(include: Optional[collections.abc.Iterable[str]] = None) Bases: :py:obj:`suricata_check.checkers.interface.CheckerInterface` The `SidChecker` contains several checks based on the Suricata SID allocation. Specifically, the `SidChecker` checks for the following: S300: Allocation to reserved SID range, whereas no range is reserved for the rule. S301: Allocation to unallocated SID range, whereas local range should be used. S302: Allocation to wrong reserved SID range, whereas another reserved range should be used. S303: Allocation to unallocated SID range, whereas a reserved range should be used. Initializes the checker given a list of issue codes to emit. .. py:attribute:: codes A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the `logging` module .. py:class:: StateChecker(include: Optional[collections.abc.Iterable[str]] = None) Bases: :py:obj:`suricata_check.checkers.interface.CheckerInterface` The `StateChecker` contains several checks for Suricata options relating to the connection or detection state. Codes S500-S510 report on non-standard usages of `flow` Codes S510-S520 report on non-standard usages of `flowbits` Codes S520-S530 report on non-standard usages of `xbits` Initializes the checker given a list of issue codes to emit. .. py:attribute:: codes A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the `logging` module .. py:class:: UnexpectedChecker(include: Optional[collections.abc.Iterable[str]] = None) Bases: :py:obj:`suricata_check.checkers.interface.CheckerInterface` The `UnexpectedChecker` contains several checks for unexpected Suricata behavior that users may not anticipate. Codes C000-C010 report on unexpected behavior. Initializes the checker given a list of issue codes to emit. .. py:attribute:: codes A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the `logging` module .. py:class:: WhitespaceChecker(include: Optional[collections.abc.Iterable[str]] = None) Bases: :py:obj:`suricata_check.checkers.interface.CheckerInterface` The `WhitespaceChecker` contains several checks based on the Suricata Style guide relating to formatting rules. Codes S100-S109 report on unneccessary whitespace that should be removed. Codes S110-S119 report on missing whitespace that should be added. Codes S120-S129 report on non-standard escaping of special characters. Initializes the checker given a list of issue codes to emit. .. py:attribute:: codes A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the `logging` module