suricata_check.checkers
The suricata_check.checkers module contains all rule checkers.
Submodules
Classes
The BestChecker contains several checks for best practices to improve the experience of Suricata rules for everyone. |
|
The MandatoryChecker contains several checks based on the Suricata syntax that are critical. |
|
The MetadataChecker contains several checks for Suricata metadata options. |
|
The MsgChecker contains several checks based for the Msg option in Suricata rules. |
|
The OrderChecker contains several checks on the ordering Suricata options. |
|
The OverallChecker contains several the most basic checks for Suricata rules. |
|
The PcreChecker contains several checks for Suricata PCRE options. |
|
The PerformanceChecker contains several checks for Suricata performance issues. |
|
The PrincipleChecker contains several checks based on the Ruling the Unruly paper and target specificity and coverage. |
|
Dummy class to prevent runtime errors on import. |
|
The ReferenceChecker contains several checks for Suricata reference option. |
|
The SidChecker contains several checks based on the Suricata SID allocation. |
|
The StateChecker contains several checks for Suricata options relating to the connection or detection state. |
|
The UnexpectedChecker contains several checks for unexpected Suricata behavior that users may not anticipate. |
|
The WhitespaceChecker contains several checks based on the Suricata Style guide relating to formatting rules. |
Package Contents
- class suricata_check.checkers.BestChecker(include: collections.abc.Iterable[str] | None = None)[source]
Bases:
suricata_check.checkers.interface.CheckerInterfaceThe BestChecker contains several checks for best practices to improve the experience of Suricata rules for everyone.
Codes C100-C110 report on missing fields that should be set.
Initializes the checker given a list of issue codes to emit.
- codes
A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module
- class suricata_check.checkers.MandatoryChecker(include: collections.abc.Iterable[str] | None = None)[source]
Bases:
suricata_check.checkers.interface.CheckerInterfaceThe MandatoryChecker contains several checks based on the Suricata syntax that are critical.
Codes M000-M009 report on missing mandatory rule options.
Initializes the checker given a list of issue codes to emit.
- codes
A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module
- class suricata_check.checkers.MetadataChecker(include: collections.abc.Iterable[str] | None = None)[source]
Bases:
suricata_check.checkers.interface.CheckerInterfaceThe MetadataChecker contains several checks for Suricata metadata options.
Codes S800-810 report on missing common metadata fields
Initializes the checker given a list of issue codes to emit.
- codes
A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module
- class suricata_check.checkers.MsgChecker(include: collections.abc.Iterable[str] | None = None)[source]
Bases:
suricata_check.checkers.interface.CheckerInterfaceThe MsgChecker contains several checks based for the Msg option in Suricata rules.
Codes S400-S410 report on non-standard msg fields.
Initializes the checker given a list of issue codes to emit.
- codes
A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module
- class suricata_check.checkers.OrderChecker(include: collections.abc.Iterable[str] | None = None)[source]
Bases:
suricata_check.checkers.interface.CheckerInterfaceThe OrderChecker contains several checks on the ordering Suricata options.
- Note that the correct ordering of detection options is as follows:
Buffer
Size
Transformation
Coontent
Pointer movement
Fast pattern
Nocase
Other payload options
Codes S200-S209 report on the non-standard ordering of common options.
Codes S210-S219 report on the non-standard ordering of content matches.
Codes S220-S229 report on the non-standard ordering of flow options.
Codes S230-S239 report on the non-standard ordering of detection options.
Codes S240-S249 report on the non-standard ordering of threshold options.
Initializes the checker given a list of issue codes to emit.
- codes
A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module
- class suricata_check.checkers.OverallChecker(include: collections.abc.Iterable[str] | None = None)[source]
Bases:
suricata_check.checkers.interface.CheckerInterfaceThe OverallChecker contains several the most basic checks for Suricata rules.
Codes S000-S009 report on issues with the direction of the rule.
Codes S010-S019 report on issues pertaining to the usage of non-standard options.
Codes S020-S029 report on issues pertaining to the non-usage of recommended options.
Codes S020-S029 report on issues pertaining to the non-usage of recommended options.
Codes S031-S039 report on issues pertaining to the inappropriate usage of options.
Initializes the checker given a list of issue codes to emit.
- codes
A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module
- class suricata_check.checkers.PcreChecker(include: collections.abc.Iterable[str] | None = None)[source]
Bases:
suricata_check.checkers.interface.CheckerInterfaceThe PcreChecker contains several checks for Suricata PCRE options.
Codes S600-610 report on unrecommended usages of pcre
Initializes the checker given a list of issue codes to emit.
- codes
A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module
- class suricata_check.checkers.PerformanceChecker(include: collections.abc.Iterable[str] | None = None)[source]
Bases:
suricata_check.checkers.interface.CheckerInterfaceThe PerformanceChecker contains several checks for Suricata performance issues.
Codes S900-910 report on usage of options that can slow the detection engine.
Initializes the checker given a list of issue codes to emit.
- codes
A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module
- class suricata_check.checkers.PrincipleChecker(include: collections.abc.Iterable[str] | None = None)[source]
Bases:
suricata_check.checkers.interface.checker.CheckerInterfaceThe PrincipleChecker contains several checks based on the Ruling the Unruly paper and target specificity and coverage.
Codes P000-P009 report on non-adherence to rule design principles.
- Specifically, the PrincipleChecker checks for the following:
P000: No Limited Proxy, the rule does not detect a characteristic that relates directly to a malicious action, making it potentially noisy.
P001: No Successful Malicious Action, the rule does not distinguish between successful and unsuccessful malicious actions, making it potentially noisy.
P002: No Alert Throttling, the rule does not utilize the threshold limit option` to prevent alert flooding, making it potentially noisy.
P003: No Exceptions, the rule does not include any exceptions for commom benign traffic, making it potentially noisy.
P004: No Generalized Characteristic, the rule does detect a characteristic that is so specific that it is unlikely generalize.
P005: No Generalized Position, the rule does detect the characteristic in a fixed position that and is unlikely to generalize as a result.
Initializes the checker given a list of issue codes to emit.
- codes
A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module
- class suricata_check.checkers.PrincipleMLChecker(include: collections.abc.Iterable[str] | None = None)[source]
Bases:
suricata_check.checkers.interface.dummy.DummyCheckerDummy class to prevent runtime errors on import.
Log an error due to failed imports for the checker.
- class suricata_check.checkers.ReferenceChecker(include: collections.abc.Iterable[str] | None = None)[source]
Bases:
suricata_check.checkers.interface.CheckerInterfaceThe ReferenceChecker contains several checks for Suricata reference option.
Codes S700-710 report on non-standard usages of reference
Initializes the checker given a list of issue codes to emit.
- codes
A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module
- class suricata_check.checkers.SidChecker(include: collections.abc.Iterable[str] | None = None)[source]
Bases:
suricata_check.checkers.interface.CheckerInterfaceThe SidChecker contains several checks based on the Suricata SID allocation.
- Specifically, the SidChecker checks for the following:
S300: Allocation to reserved SID range, whereas no range is reserved for the rule.
S301: Allocation to unallocated SID range, whereas local range should be used.
S302: Allocation to wrong reserved SID range, whereas another reserved range should be used.
S303: Allocation to unallocated SID range, whereas a reserved range should be used.
Initializes the checker given a list of issue codes to emit.
- codes
A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module
- class suricata_check.checkers.StateChecker(include: collections.abc.Iterable[str] | None = None)[source]
Bases:
suricata_check.checkers.interface.CheckerInterfaceThe StateChecker contains several checks for Suricata options relating to the connection or detection state.
Codes S500-S510 report on non-standard usages of flow Codes S510-S520 report on non-standard usages of flowbits Codes S520-S530 report on non-standard usages of xbits
Initializes the checker given a list of issue codes to emit.
- codes
A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module
- class suricata_check.checkers.UnexpectedChecker(include: collections.abc.Iterable[str] | None = None)[source]
Bases:
suricata_check.checkers.interface.CheckerInterfaceThe UnexpectedChecker contains several checks for unexpected Suricata behavior that users may not anticipate.
Codes C000-C010 report on unexpected behavior.
Initializes the checker given a list of issue codes to emit.
- codes
A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module
- class suricata_check.checkers.WhitespaceChecker(include: collections.abc.Iterable[str] | None = None)[source]
Bases:
suricata_check.checkers.interface.CheckerInterfaceThe WhitespaceChecker contains several checks based on the Suricata Style guide relating to formatting rules.
Codes S100-S109 report on unneccessary whitespace that should be removed.
Codes S110-S119 report on missing whitespace that should be added.
Codes S120-S129 report on non-standard escaping of special characters.
Initializes the checker given a list of issue codes to emit.
- codes
A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module