suricata_check.checkers.principle

The suricata_check.checkers.principle module contains several checkers based on the Ruling the Unruly paper.

Reference: TODO

Submodules

Classes

PrincipleChecker

The PrincipleChecker contains several checks based on the Ruling the Unruly paper and target specificity and coverage.

PrincipleMLChecker

Dummy class to prevent runtime errors on import.

Package Contents

class suricata_check.checkers.principle.PrincipleChecker(include: collections.abc.Iterable[str] | None = None)

Bases: suricata_check.checkers.interface.checker.CheckerInterface

The PrincipleChecker contains several checks based on the Ruling the Unruly paper and target specificity and coverage.

Codes P000-P009 report on non-adherence to rule design principles.

Specifically, the PrincipleChecker checks for the following:

P000: No Limited Proxy, the rule does not detect a characteristic that relates directly to a malicious action, making it potentially noisy.

P001: No Successful Malicious Action, the rule does not distinguish between successful and unsuccessful malicious actions, making it potentially noisy.

P002: No Alert Throttling, the rule does not utilize the threshold limit option to prevent alert flooding, making it potentially noisy.

P003: No Exceptions, the rule does not include any exceptions for common benign traffic, making it potentially noisy.

P004: No Generalized Characteristic, the rule detects a characteristic that is so specific that it is unlikely to generalize.

P005: No Generalized Position, the rule detects the characteristic in a fixed position and is unlikely to generalize as a result.

Initializes the checker given a list of issue codes to emit.

codes

A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module.

class suricata_check.checkers.principle.PrincipleMLChecker(include: collections.abc.Iterable[str] | None = None)

Bases: suricata_check.checkers.interface.dummy.DummyChecker

Dummy class to prevent runtime errors on import.

Log an error due to failed imports for the checker.