suricata_check.checkers.principle.ml

PrincipleMLChecker.

Classes

PrincipleMLChecker

The PrincipleChecker contains several checks based on the Ruling the Unruly paper and target specificity and coverage.

Module Contents

class suricata_check.checkers.principle.ml.PrincipleMLChecker(include: collections.abc.Iterable[str] | None = None)[source]

Bases: suricata_check.checkers.interface.checker.CheckerInterface

The PrincipleChecker contains several checks based on the Ruling the Unruly paper and target specificity and coverage.

Codes Q000-Q009 report on non-adherence to rule design principles similar to Q000-Q009. Differently, they are the result of machine learning analysis of the rules.

Initializes the checker given a list of issue codes to emit.

__getnewargs__() → tuple[source]: Returns the arguments to be passed to the __new__ method when unpickling.

train(df: pandas.DataFrame, rule_col: str = 'rule.rule', principle_cols: dict[str, str] = {'Q000': 'labelled.no_proxy', 'Q001': 'labelled.success', 'Q002': 'labelled.thresholded', 'Q003': 'labelled.exceptions', 'Q004': 'labelled.generalized_match_content', 'Q005': 'labelled.generalized_match_location'}, reuse_models: bool = False) → None[source]

Train several models for the checker to detect issues in rules.

The checker class with trained models is stored in a pickle file (_PICKLE_PATH).

codes: A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module

enabled_by_default = False: A boolean indicating if the checker is enabled by default when discovered automatically.