suricata_check.checkers.principle.principle
PrincipleChecker.
Classes
The PrincipleChecker contains several checks based on the Ruling the Unruly paper and target specificity and coverage.
Module Contents
- class suricata_check.checkers.principle.principle.PrincipleChecker(include: collections.abc.Iterable[str] | None = None)
Bases:
suricata_check.checkers.interface.checker.CheckerInterface
The PrincipleChecker contains several checks based on the Ruling the Unruly paper and target specificity and coverage.
Codes P000-P009 report on non-adherence to rule design principles.
- Specifically, the PrincipleChecker checks for the following:
P000: No Limited Proxy, the rule does not detect a characteristic that relates directly to a malicious action, making it potentially noisy.
P001: No Successful Malicious Action, the rule does not distinguish between successful and unsuccessful malicious actions, making it potentially noisy.
P002: No Alert Throttling, the rule does not utilize the `threshold limit` option to prevent alert flooding, making it potentially noisy.
P003: No Exceptions, the rule does not include any exceptions for common benign traffic, making it potentially noisy.
P004: No Generalized Characteristic, the rule detects a characteristic that is so specific that it is unlikely to generalize.
P005: No Generalized Position, the rule detects the characteristic in a fixed position and is therefore unlikely to generalize.
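The following is an added, self-contained illustration of how two of the principles above (P002 alert throttling and P005 fixed position) can be evaluated mechanically against a Suricata rule. It is not code from the suricata-check project and does not use its CheckerInterface; the option parser, the sample rules, and the exact criteria (a `threshold` of type `limit` or `both` counts as throttling; `offset`, `depth`, `startswith` or `endswith` count as a fixed position) are assumptions of this example, not necessarily the project's.

```python
"""Simplified, stand-alone demonstration of P002/P005-style rule checks.

Not part of suricata-check; criteria and sample rules are constructed here.
"""
from typing import List, Tuple

# Constructed sample rules for demonstration (not from any ruleset).
RULES = {
    "noisy": (
        'alert http any any -> any any (msg:"Example beacon"; '
        'content:"/gate.php"; http_uri; offset:0; depth:9; sid:1000001; rev:1;)'
    ),
    "throttled": (
        'alert http any any -> any any (msg:"Example beacon"; '
        'content:"/gate.php"; http_uri; '
        'threshold:type limit, track by_src, count 1, seconds 60; sid:1000002; rev:1;)'
    ),
}

# Assumption of this example: these modifiers pin a match to a fixed position.
FIXED_POSITION_KEYWORDS = {"offset", "depth", "startswith", "endswith"}


def parse_options(rule: str) -> List[Tuple[str, str]]:
    """Split the parenthesised option body into (keyword, value) pairs.

    Keywords without a value (e.g. http_uri) get an empty string.
    Semicolons inside double-quoted values are kept, and backslash-escaped
    quotes do not terminate a quoted value.
    """
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    raw_options: List[str] = []
    buf: List[str] = []
    in_quotes = False
    escaped = False
    for ch in body:
        if ch == '"' and not escaped:
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            raw_options.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        escaped = (ch == "\\") and not escaped
    tail = "".join(buf).strip()
    if tail:
        raw_options.append(tail)

    options: List[Tuple[str, str]] = []
    for raw in raw_options:
        if not raw:
            continue
        key, _, value = raw.partition(":")
        options.append((key.strip(), value.strip()))
    return options


def has_alert_throttling(options: List[Tuple[str, str]]) -> bool:
    """P002-style check: a threshold option whose type is limit or both."""
    for key, value in options:
        if key != "threshold":
            continue
        for field in value.split(","):
            parts = field.strip().split()
            if len(parts) == 2 and parts[0] == "type":
                return parts[1] in ("limit", "both")
    return False


def uses_fixed_position(options: List[Tuple[str, str]]) -> bool:
    """P005-style check: any modifier that fixes the match position."""
    return any(key in FIXED_POSITION_KEYWORDS for key, _ in options)


def check_rule(rule: str) -> List[str]:
    """Return the issue codes this simplified checker would emit for a rule."""
    options = parse_options(rule)
    issues: List[str] = []
    if not has_alert_throttling(options):
        issues.append("P002")
    if uses_fixed_position(options):
        issues.append("P005")
    return issues


if __name__ == "__main__":
    for name, rule in RULES.items():
        print(f"{name}: {check_rule(rule) or 'no issues'}")
```

Running the block reports P002 and P005 for the `noisy` sample and nothing for the `throttled` one, which differs only in dropping the positional modifiers and adding a `threshold` limit. A real checker would also have to handle rule files with multi-line rules and comments, which this example deliberately leaves out.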
Initializes the checker given a list of issue codes to emit.
- codes
A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module.