suricata_check.checkers.styleguide

The suricata_check.checkers.styleguide module contains several checkers based on the Suricata Style Guide.

Reference: https://github.com/sidallocation/suricata-style-guide

Submodules

Classes

MetadataChecker

The MetadataChecker contains several checks for Suricata metadata options.

MsgChecker

The MsgChecker contains several checks for the msg option in Suricata rules.

OrderChecker

The OrderChecker contains several checks on the ordering of Suricata options.

OverallChecker

The OverallChecker contains several of the most basic checks for Suricata rules.

PcreChecker

The PcreChecker contains several checks for Suricata PCRE options.

PerformanceChecker

The PerformanceChecker contains several checks for Suricata performance issues.

ReferenceChecker

The ReferenceChecker contains several checks for the Suricata reference option.

SidChecker

The SidChecker contains several checks based on the Suricata SID allocation.

StateChecker

The StateChecker contains several checks for Suricata options relating to the connection or detection state.

WhitespaceChecker

The WhitespaceChecker contains several checks based on the Suricata Style Guide relating to rule formatting.

Package Contents

class suricata_check.checkers.styleguide.MetadataChecker(include: collections.abc.Iterable[str] | None = None)

Bases: suricata_check.checkers.interface.CheckerInterface

The MetadataChecker contains several checks for Suricata metadata options.

Codes S800-S810 report on missing common metadata fields.

Initializes the checker given a list of issue codes to emit.

codes

A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module.

class suricata_check.checkers.styleguide.MsgChecker(include: collections.abc.Iterable[str] | None = None)

Bases: suricata_check.checkers.interface.CheckerInterface

The MsgChecker contains several checks for the msg option in Suricata rules.

Codes S400-S410 report on non-standard msg fields.

Initializes the checker given a list of issue codes to emit.

codes

A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module.

class suricata_check.checkers.styleguide.OrderChecker(include: collections.abc.Iterable[str] | None = None)

Bases: suricata_check.checkers.interface.CheckerInterface

The OrderChecker contains several checks on the ordering of Suricata options.

Note that the correct ordering of detection options is as follows:
  1. Buffer
  2. Size
  3. Transformation
  4. Content
  5. Pointer movement
  6. Fast pattern
  7. Nocase
  8. Other payload options

Codes S200-S209 report on the non-standard ordering of common options.

Codes S210-S219 report on the non-standard ordering of content matches.

Codes S220-S229 report on the non-standard ordering of flow options.

Codes S230-S239 report on the non-standard ordering of detection options.

Codes S240-S249 report on the non-standard ordering of threshold options.

Initializes the checker given a list of issue codes to emit.

codes

A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module.
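As an added example (not suricata-check's own code), the following Python checks a rule against the detection-option order listed for the OrderChecker: the keyword-to-category table, the block-splitting heuristic (a buffer keyword or a second content starts a new block) and the function names are assumptions of this example.

```python
# Added example, not suricata-check's own code: checks that the detection
# options in each content block of a rule follow the order listed above.
# The keyword-to-category table is an assumption covering common keywords only.
GROUPS = [
    {"http.uri", "http.host", "http.header", "http.method", "dns.query", "tls.sni"},  # 1. Buffer
    {"bsize", "urilen", "dsize"},                                                   # 2. Size
    {"dotprefix", "strip_whitespace", "to_lowercase", "to_md5", "url_decode"},     # 3. Transformation
    {"content"},                                                                    # 4. Content
    {"depth", "offset", "distance", "within", "startswith", "endswith"},            # 5. Pointer movement
    {"fast_pattern"},                                                               # 6. Fast pattern
    {"nocase"},                                                                     # 7. Nocase
    {"pcre", "isdataat", "byte_test", "byte_jump", "byte_extract"},                 # 8. Other payload options
]
RANK = {kw: i for i, grp in enumerate(GROUPS) for kw in grp}  # keyword -> position in order


def split_options(rule: str) -> list[str]:
    """Return the option keywords of a rule in order; ';' inside quotes or escaped does not split."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    keywords, current, in_quotes, escaped = [], "", False, False
    for ch in body:
        if ch == ";" and not in_quotes and not escaped:
            keywords.append(current.split(":", 1)[0].strip())
            current = ""
            continue
        if ch == '"' and not escaped:
            in_quotes = not in_quotes
        escaped = ch == "\\" and not escaped
        current += ch
    if current.strip():  # last option written without a trailing ';'
        keywords.append(current.split(":", 1)[0].strip())
    return [kw for kw in keywords if kw]


def ordering_issues(rule: str) -> list[tuple[int, str, str]]:
    """Return (block, earlier_keyword, misplaced_keyword) for each out-of-order detection option."""
    issues, block, last_kw, last_rank, has_content = [], 0, "", -1, False
    for kw in split_options(rule):
        if kw not in RANK:  # msg, flow, sid, ... are not detection options
            continue
        rank = RANK[kw]
        # The first detection option, a buffer keyword, or a second content starts a new block.
        if block == 0 or rank == 0 or (kw == "content" and has_content):
            block += 1
            last_kw, last_rank, has_content = "", -1, False
        if rank < last_rank:
            issues.append((block, last_kw, kw))
        else:  # keep the highest-ranked option seen so far as the comparison point
            last_kw, last_rank = kw, rank
        has_content = has_content or kw == "content"
    return issues
```

Each reported tuple names the block, the option it should have preceded, and the misplaced keyword, which maps naturally onto the S230-S239 range described above.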

class suricata_check.checkers.styleguide.OverallChecker(include: collections.abc.Iterable[str] | None = None)

Bases: suricata_check.checkers.interface.CheckerInterface

The OverallChecker contains several of the most basic checks for Suricata rules.

Codes S000-S009 report on issues with the direction of the rule.

Codes S010-S019 report on issues pertaining to the usage of non-standard options.

Codes S020-S029 report on issues pertaining to the non-usage of recommended options.

Codes S031-S039 report on issues pertaining to the inappropriate usage of options.

Initializes the checker given a list of issue codes to emit.

codes

A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module.

class suricata_check.checkers.styleguide.PcreChecker(include: collections.abc.Iterable[str] | None = None)

Bases: suricata_check.checkers.interface.CheckerInterface

The PcreChecker contains several checks for Suricata PCRE options.

Codes S600-S610 report on unrecommended usages of pcre.

Initializes the checker given a list of issue codes to emit.

codes

A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module.

class suricata_check.checkers.styleguide.PerformanceChecker(include: collections.abc.Iterable[str] | None = None)

Bases: suricata_check.checkers.interface.CheckerInterface

The PerformanceChecker contains several checks for Suricata performance issues.

Codes S900-S910 report on usage of options that can slow the detection engine.

Initializes the checker given a list of issue codes to emit.

codes

A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module.

class suricata_check.checkers.styleguide.ReferenceChecker(include: collections.abc.Iterable[str] | None = None)

Bases: suricata_check.checkers.interface.CheckerInterface

The ReferenceChecker contains several checks for the Suricata reference option.

Codes S700-S710 report on non-standard usages of reference.

Initializes the checker given a list of issue codes to emit.

codes

A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module.

class suricata_check.checkers.styleguide.SidChecker(include: collections.abc.Iterable[str] | None = None)

Bases: suricata_check.checkers.interface.CheckerInterface

The SidChecker contains several checks based on the Suricata SID allocation.

Specifically, the SidChecker checks for the following:

S300: Allocation to a reserved SID range, whereas no range is reserved for the rule.

S301: Allocation to an unallocated SID range, whereas the local range should be used.

S302: Allocation to the wrong reserved SID range, whereas another reserved range should be used.

S303: Allocation to an unallocated SID range, whereas a reserved range should be used.

Initializes the checker given a list of issue codes to emit.

codes

A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module.

class suricata_check.checkers.styleguide.StateChecker(include: collections.abc.Iterable[str] | None = None)

Bases: suricata_check.checkers.interface.CheckerInterface

The StateChecker contains several checks for Suricata options relating to the connection or detection state.

Codes S500-S510 report on non-standard usages of flow.

Codes S510-S520 report on non-standard usages of flowbits.

Codes S520-S530 report on non-standard usages of xbits.

Initializes the checker given a list of issue codes to emit.

codes

A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module.

class suricata_check.checkers.styleguide.WhitespaceChecker(include: collections.abc.Iterable[str] | None = None)

Bases: suricata_check.checkers.interface.CheckerInterface

The WhitespaceChecker contains several checks based on the Suricata Style Guide relating to rule formatting.

Codes S100-S109 report on unnecessary whitespace that should be removed.

Codes S110-S119 report on missing whitespace that should be added.

Codes S120-S129 report on non-standard escaping of special characters.

Initializes the checker given a list of issue codes to emit.

codes

A Mapping of issue codes emitted by the checker to metadata for those issue types. The metadata is structured in the form of a Mapping from attribute name to attribute value. The one mandatory metadata attribute is severity, which must be one of the levels provided by the logging module.