suricata_check.utils.checker
The suricata_check.utils.checker module contains several utilities for developing rule checkers.
Functions
|
Checks whether rule options are placed before one or more other options. |
|
Checks whether a rule has certain options set to match a certain regex. |
|
Checks whether rule options are placed before one or more other options. |
|
Checks whether all rule options and metadata options are recognized. |
|
Counts how often an option is set in a rule. |
|
Returns a list of variable groups such as $HTTP_SERVERS in a rule. |
Returns a sequence of sequences of detection options in a rule. |
|
|
Retrieves one option of a rule with a certain name. |
|
Finds the position of an option in the rule body. |
|
Finds the positions of an option in the rule body. |
|
Retrieves all options of a rule with a certain name. |
|
Finds the positions of several options in the rule body. |
|
Returns a list of tuples containing the name of a sticky buffer, and the modifier alternative. |
|
Returns a suboption within an option is set. |
|
Returns a list of suboptions set in a rule. |
|
Checks whether a rule has a certain option set to match a certain regex. |
|
Checks whether a rule option is placed before one or more other options. |
|
Checks whether a rule has a certain option set to a certain value. |
|
Checks whether a rule has a certain option set to match a certain regex. |
|
Checks if a rule option is positioned at the beginning of the body. |
|
Checks if a rule option is positioned at the end of the body. |
|
Checks whether a rule has a certain option set to a one of certain values. |
|
Checks whether a rule option is placed before one or more other options. |
|
Checks whether a rule has a certain option set. |
|
Checks whether a rule has a certain option set to match a certain regex. |
|
Checks whether a rule has a certain suboption set to a certain value. |
|
Checks whether a rule has a certain option set to match a certain regex. |
|
Checks if a suboption within an option is set. |
Selects rule options present in rule matching a regular expression. |
Module Contents
- suricata_check.utils.checker.are_rule_options_always_put_before(rule: idstools.rule.Rule, names: collections.abc.Iterable[str], other_names: collections.abc.Sequence[str], sequence: collections.abc.Iterable[str] | None = None) bool | None[source]
Checks whether rule options are placed before one or more other options.
- suricata_check.utils.checker.are_rule_options_equal_to_regex(rule: idstools.rule.Rule, names: collections.abc.Iterable[str], regex) bool[source]
Checks whether a rule has certain options set to match a certain regex.
If multiple options are set, it will return True if atleast one option matches the regex.
- Args:
rule (idstools.rule.Rule): rule to be inspected names (Iterable[str]): names of the options regex (Union[re.Pattern, regex.Pattern]): regex to check for
- Returns:
bool: True iff the rule has atleast one option matching the regex
- suricata_check.utils.checker.are_rule_options_put_before(rule: idstools.rule.Rule, names: collections.abc.Sequence[str] | set[str], other_names: collections.abc.Sequence[str] | set[str], sequence: collections.abc.Iterable[str] | None = None) bool | None[source]
Checks whether rule options are placed before one or more other options.
- suricata_check.utils.checker.check_rule_option_recognition(rule: idstools.rule.Rule) None[source]
Checks whether all rule options and metadata options are recognized.
Unrecognized options will be logged as a warning in suricata-check.log
- suricata_check.utils.checker.count_rule_options(rule: idstools.rule.Rule, name: str | collections.abc.Iterable[str]) int[source]
Counts how often an option is set in a rule.
- Args:
rule (idstools.rule.Rule): rule to be inspected name (Union[str, Iterable[str]]): name or names of the option
- Returns:
int: The number of times an option is set
- suricata_check.utils.checker.get_all_variable_groups(rule: idstools.rule.Rule) list[str][source]
Returns a list of variable groups such as $HTTP_SERVERS in a rule.
- suricata_check.utils.checker.get_rule_keyword_sequences(rule: idstools.rule.Rule, seperator_keywords: collections.abc.Iterable[str] = BUFFER_KEYWORDS, included_keywords: collections.abc.Iterable[str] = ALL_DETECTION_KEYWORDS) collections.abc.Sequence[tuple[str, Ellipsis]][source]
Returns a sequence of sequences of detection options in a rule.
- suricata_check.utils.checker.get_rule_option(rule: idstools.rule.Rule, name: str) str | None[source]
Retrieves one option of a rule with a certain name.
If an option is set multiple times, it returns only one indeterminately.
- Args:
rule (idstools.rule.Rule): rule to be inspected name (str): name of the option
- Returns:
Optional[str]: The value of the option or None if it was not set.
- suricata_check.utils.checker.get_rule_option_position(rule: idstools.rule.Rule, name: str) int | None[source]
Finds the position of an option in the rule body.
Return None if the option is not set or set multiple times.
- suricata_check.utils.checker.get_rule_option_positions(rule: idstools.rule.Rule, name: str, sequence: tuple[str, Ellipsis] | None = None) collections.abc.Sequence[int][source]
Finds the positions of an option in the rule body.
Optionally takes a sequence of options to use instead of rule[‘options’].
- suricata_check.utils.checker.get_rule_options(rule: idstools.rule.Rule, name: str | collections.abc.Iterable[str]) collections.abc.Sequence[str | None][source]
Retrieves all options of a rule with a certain name.
- Args:
rule (idstools.rule.Rule): rule to be inspected name (Union[str, Iterable[str]]): name or names of the option
- Returns:
Sequence[str]: The values of the option.
- suricata_check.utils.checker.get_rule_options_positions(rule: idstools.rule.Rule, names: collections.abc.Iterable[str], sequence: collections.abc.Iterable[str] | None = None) collections.abc.Iterable[int][source]
Finds the positions of several options in the rule body.
- suricata_check.utils.checker.get_rule_sticky_buffer_naming(rule: idstools.rule.Rule) list[tuple[str, str]][source]
Returns a list of tuples containing the name of a sticky buffer, and the modifier alternative.
- suricata_check.utils.checker.get_rule_suboption(rule: idstools.rule.Rule, name: str, sub_name: str) str | None[source]
Returns a suboption within an option is set.
- suricata_check.utils.checker.get_rule_suboptions(rule: idstools.rule.Rule, name: str, warn: bool = True) collections.abc.Sequence[tuple[str, str | None]][source]
Returns a list of suboptions set in a rule.
- suricata_check.utils.checker.is_rule_option_always_equal_to_regex(rule: idstools.rule.Rule, name: str, regex) bool | None[source]
Checks whether a rule has a certain option set to match a certain regex.
If the option is set multiple times, it will return True if all options match the regex. Returns none if the rule option is not set.
- Args:
rule (idstools.rule.Rule): rule to be inspected name (str): name of the option regex (Union[re.Pattern, regex.Pattern]): regex to check for
- Returns:
bool: True iff the rule has all options matching the regex
- suricata_check.utils.checker.is_rule_option_always_put_before(rule: idstools.rule.Rule, name: str, other_names: collections.abc.Sequence[str] | set[str], sequence: collections.abc.Iterable[str] | None = None) bool | None[source]
Checks whether a rule option is placed before one or more other options.
- suricata_check.utils.checker.is_rule_option_equal_to(rule: idstools.rule.Rule, name: str, value: str) bool[source]
Checks whether a rule has a certain option set to a certain value.
If the option is set multiple times, it will return True if atleast one option matches the value.
- Args:
rule (idstools.rule.Rule): rule to be inspected name (str): name of the option value (str): value to check for
- Returns:
bool: True iff the rule has the option set to the value atleast once
- suricata_check.utils.checker.is_rule_option_equal_to_regex(rule: idstools.rule.Rule, name: str, regex) bool[source]
Checks whether a rule has a certain option set to match a certain regex.
If the option is set multiple times, it will return True if atleast one option matches the regex.
- Args:
rule (idstools.rule.Rule): rule to be inspected name (str): name of the option regex (Union[re.Pattern, regex.Pattern]): regex to check for
- Returns:
bool: True iff the rule has atleast one option matching the regex
- suricata_check.utils.checker.is_rule_option_first(rule: idstools.rule.Rule, name: str) int | None[source]
Checks if a rule option is positioned at the beginning of the body.
- suricata_check.utils.checker.is_rule_option_last(rule: idstools.rule.Rule, name: str) bool | None[source]
Checks if a rule option is positioned at the end of the body.
- suricata_check.utils.checker.is_rule_option_one_of(rule: idstools.rule.Rule, name: str, possible_values: collections.abc.Sequence[str] | set[str]) bool[source]
Checks whether a rule has a certain option set to a one of certain values.
If the option is set multiple times, it will return True if atleast one option matches a value.
- Args:
rule (idstools.rule.Rule): rule to be inspected name (str): name of the option possible_values (Iterable[str]): values to check for
- Returns:
bool: True iff the rule has the option set to one of the values atleast once
- suricata_check.utils.checker.is_rule_option_put_before(rule: idstools.rule.Rule, name: str, other_names: collections.abc.Sequence[str] | set[str], sequence: collections.abc.Iterable[str] | None = None) bool | None[source]
Checks whether a rule option is placed before one or more other options.
- suricata_check.utils.checker.is_rule_option_set(rule: idstools.rule.Rule, name: str) bool[source]
Checks whether a rule has a certain option set.
- Args:
rule (idstools.rule.Rule): rule to be inspected name (str): name of the option
- Returns:
bool: True iff the option is set atleast once
- suricata_check.utils.checker.is_rule_suboption_always_equal_to_regex(rule: idstools.rule.Rule, name: str, sub_name: str, regex) bool | None[source]
Checks whether a rule has a certain option set to match a certain regex.
If the option is set multiple times, it will return True if all options match the regex. Returns none if the rule option is not set.
- Args:
rule (idstools.rule.Rule): rule to be inspected name (str): name of the option sub_name (str): name of the suboption regex (Union[re.Pattern, regex.Pattern]): regex to check for
- Returns:
bool: True iff the rule has all options matching the regex
- suricata_check.utils.checker.is_rule_suboption_equal_to(rule: idstools.rule.Rule, name: str, sub_name: str, value: str) bool[source]
Checks whether a rule has a certain suboption set to a certain value.
If the suboption is set multiple times, it will return True if atleast one option matches the value.
- Args:
rule (idstools.rule.Rule): rule to be inspected name (str): name of the option sub_name (str): name of the suboption value (str): value to check for
- Returns:
bool: True iff the rule has the option set to the value atleast once
- suricata_check.utils.checker.is_rule_suboption_equal_to_regex(rule: idstools.rule.Rule, name: str, sub_name: str, regex) bool[source]
Checks whether a rule has a certain option set to match a certain regex.
If the option is set multiple times, it will return True if atleast one option matches the regex.
- Args:
rule (idstools.rule.Rule): rule to be inspected name (str): name of the option sub_name (str): name of the suboption regex (Union[re.Pattern, regex.Pattern]): regex to check for
- Returns:
bool: True iff the rule has atleast one option matching the regex
- suricata_check.utils.checker.is_rule_suboption_set(rule: idstools.rule.Rule, name: str, sub_name: str) bool[source]
Checks if a suboption within an option is set.
- suricata_check.utils.checker.select_rule_options_by_regex(rule: idstools.rule.Rule, regex) collections.abc.Iterable[str][source]
Selects rule options present in rule matching a regular expression.