suricata_check.utils.regex
The suricata_check.utils.regex module contains regular expressions for matching various parts of rules.
Attributes
Functions
| Function | Description |
|---|---|
| get_options_regex | Returns a regular expression that can match any of the provided options. |
| get_rule_body | Returns the body of a rule. |
| get_rule_group_entries | Returns a list of entries in a group. |
| get_variable_groups | Returns a list of variable groups such as $HTTP_SERVERS in a variable. |
| is_valid_rule | Checks if a rule is valid. |
Module Contents
- suricata_check.utils.regex.get_options_regex(options: collections.abc.Iterable[str]) -> suricata_check.utils.regex_provider.Pattern
Returns a regular expression that can match any of the provided options.
- suricata_check.utils.regex.get_rule_body(rule: suricata_check.utils.rule.Rule) -> str
Returns the body of a rule.
- suricata_check.utils.regex.get_rule_group_entries(group: str) -> collections.abc.Sequence[str]
Returns a list of entries in a group.
- suricata_check.utils.regex.get_variable_groups(value: str) -> collections.abc.Sequence[str]
Returns a list of variable groups such as $HTTP_SERVERS in a variable.
- suricata_check.utils.regex.is_valid_rule(rule: suricata_check.utils.rule.Rule) -> bool
Checks if a rule is valid.
- suricata_check.utils.regex.ADDRESS_GROUPS = ('HOME_NET', 'EXTERNAL_NET', 'HTTP_SERVERS', 'SMTP_SERVERS', 'SQL_SERVERS', 'DNS_SERVERS',...
- suricata_check.utils.regex.ALL_DETECTION_KEYWORDS: collections.abc.Sequence[str]
- suricata_check.utils.regex.ALL_KEYWORDS
- suricata_check.utils.regex.ALL_METADATA_KEYWORDS
- suricata_check.utils.regex.ALL_MODIFIER_KEYWORDS: collections.abc.Sequence[str]
- suricata_check.utils.regex.ALL_TRANSFORMATION_KEYWORDS: collections.abc.Sequence[str]
- suricata_check.utils.regex.ALL_VARIABLES = ('HOME_NET', 'EXTERNAL_NET', 'HTTP_SERVERS', 'SMTP_SERVERS', 'SQL_SERVERS', 'DNS_SERVERS',...
- suricata_check.utils.regex.APP_LAYER_KEYWORDS = ('app-layer-event', 'app-layer-protocol')
- suricata_check.utils.regex.BASE64_BUFFER_KEYWORDS = ('base64_data',)
- suricata_check.utils.regex.BASE64_TRANSFORMATION_KEYWORDS = ('base64_decode',)
- suricata_check.utils.regex.BUFFER_KEYWORDS: collections.abc.Sequence[str]
- suricata_check.utils.regex.CLASSTYPES = ('not-suspicious', 'unknown', 'bad-unknown', 'attempted-recon', 'successful-recon-limited',...
- suricata_check.utils.regex.COMPATIBILITY_MODIFIER_KEYWORDS = ('rawbytes',)
- suricata_check.utils.regex.CONTENT_KEYWORDS = ('content', 'pcre')
- suricata_check.utils.regex.DCERPC_SPECIFIC_KEYWORDS = ('dce.iface', 'dce.opnum', 'dce.stub_data', 'dce_iface', 'dce_opnum', 'dce_stub_data')
- suricata_check.utils.regex.DNS_SPECIFIC_KEYWORDS = ('dns.opcode', 'dns.query', 'dns_query')
- suricata_check.utils.regex.FLOW_KEYWORDS = ('flow', 'flow.age', 'flowint')
- suricata_check.utils.regex.FLOW_STREAM_KEYWORDS: collections.abc.Sequence[str]
- suricata_check.utils.regex.FTP_KEYWORDS = ('ftpbounce', 'ftpdata_command')
- suricata_check.utils.regex.HEADER_REGEX
- suricata_check.utils.regex.HTTP_SPECIFIC_KEYWORDS = ('file.data', 'file_data', 'http.accept', 'http.accept_enc', 'http.accept_lang',...
- suricata_check.utils.regex.ICMP_SPECIFIC_KEYWORDS = ('fragbits', 'icode', 'icmp_id', 'icmp_seq', 'itype')
- suricata_check.utils.regex.IP_ADDRESS_REGEX
- suricata_check.utils.regex.IP_SPECIFIC_KEYWORDS = ('ip_proto', 'ttl')
- suricata_check.utils.regex.JA3_JA4_KEYWORDS = ('ja3.hash', 'ja3_hash', 'ja3.string', 'ja3s.hash')
- suricata_check.utils.regex.LRU_CACHE_SIZE = 10
- suricata_check.utils.regex.LUA_KEYWORDS = ('lua', 'luajit')
- suricata_check.utils.regex.MATCH_LOCATION_KEYWORDS = ('endswith', 'startswith')
- suricata_check.utils.regex.METADATA_DATE_KEYWORDS = ('created_at', 'reviewed_at', 'updated_at')
- suricata_check.utils.regex.METADATA_NON_DATE_KEYWORDS = ('affected_product', 'attack_target', 'confidence', 'cve', 'deprecation_reason', 'deployment',...
- suricata_check.utils.regex.MODIFIER_KEYWORDS = ('nocase',)
- suricata_check.utils.regex.NON_FUNCTIONAL_KEYWORDS = ('classtype', 'gid', 'metadata', 'msg', 'priority', 'reference', 'rev', 'sid', 'target')
- suricata_check.utils.regex.OTHER_BUFFERS = ('http.location', 'http.request_header', 'http.response_header', 'http.server', 'ja3s.hash',...
- suricata_check.utils.regex.OTHER_KEYWORDS = ('noalert', 'tag')
- suricata_check.utils.regex.OTHER_PAYLOAD_KEYWORDS = ('byte_extract', 'byte_jump', 'byte_test', 'isdataat')
- suricata_check.utils.regex.PERFORMANCE_DETECTION_OPTIONS = ('fast_pattern',)
- suricata_check.utils.regex.POINTER_MOVEMENT_KEYWORDS = ('depth', 'distance', 'offset', 'pkt_data', 'within')
- suricata_check.utils.regex.PORT_GROUPS = ('HTTP_PORTS', 'SHELLCODE_PORTS', 'ORACLE_PORTS', 'SSH_PORTS', 'DNP3_PORTS', 'MODBUS_PORTS',...
- suricata_check.utils.regex.PROTOCOL_SPECIFIC_KEYWORDS
- suricata_check.utils.regex.SIZE_KEYWORDS = ('bsize', 'dsize')
- suricata_check.utils.regex.SSH_SPECIFIC_KEYWORDS = ('ssh_proto',)
- suricata_check.utils.regex.STATEFUL_KEYWORDS = ('flowbits', 'flowint', 'xbits')
- suricata_check.utils.regex.STICKY_BUFFER_NAMING
- suricata_check.utils.regex.STREAM_KEYWORDS = ('stream_size',)
- suricata_check.utils.regex.TCP_SPECIFIC_KEYWORDS = ('ack', 'flags', 'seq', 'tcp.flags', 'tcp.hdr')
- suricata_check.utils.regex.THRESHOLD_KEYWORDS = ('detection_filter', 'threshold')
- suricata_check.utils.regex.TLS_SPECIFIC_KEYWORDS = ('ssl_version', 'ssl_state', 'tls.cert_fingerprint', 'tls.cert_issuer', 'tls.cert_serial',...
- suricata_check.utils.regex.TRANSFORMATION_KEYWORDS = ('compress_whitespace', 'dotprefix', 'header_lowercase', 'pcrexform', 'strip_pseudo_headers',...
- suricata_check.utils.regex.UDP_SPECIFIC_KEYWORDS = ('udp.hdr',)