# Suricata Check

`suricata-check` is a command line utility that provides feedback on Suricata rules.
The tool can detect various issues, including those concerning syntax validity, interpretability, rule specificity, rule coverage, and efficiency.
## Features

`suricata-check` offers the following features:
- Static analysis without a Suricata installation, on any operating system
- Detection of issues pertaining to:
  - Missing mandatory options
  - Deviations from Suricata Style Guide best practices
  - Missing/non-standard metadata fields, performance issues and more
  - Lack of rule coverage and specificity
- Easily extendable with custom checkers
For a complete overview, check out the documentation.
## Configuration

You can pass arguments to the `suricata-check` CLI using the `suricata-check.args` configuration option in VS Code.
For example, adding `"suricata-check.args": ["--issue-severity=WARNING"]` will only show issues with severity WARNING or greater.
It is also possible to enable or disable individual codes or groups of codes using the `--include` and `--exclude` options, which also accept regular expressions.
For example, the following configuration includes all issues concerning mandatory Suricata options and all issues based on the Suricata Style Guide, except S800, which prescribes `attack_target` as a mandatory metadata option:

```json
"suricata-check.args": [
  "--include=M.*",
  "--include=S.*",
  "--exclude=S800"
]
```
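To make the interplay of `--include`, `--exclude` and `--issue-severity` concrete, here is an added illustration (not code from the suricata-check project) that models the selection in plain Python: a code is kept when it matches at least one include pattern (or no include patterns were given) and no exclude pattern, and its severity is at or above the threshold. The anchoring of patterns with `fullmatch`, the severity ordering INFO < WARNING < ERROR, and the sample issue codes other than S800 are assumptions made for this example, not documented behaviour of the tool.

```python
import re
from dataclasses import dataclass

# Assumed severity ordering, lowest to highest; not taken from the tool.
SEVERITY_ORDER = {"INFO": 0, "WARNING": 1, "ERROR": 2}


@dataclass(frozen=True)
class Issue:
    code: str       # issue code such as "M000" or "S800"
    severity: str   # one of the SEVERITY_ORDER keys
    message: str


def code_selected(code, include=(), exclude=()):
    """Return True when `code` passes the include/exclude patterns.

    Assumption: patterns are regular expressions matched against the whole
    code, so "S.*" selects every code that starts with S.
    """
    if include and not any(re.fullmatch(p, code) for p in include):
        return False
    return not any(re.fullmatch(p, code) for p in exclude)


def filter_issues(issues, include=(), exclude=(), min_severity="INFO"):
    """Keep issues whose code is selected and whose severity meets the threshold."""
    threshold = SEVERITY_ORDER[min_severity]
    return [
        issue
        for issue in issues
        if code_selected(issue.code, include, exclude)
        and SEVERITY_ORDER[issue.severity] >= threshold
    ]


# Constructed sample report; only S800 is a code named on this page.
SAMPLE_ISSUES = [
    Issue("M000", "ERROR", "constructed: missing mandatory option"),
    Issue("S000", "INFO", "constructed: style guide deviation"),
    Issue("S800", "WARNING", "constructed: attack_target metadata missing"),
    Issue("P000", "WARNING", "constructed: performance concern"),
]


def selected_codes(issues, **kwargs):
    """Convenience wrapper returning just the codes that survive filtering."""
    return [issue.code for issue in filter_issues(issues, **kwargs)]


if __name__ == "__main__":
    # Mirrors the README configuration: M.* and S.* minus S800.
    print(selected_codes(SAMPLE_ISSUES, include=["M.*", "S.*"], exclude=["S800"]))
    # Mirrors --issue-severity=WARNING with no include/exclude patterns.
    print(selected_codes(SAMPLE_ISSUES, min_severity="WARNING"))
```

Running the block prints `['M000', 'S000']` for the README's include/exclude configuration (the P-code issue is never included, S800 is excluded) and `['M000', 'S800', 'P000']` for a WARNING threshold alone.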
For optimal performance, we suggest setting `suricata-check.importStrategy` to `fromEnvironment` and installing `suricata-check` together with `regex` into your environment using `pip install -U suricata-check[performance]`.
## Alternative distributions

Suricata Check is also available as a standalone command line tool, which also offers integration with CI/CD pipelines.
When installed as a PyPI Python package, you can also make use of the API exposed by the module.
## Notes

This repository only hosts the VS Code extension. You can find the main repository here.
You can find the release version of this extension on the Visual Studio Marketplace.