suricata-check is a command line utility that performs static analysis on Suricata rules and reports issues with syntax validity, interpretability, rule specificity, rule coverage, and efficiency.
This tool is primarily used by security analysts and SecOps teams to validate and optimize Suricata IDS/IPS rules before deployment. It helps ensure rule quality and effectiveness by providing detailed feedback without requiring Suricata installation, facilitating rule development and automation in CI/CD pipelines.
suricata-check is a pure Python package, so installation is straightforward across platforms. It runs without a Suricata installation, which allows static analysis in isolated environments. Integrating the tool into CI/CD pipelines can noticeably improve rule quality and deployment confidence. Users should ensure rules are correctly formatted and consider enabling all checker codes for a comprehensive analysis.
Ensure Python and pip are installed on your system.
Run the command: pip install suricata-check[performance]
Verify the installation by running suricata-check from the command line.
suricata-check
Runs the tool against all .rules files in the current directory and outputs the detected issues.
suricata_check.py -r <path_to_rules_file>
Specify a custom Suricata rules file to check.
suricata_check.py -s '<single_rule>'
Check a single Suricata rule provided as a string.
suricata_check.py -o <output_folder>
Specify the output folder for the results.
suricata_check.py --log-level DEBUG
Set the verbosity level of logging to DEBUG.
suricata_check.py --github
Generate workflow commands for GitHub CI/CD integration.
suricata_check.py --gitlab
Generate CodeClimate output report for GitLab CI/CD.
suricata_check.py --evaluate-disabled
Include disabled rules in the evaluation.