# Imports

In [11]:
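import sys
import os
import json

# Location of the snort performance evaluator module. It is resolved against
# the kernel's current working directory, so this only works when the kernel
# was started from this notebook's folder (os.getcwd() is the anchor, not the
# notebook file itself).
SNORT_EVALUATOR_DIR = os.path.abspath(
    os.path.join(os.getcwd(), '../../../src/validator/performance/snort')
)

# Insert the path only once: re-running this cell would otherwise keep
# prepending duplicate entries to sys.path on every execution.
if SNORT_EVALUATOR_DIR not in sys.path:
    sys.path.insert(0, SNORT_EVALUATOR_DIR)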

# Snort Sample Performance Validator Script

In [14]:
# Quick evaluation via the module-level helper: one rule string in, one
# scored dict out. The sample rule uses an unanchored greedy PCRE on purpose,
# so the evaluator's backtracking warning is visible in the output below.
from snort_performance_evaluator import evaluate

result = evaluate(
    'alert tcp any any -> any 80 (msg:"Test"; pcre:"/.*admin.*/"; sid:1;)'
)
print(json.dumps(result, indent=2))

{
  "rule": "alert tcp any any -> any 80 (msg:\"Test\"; pcre:\"/.*admin.*/\"; sid:1;)",
  "score": 8,
  "risk_level": "High Performance Risk",
  "reasons": [
    "PCRE regex usage has inherent performance cost",
    "Greedy wildcard pattern (.*/.+) causes excessive backtracking"
  ],
  "suggestions": [
    "Consider replacing PCRE with 'content' + 'within'/'distance' if possible",
    "Use non-greedy quantifiers (.*?/.+?) or limit with {n,m}"
  ]
}


In [15]:
# Class-based evaluation: same rule as above, but through an evaluator
# instance. `evaluator` is kept around because the batch cell below reuses it.
from snort_performance_evaluator import SnortPerformanceEvaluator

evaluator = SnortPerformanceEvaluator()
rule_string = 'alert tcp any any -> any 80 (msg:"Test"; pcre:"/.*admin.*/"; sid:1;)'
result = evaluator.evaluate_rule(rule_string)
# to_json() already serialises the result; the loads()/dumps() round-trip is
# only there to re-indent it for display.
print(json.dumps(json.loads(result.to_json()), indent=2))

{
  "rule": "alert tcp any any -> any 80 (msg:\"Test\"; pcre:\"/.*admin.*/\"; sid:1;)",
  "score": 8,
  "risk_level": "High Performance Risk",
  "reasons": [
    "PCRE regex usage has inherent performance cost",
    "Greedy wildcard pattern (.*/.+) causes excessive backtracking"
  ],
  "suggestions": [
    "Consider replacing PCRE with 'content' + 'within'/'distance' if possible",
    "Use non-greedy quantifiers (.*?/.+?) or limit with {n,m}"
  ]
}


In [17]:
# Batch evaluation with a JSON report. The list mixes the PCRE-heavy rule
# with two cheap content/itype rules so the summary counts show both
# "Efficient" and "High Performance Risk" entries.
list_of_rules = [
    'alert tcp any any -> any 80 (msg:"Test"; pcre:"/.*admin.*/"; sid:1;)',
    'alert tcp any any -> any 443 (msg:"HTTPS Test"; content:"POST"; sid:2;)',
    'alert icmp any any -> any any (msg:"ICMP Test"; itype:8; sid:3;)',
]

# `evaluator` is the instance created in the previous cell.
results = evaluator.evaluate_rules(list_of_rules)
report = evaluator.generate_report(results, 'json')
print(report)

{
  "summary": {
    "total_rules": 3,
    "efficient": 2,
    "needs_optimization": 0,
    "high_risk": 1,
    "average_score": 2.6666666666666665
  },
  "rules": [
    {
      "rule": "alert tcp any any -> any 80 (msg:\"Test\"; pcre:\"/.*admin.*/\"; sid:1;)",
      "score": 8,
      "risk_level": "High Performance Risk",
      "reasons": [
        "PCRE regex usage has inherent performance cost",
        "Greedy wildcard pattern (.*/.+) causes excessive backtracking"
      ],
      "suggestions": [
        "Consider replacing PCRE with 'content' + 'within'/'distance' if possible",
        "Use non-greedy quantifiers (.*?/.+?) or limit with {n,m}"
      ]
    },
    {
      "rule": "alert tcp any any -> any 443 (msg:\"HTTPS Test\"; content:\"POST\"; sid:2;)",
      "score": 0,
      "risk_level": "Efficient",
      "reasons": [],
      "suggestions": []
    },
    {
      "rule": "alert icmp any any -> any any (msg:\"ICMP Test\"; itype:8; sid:3;)",
      "score": 0,
      "risk_level"