Feature #7221
Sanity checking on IP network prefix base addresses
Status: open
Description
Suricata rule syntax checking should perform sanity checking on IP network prefixes. The validation would ensure that the address portion of a network prefix matches the expected base address for the given prefix length - for example, ensuring that a /24 prefix has a base address ending in .0, or that a /28 prefix has a base address ending in .0, .16, .32, etc. The validation also needs to be applied to Suricata variables that reference IPv4/v6 network prefixes. This validation would prevent user mistakes that can lead to permitting or denying larger IP address ranges than the rule author intended.
Example 1: a user can today define HOME_NET = 10.3.4.5/16
Security best practice would suggest that the user should use HOME_NET = 10.3.0.0/16
Example 2: a copy and paste error could result in a user defining the following rule:
pass tcp 10.56.3.224/2 any -> 20.21.22.23 443 (msg:"Allow access to webserver"; sid: 1453;)
When the user intended to only allow 10.56.3.224/27
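As an added example (not Suricata code and not part of the feature request), the check described above written as a stand-alone Python lint: it finds every address/prefix-length token in a rule header or in the value of an address-group variable, and reports each one whose host bits are set together with the base address the prefix length actually masks to. The function names, the regular expression and the sample address groups are assumptions of this example; only the two addresses from the report are taken from the page.

```python
"""Lint Suricata address specifications for CIDR prefixes whose host bits are set.

Added example, not Suricata's own code. It tokenises the address groups in a
rule header or in a vars.address-groups value and flags every IPv4/IPv6 prefix
that is not written as its own network base address, e.g. 10.3.4.5/16, which
Suricata would treat as 10.3.0.0/16.
"""
import ipaddress
import re

# One address/prefix-length token. The lookarounds stop the match at the
# Suricata group syntax around it: '!' negation, '[' ']' brackets and commas.
CIDR_RE = re.compile(r'(?<![\w.:])([0-9A-Fa-f:.]+)/(\d{1,3})(?![\w.])')


def check_cidr(token):
    """Classify one address/len token.

    Returns (status, canonical): status is 'ok' when the address is already the
    base address of the prefix, 'host-bits' when host bits are set (canonical
    is then the network the prefix length really denotes), or 'invalid' when
    the token cannot be parsed at all (canonical is None).
    """
    try:
        ipaddress.ip_network(token, strict=True)   # strict: host bits must be 0
        return 'ok', token
    except ValueError:
        pass
    try:
        net = ipaddress.ip_network(token, strict=False)  # masks the host bits away
    except ValueError:
        return 'invalid', None   # e.g. prefix length out of range for the family
    return 'host-bits', str(net)


def lint_address_spec(text):
    """Return [(token, status, canonical), ...] for every non-'ok' prefix in text.

    Works for a bare prefix, a bracketed group such as
    '[192.168.0.0/16,!10.1.2.3/24]', or a variable value from suricata.yaml.
    """
    findings = []
    for match in CIDR_RE.finditer(text):
        token = match.group(0)
        status, canonical = check_cidr(token)
        if status != 'ok':
            findings.append((token, status, canonical))
    return findings


def lint_rule(rule):
    """Lint one rule line. Only the header (before the first '(') holds addresses,
    so the options part is dropped to avoid matching text inside msg strings."""
    header = rule.split('(', 1)[0]
    return lint_address_spec(header)


def lint_address_groups(groups):
    """Lint a mapping of variable name -> value (like vars.address-groups).

    Returns {name: findings} for the variables that have at least one finding.
    Values that only reference other variables (e.g. '!$HOME_NET') contain no
    prefix token and produce nothing.
    """
    result = {}
    for name, value in groups.items():
        findings = lint_address_spec(value)
        if findings:
            result[name] = findings
    return result


if __name__ == '__main__':
    # Constructed sample input; the two addresses come from the report above.
    groups = {
        'HOME_NET': '[10.3.4.5/16,!10.3.9.0/24,2001:db8::1/64]',
        'EXTERNAL_NET': '!$HOME_NET',
    }
    rule = ('pass tcp 10.56.3.224/2 any -> 20.21.22.23 443 '
            '(msg:"Allow access to webserver"; sid:1453;)')
    for name, findings in lint_address_groups(groups).items():
        for token, status, canonical in findings:
            print(f'{name}: {token} {status}, Suricata would use {canonical}')
    for token, status, canonical in lint_rule(rule):
        print(f'rule: {token} {status}, Suricata would use {canonical}')
```

Running the script prints one line per offending prefix, so both cases from the report are caught: HOME_NET's 10.3.4.5/16 is reported with the base 10.3.0.0/16, and the rule's 10.56.3.224/2 is reported with the base 0.0.0.0/2, which makes the pasted-away "7" obvious. A prefix length that is out of range for its address family is reported as invalid rather than silently masked.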