jopohl/sigma-rust

sigma-rust


A Rust library for parsing and evaluating Sigma rules to create custom detection pipelines.

Features

  • Supports all[1] Sigma modifiers, including the unofficial fieldref modifier
  • Supports the whole Sigma condition syntax using Pratt parsing
  • Written in 100% safe Rust
  • Daily automated security audit of dependencies
  • Extensive test suite

Example

use sigma_rust::{rule_from_yaml, event_from_json};

fn main() {
    // Two selections over different fields, joined by "1 of selection_*":
    // the rule fires if either selection matches the event.
    let rule_yaml = r#"
    title: A test rule
    logsource:
        category: test
    detection:
        selection_1:
            Event.ID: 42
            TargetFilename|contains: ':\temp\'
            TargetFilename|endswith:
                - '.au3'
                - '\autoit3.exe'
        selection_2:
            Image|contains: ':\temp\'
            Image|endswith:
                - '.au3'
                - '\autoit3.exe'
        condition: 1 of selection_*
    "#;

    let rule = rule_from_yaml(rule_yaml).unwrap();

    // The nested "Event": {"ID": 42} object is addressed as Event.ID in the rule.
    let event = event_from_json(
        r#"{"TargetFilename": "C:\\temp\\file.au3", "Image": "C:\\temp\\autoit4.exe", "Event": {"ID": 42}}"#,
    )
    .unwrap();

    // selection_1 matches (Event.ID is 42 and TargetFilename ends with .au3).
    assert!(rule.is_match(&event));
}

Matching nested fields

You can access nested fields by using a dot . as a separator. For example, if you have an event like

{
  "Event": {
    "ID": 42
  }
}

you can access the ID field by using Event.ID in the Sigma rule. Note that a key which itself contains a dot takes precedence over a nested field of the same path. For example, if you have an event like

{
  "Event.ID": 42,
  "Event": {
    "ID": 43
  }
}

the engine will evaluate Event.ID to 42.

Strong type checking

This library performs strong type checking. That is, if you have a rule like

selection:
  - myname: 42

it would not match the event {"myname": "42"}, but it would match {"myname": 42} (note the difference between string and integer). If you need to match against several types, you can define a rule such as the following.

selection_1:
  field: 42
selection_2:
  field: "42"
condition: 1 of them

License

Licensed under either of

  • Apache License, Version 2.0 (LICENSE-APACHE)
  • MIT license (LICENSE-MIT)

at your option.

Contribution

Contributions are welcome! Please open an issue or create a pull request.

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Footnotes

  1. Except the expand modifier.
