sigma-rust
| Crates.io | sigma-rust |
| lib.rs | sigma-rust |
| version | 0.2.1 |
| source | src |
| created_at | 2024-10-31 13:42:41.660068 |
| updated_at | 2024-11-01 10:09:35.789864 |
| description | A library for parsing and evaluating Sigma rules to create custom detection pipelines |
| homepage | |
| repository | https://github.com/jopohl/sigma-rust |
| max_upload_size | |
| id | 1430018 |
| size | 138,237 |
Dr.-Ing. Johannes Pohl (jopohl)
documentation
README
sigma-rust
A Rust library for parsing and evaluating Sigma rules to create custom detection pipelines.
Features
- Supports all sigma modifiers except
expand - Supports the whole Sigma condition syntax using Pratt parsing
- Written in 100% safe Rust
- Daily automated security audit of dependencies
- Extensive test suite
Example
use sigma_rust::{rule_from_yaml, event_from_json};
fn main() {
let rule_yaml = r#"
title: A test rule
logsource:
category: test
detection:
selection_1:
TargetFilename|contains: ':\temp\'
TargetFilename|endswith:
- '.au3'
- '\autoit3.exe'
selection_2:
Image|contains: ':\temp\'
Image|endswith:
- '.au3'
- '\autoit3.exe'
condition: 1 of selection_*
"#;
let rule = rule_from_yaml(rule_yaml).unwrap();
let event = event_from_json(
r#"{"TargetFilename": "C:\\temp\\file.au3", "Image": "C:\\temp\\autoit4.exe"}"#,
)
.unwrap();
assert!(rule.is_match(&event));
}
Check out the examples folder for more examples.
Strong type checking
This library performs strong type checking. That is, if you have a rule like
selection:
- myname: 42
it would not match the event {"myname": "42"}, however, it would match {"myname": 42} (note the difference
between string and integer).
If you need to match against several types you can define a rule such as the following.
selection_1:
field: 42
selection_2:
field: "42"
condition: 1 of them
License
Licensed under either of
- Apache License, Version 2.0, (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.