| Crates.io | sigma-rust |
| lib.rs | sigma-rust |
| version | 0.6.0 |
| created_at | 2024-10-31 13:42:41.660068+00 |
| updated_at | 2025-05-08 18:44:28.856286+00 |
| description | A library for parsing and evaluating Sigma rules to create custom detection pipelines |
| homepage | |
| repository | https://github.com/jopohl/sigma-rust |
| max_upload_size | |
| id | 1430018 |
| size | 190,862 |
A Rust library for parsing and evaluating Sigma rules to create custom detection pipelines.
```rust
use sigma_rust::{rule_from_yaml, event_from_json};

fn main() {
    // A rule with two selections; `1 of selection_*` means either may match.
    let rule_yaml = r#"
title: A test rule
logsource:
    category: test
detection:
    selection_1:
        Event.ID: 42
        TargetFilename|contains: ':\temp\'
        TargetFilename|endswith:
            - '.au3'
            - '\autoit3.exe'
    selection_2:
        Image|contains: ':\temp\'
        Image|endswith:
            - '.au3'
            - '\autoit3.exe'
    condition: 1 of selection_*
    "#;
    let rule = rule_from_yaml(rule_yaml).unwrap();
    // selection_1 matches this event (nested Event.ID is 42, TargetFilename
    // contains ':\temp\' and ends with '.au3'); selection_2 does not, because
    // Image ends with 'autoit4.exe'.
    let event = event_from_json(
        r#"{"TargetFilename": "C:\\temp\\file.au3", "Image": "C:\\temp\\autoit4.exe", "Event": {"ID": 42}}"#,
    )
    .unwrap();
    assert!(rule.is_match(&event));
}
```
You can access nested fields by using a dot `.` as a separator. For example, if you have an event like

```json
{
    "Event": {
        "ID": 42
    }
}
```

you can access the ID field by using `Event.ID` in the Sigma rule. Note that a key which itself contains a dot takes precedence over nested fields. For example, if you have an event like

```json
{
    "Event.ID": 42,
    "Event": {
        "ID": 43
    }
}
```

the engine will evaluate `Event.ID` to 42.
This library performs strict type checking. That is, if you have a rule like

```yaml
selection:
    - myname: 42
```

it would not match the event `{"myname": "42"}`, but it would match `{"myname": 42}` (note the difference between the string and the integer).

If you need to match against several types, you can define a rule such as the following.

```yaml
selection_1:
    field: 42
selection_2:
    field: "42"
condition: 1 of them
```
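The two rules above (a dotted key wins over nested traversal, and values are compared together with their type) are easy to get wrong when you build a custom pipeline, so here is an added, self-contained Rust illustration of exactly those semantics. It is not sigma-rust's own code and does not use the crate's API: the `Value` enum and the `lookup`, `field_eq`, `selection_matches` and `one_of_them` helpers are hypothetical stand-ins written for this page, and the events are constructed from the examples above.

```rust
use std::collections::BTreeMap;

/// Minimal JSON-like value. sigma-rust's own Event type is not used here;
/// this enum exists only so the example runs without any dependency.
#[derive(Debug, Clone, PartialEq)]
pub enum Value {
    Int(i64),
    Str(String),
    Obj(BTreeMap<String, Value>),
}

impl Value {
    pub fn int(i: i64) -> Value {
        Value::Int(i)
    }
    pub fn text(s: &str) -> Value {
        Value::Str(s.to_string())
    }
    pub fn obj(pairs: &[(&str, Value)]) -> Value {
        Value::Obj(pairs.iter().map(|(k, v)| (k.to_string(), v.clone())).collect())
    }
}

/// Resolve a Sigma field name against an event. At each level the literal
/// remaining path is tried first (so a key that itself contains a dot wins),
/// and only then is the path split at its first dot to descend one level.
pub fn lookup<'a>(event: &'a Value, path: &str) -> Option<&'a Value> {
    let map = match event {
        Value::Obj(m) => m,
        _ => return None,
    };
    if let Some(v) = map.get(path) {
        return Some(v);
    }
    let (head, rest) = path.split_once('.')?;
    lookup(map.get(head)?, rest)
}

/// Strict comparison: `Value` derives `PartialEq`, so `Int(42)` never equals
/// `Str("42")`. This mirrors the type checking described above.
pub fn field_eq(event: &Value, path: &str, expected: &Value) -> bool {
    lookup(event, path) == Some(expected)
}

/// One selection is a list of field -> expected value pairs; all must hold.
pub fn selection_matches(event: &Value, selection: &[(&str, Value)]) -> bool {
    selection.iter().all(|(path, want)| field_eq(event, path, want))
}

/// `condition: 1 of them` over several selections.
pub fn one_of_them(event: &Value, selections: &[Vec<(&str, Value)>]) -> bool {
    selections.iter().any(|sel| selection_matches(event, sel))
}

/// The rule from the type-checking section: selection_1 wants the integer 42,
/// selection_2 wants the string "42", joined by `1 of them`.
pub fn int_or_string_rule() -> Vec<Vec<(&'static str, Value)>> {
    vec![
        vec![("field", Value::int(42))],
        vec![("field", Value::text("42"))],
    ]
}

fn main() {
    // Constructed event from the nested-field section: the literal "Event.ID"
    // key and the nested Event -> ID disagree on purpose.
    let conflicting = Value::obj(&[
        ("Event.ID", Value::int(42)),
        ("Event", Value::obj(&[("ID", Value::int(43))])),
    ]);
    assert_eq!(lookup(&conflicting, "Event.ID"), Some(&Value::Int(42)));

    // Without the dotted key, the same path descends into the nested object.
    let nested = Value::obj(&[("Event", Value::obj(&[("ID", Value::int(42))]))]);
    assert_eq!(lookup(&nested, "Event.ID"), Some(&Value::Int(42)));

    // Strict typing: a rule asking for the integer 42 does not match "42".
    let as_int = Value::obj(&[("myname", Value::int(42))]);
    let as_str = Value::obj(&[("myname", Value::text("42"))]);
    assert!(field_eq(&as_int, "myname", &Value::int(42)));
    assert!(!field_eq(&as_str, "myname", &Value::int(42)));

    // Covering both types needs two selections joined by `1 of them`.
    let rule = int_or_string_rule();
    let as_int = Value::obj(&[("field", Value::int(42))]);
    let as_str = Value::obj(&[("field", Value::text("42"))]);
    assert!(one_of_them(&as_int, &rule));
    assert!(one_of_them(&as_str, &rule));
    assert!(!one_of_them(&Value::obj(&[("field", Value::int(43))]), &rule));
    println!("all checks passed");
}
```

The practical consequence for pipeline authors: normalise field types at ingestion (for example, decide whether `Event.ID` is emitted as a number or a string by your log shipper) rather than duplicating every selection, and be aware that a source that emits flattened keys such as `"Event.ID"` will shadow a nested object of the same name.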
Licensed under either of
at your option.
Contributions are welcome! Please open an issue or create a pull request.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.