sigmars

Crate: sigmars
Version: 0.2.0
Source: src
Created: 2024-11-07 16:58:06.697223
Updated: 2025-01-07 17:39:27.815398
Description: A library for sigmahq rule collections
Repository: https://github.com/crowdalert/sigmars
Size: 98,723
Author: John Sonnenschein (sonnens)

README

Sigmars

Sigmars is a Rust library for working with Sigma rules, which are used for describing log events in a generic format. This library provides functionality for parsing, evaluating, and managing Sigma rules.

Features

  • Manage collections of Sigma rules (similar to pySigma)
  • supports all Sigma 2.0 condition modifiers including fieldref
  • supports the full Sigma condition syntax (as a pest Pratt grammar)
  • supports correlation rules ()

Usage

As a collection of simple detections:

use std::error::Error;
use serde_json::json;
use sigmars::{Event, SigmaCollection};

fn main() -> Result<(), Box<dyn Error>> {
    // Load every rule file found under the directory into one collection.
    let rules: SigmaCollection = SigmaCollection::new_from_dir("/path/to/sigma/rules/");
    // A log event as JSON; field names are whatever the rules' logsource expects.
    let event = json!({"foo": "bar"});
    // Evaluate the event against every detection rule and collect the rules that matched.
    let matches = rules.get_detection_matches(&event.into());
    ...
}

Or with correlation rules (requires tokio), using the in-memory backend:

use std::error::Error;
use serde_json::json;
use sigmars::{Event, MemBackend, SigmaCollection};

#[tokio::main]
async fn main() -> Result<(), Box<dyn Error>> {
    // Load every rule file found under the directory into one collection.
    let rules: SigmaCollection = SigmaCollection::new_from_dir("/path/to/sigma/rules/");

    // Correlation rules need state across events; MemBackend keeps it in process memory.
    let mut backend = MemBackend::new().await;
    rules.init(&mut backend);

    // A log event as JSON; field names are whatever the rules' logsource expects.
    let event = json!({"foo": "bar"});
    // Evaluate detections and correlations together; matches includes both kinds.
    let matches = rules.get_matches(&event.into()).await?;
    ...
}
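A constructed rule pair, added here as an example and not taken from the sigmars repository, showing what a directory passed to new_from_dir can contain: a detection rule using the Sigma 2.0 fieldref modifier, and an event_count correlation rule that references it by name. The field names and thresholds are assumptions, the ids are placeholders, and whether sigmars accepts both rules in one multi-document file (as shown) or needs one file per rule is not stated on the page.

```yaml
# Detection rule (constructed example): a process whose image path is
# identical to its parent's, expressed with the fieldref modifier.
title: Process Spawned Copy Of Itself
id: 00000000-0000-0000-0000-000000000001   # placeholder id, not a published rule
name: self_spawn                            # the name a correlation rule refers to
status: experimental
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|fieldref: ParentImage             # compare two fields of the same event
  filter_system:
    Image|endswith:                         # benign hosts that routinely re-spawn
      - '\svchost.exe'
      - '\conhost.exe'
  condition: selection and not filter_system
level: medium
---
# Correlation rule (constructed example): raise the level only when
# self_spawn fires at least 5 times on the same host within 10 minutes.
title: Repeated Self-Spawning Processes On One Host
id: 00000000-0000-0000-0000-000000000002   # placeholder id
status: experimental
correlation:
  type: event_count
  rules:
    - self_spawn                            # referenced by the name: attribute above
  group-by:
    - ComputerName
  timespan: 10m
  condition:
    gte: 5
level: high
```

With the second usage snippet, the detection rule matches on each event alone, while the correlation rule only matches once MemBackend has seen five such events for one ComputerName inside the window.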

License

This project is licensed under the MIT License. See the LICENSE file for details.

Contributing

Contributions are welcome! Please open an issue or submit a pull request.

Commit count: 4