#sigma #security #siem #apt #modifier #sigma-rules

sigma-rust

a library for parsing and checking Sigma rules against log events

1 unstable release

new 0.2.0 Oct 31, 2024

#767 in Parser implementations

MIT/Apache

105KB
2.5K SLoC

sigma-rust

A library for parsing and evaluating Sigma rules written in Rust.

Features

  • Supports all sigma modifiers except expand modifiers
  • Supports the whole Sigma condition syntax using Pratt parsing
  • Written in 100% safe Rust
  • Extensive test suite

Example

use sigma_rust::{rule_from_yaml, event_from_json};

fn main() {
    let rule_yaml = r#"
    title: A test rule
    logsource:
        category: test
    detection:
        selection_1:
            TargetFilename|contains: ':\temp\'
            TargetFilename|endswith:
                - '.au3'
                - '\autoit3.exe'
        selection_2:
            Image|contains: ':\temp\'
            Image|endswith:
                - '.au3'
                - '\autoit3.exe'
        condition: 1 of selection_*
    "#;

    let rule = rule_from_yaml(rule_yaml).unwrap();
    let event = event_from_json(
        r#"{"TargetFilename": "C:\\temp\\file.au3", "Image": "C:\\temp\\autoit4.exe"}"#,
    )
        .unwrap();

    assert!(rule.is_match(&event));
}

Check out the examples folder for more examples.

Strong type checking

This library performs strong type checking. That is, if you have a rule like

selection:
  - myname: 42

it would not match the event {"myname": "42"}, however, it would match {"myname": 42} (note the difference between string and integer). If you need to match against several types you can define a rule such as the following.

selection_1:
  field: 42
selection_2:
  field: "42"
condition: 1 of them

License

Licensed under either of

at your option.

Dependencies

~5.5–7.5MB
~143K SLoC