Lib.rs

Parser implementations
#sigma #detection #security #siem #detect #sigma-rules

sigma-rust

A library for parsing and evaluating Sigma rules to create custom detection pipelines

by jopohl

3 unstable releases

0.3.0 Nov 28, 2024
0.2.1 Nov 1, 2024
0.2.0 Oct 31, 2024

#598 in Parser implementations

Download history 219/week @ 2024-10-28 17/week @ 2024-11-04 3/week @ 2024-11-18 143/week @ 2024-11-25 23/week @ 2024-12-02 22/week @ 2024-12-09

191 downloads per month

MIT/Apache

105KB
2.5K SLoC

sigma-rust

Build codecov Crates.io Docs.rs

A Rust library for parsing and evaluating Sigma rules to create custom detection pipelines.

Features

  • Supports all[^1] sigma modifiers including the unofficial fieldref modifier
  • Supports the whole Sigma condition syntax using Pratt parsing
  • Written in 100% safe Rust
  • Daily automated security audit of dependencies
  • Extensive test suite

[^1]: Except the expand modifier.

Example

use sigma_rust::{rule_from_yaml, event_from_json};

fn main() {
    let rule_yaml = r#"
    title: A test rule
    logsource:
        category: test
    detection:
        selection_1:
            Event.ID: 42
            TargetFilename|contains: ':\temp\'
            TargetFilename|endswith:
                - '.au3'
                - '\autoit3.exe'
        selection_2:
            Image|contains: ':\temp\'
            Image|endswith:
                - '.au3'
                - '\autoit3.exe'
        condition: 1 of selection_*
    "#;

    let rule = rule_from_yaml(rule_yaml).unwrap();
    let event = event_from_json(
        r#"{"TargetFilename": "C:\\temp\\file.au3", "Image": "C:\\temp\\autoit4.exe", "Event": {"ID": 42}}"#,
    )
        .unwrap();

    assert!(rule.is_match(&event));
}

Matching nested fields

You can access nested fields by using a dot . as a separator. For example, if you have an event like

{
  "Event": {
    "ID": 42
  }
}

you can access the ID field by using Event.ID in the Sigma rule. Note, that fields containing a dot take precedence over nested fields. For example, if you have an event like

{
  "Event.ID": 42,
  "Event": {
    "ID": 43
  }
}

the engine will evaluate Event.ID to 42.

Strong type checking

This library performs strong type checking. That is, if you have a rule like

selection:
  - myname: 42

it would not match the event {"myname": "42"}, however, it would match {"myname": 42} (note the difference between string and integer). If you need to match against several types you can define a rule such as the following.

selection_1:
  field: 42
selection_2:
  field: "42"
condition: 1 of them

License

Licensed under either of

at your option.

Contribution

Contributions are welcome! Please open an issue or create a pull request.

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Dependencies

~5–7.5MB
~141K SLoC