Lib.rs

Parser implementations
#sigma #detection #security #siem #detect #sigma-rules

sigma-rust

A library for parsing and evaluating Sigma rules to create custom detection pipelines

by jopohl

5 unstable releases

new 0.4.1 Jan 17, 2025
0.4.0 Jan 16, 2025
0.3.0 Nov 28, 2024
0.2.1 Nov 1, 2024
0.2.0 Oct 31, 2024

#703 in Parser implementations

Download history 208/week @ 2024-10-27 27/week @ 2024-11-03 1/week @ 2024-11-10 3/week @ 2024-11-17 137/week @ 2024-11-24 28/week @ 2024-12-01 22/week @ 2024-12-08 1/week @ 2024-12-15 193/week @ 2025-01-12

193 downloads per month

MIT/Apache

110KB
2.5K SLoC

sigma-rust

Build codecov Crates.io Docs.rs

A Rust library for parsing and evaluating Sigma rules to create custom detection pipelines.

Features

  • Supports the Sigma condition syntax using Pratt parsing
  • Supports all Sigma field modifiers except expand
  • Written in 100% safe Rust
  • Daily automated security audit of dependencies
  • Extensive test suite

Example

use sigma_rust::{rule_from_yaml, event_from_json};

fn main() {
    let rule_yaml = r#"
    title: A test rule
    logsource:
        category: test
    detection:
        selection_1:
            Event.ID: 42
            TargetFilename|contains: ':\temp\'
            TargetFilename|endswith:
                - '.au3'
                - '\autoit3.exe'
        selection_2:
            Image|contains: ':\temp\'
            Image|endswith:
                - '.au3'
                - '\autoit3.exe'
        condition: 1 of selection_*
    "#;

    let rule = rule_from_yaml(rule_yaml).unwrap();
    let event = event_from_json(
        r#"{"TargetFilename": "C:\\temp\\file.au3", "Image": "C:\\temp\\autoit4.exe", "Event": {"ID": 42}}"#,
    )
        .unwrap();

    assert!(rule.is_match(&event));
}

Matching nested fields

You can access nested fields by using a dot . as a separator. For example, if you have an event like

{
  "Event": {
    "ID": 42
  }
}

you can access the ID field by using Event.ID in the Sigma rule. Note, that fields containing a dot take precedence over nested fields. For example, if you have an event like

{
  "Event.ID": 42,
  "Event": {
    "ID": 43
  }
}

the engine will evaluate Event.ID to 42.

Strong type checking

This library performs strong type checking. That is, if you have a rule like

selection:
  - myname: 42

it would not match the event {"myname": "42"}, however, it would match {"myname": 42} (note the difference between string and integer). If you need to match against several types you can define a rule such as the following.

selection_1:
  field: 42
selection_2:
  field: "42"
condition: 1 of them

License

Licensed under either of

at your option.

Contribution

Contributions are welcome! Please open an issue or create a pull request.

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Dependencies

~5–7.5MB
~141K SLoC