Releases
0.2.1 | Nov 1, 2024
0.2.0 | Oct 31, 2024
sigma-rust
A Rust library for parsing and evaluating Sigma rules to create custom detection pipelines.
Features
- Supports all Sigma modifiers except expand
- Supports the whole Sigma condition syntax using Pratt parsing
- Written in 100% safe Rust
- Daily automated security audit of dependencies
- Extensive test suite
Example
```rust
use sigma_rust::{rule_from_yaml, event_from_json};

fn main() {
    // Two selections over different fields, joined by "1 of selection_*":
    // the rule fires if either selection matches.
    let rule_yaml = r#"
title: A test rule
logsource:
    category: test
detection:
    selection_1:
        TargetFilename|contains: ':\temp\'
        TargetFilename|endswith:
            - '.au3'
            - '\autoit3.exe'
    selection_2:
        Image|contains: ':\temp\'
        Image|endswith:
            - '.au3'
            - '\autoit3.exe'
    condition: 1 of selection_*
"#;
    let rule = rule_from_yaml(rule_yaml).unwrap();
    // TargetFilename satisfies selection_1 (contains ':\temp\' and ends with '.au3');
    // Image does not satisfy selection_2, but one matching selection is enough.
    let event = event_from_json(
        r#"{"TargetFilename": "C:\\temp\\file.au3", "Image": "C:\\temp\\autoit4.exe"}"#,
    )
    .unwrap();
    assert!(rule.is_match(&event));
}
```
Check out the examples folder for more examples.
Strong type checking
This library performs strong type checking. That is, a rule such as

```yaml
selection:
    - myname: 42
```

would not match the event {"myname": "42"}, but it would match {"myname": 42} (note the difference between a string and an integer).
If you need to match against several types, define a rule such as the following:

```yaml
selection_1:
    field: 42
selection_2:
    field: "42"
condition: 1 of them
```
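The following is an added, self-contained illustration of the matching semantics described in the Example and Strong type checking sections above; it is not sigma-rust's own code and does not use the crate. Instead of parsing YAML it builds the two rules from the README by hand (a hypothetical Selection/FieldMatch representation), implements only the `contains` and `endswith` modifiers plus plain equality, and evaluates `1 of <prefix>*` (with `1 of them` as the empty prefix). Two assumptions are labelled in the code: string comparisons are case-insensitive, following Sigma's default, and a comparison between values of different types (integer versus string) never matches, which is the behaviour the README attributes to the library. The events are constructed inline.

```rust
use std::collections::HashMap;

/// A typed event field value. Keeping Str and Int distinct is what makes
/// 42 and "42" different values, as described under "Strong type checking".
#[derive(Debug, Clone, PartialEq)]
enum Value {
    Str(String),
    Int(i64),
}

/// The subset of Sigma modifiers implemented in this example.
#[derive(Debug, Clone, Copy)]
enum Modifier {
    Equals,
    Contains,
    EndsWith,
}

/// One `field|modifier: value` entry; a list of values matches if any value matches.
struct FieldMatch {
    field: &'static str,
    modifier: Modifier,
    values: Vec<Value>,
}

/// A selection is a map of field entries; all entries must match (logical AND).
struct Selection {
    name: &'static str,
    fields: Vec<FieldMatch>,
}

/// A constructed event: field name -> typed value.
type Event = HashMap<String, Value>;

fn s(v: &str) -> Value {
    Value::Str(v.to_string())
}

fn event(fields: &[(&str, Value)]) -> Event {
    fields.iter().map(|(k, v)| (k.to_string(), v.clone())).collect()
}

/// Compare one event value against one rule value.
/// Assumption: strings are compared case-insensitively (Sigma's default), and
/// values of different types never match (the README's strong type checking).
fn value_matches(actual: &Value, modifier: Modifier, expected: &Value) -> bool {
    match (actual, expected) {
        (Value::Str(a), Value::Str(e)) => {
            let (a, e) = (a.to_lowercase(), e.to_lowercase());
            match modifier {
                Modifier::Equals => a == e,
                Modifier::Contains => a.contains(e.as_str()),
                Modifier::EndsWith => a.ends_with(e.as_str()),
            }
        }
        // String modifiers are meaningless for integers; only equality can match.
        (Value::Int(a), Value::Int(e)) => matches!(modifier, Modifier::Equals) && a == e,
        _ => false,
    }
}

/// Every field entry of the selection must be satisfied by the event.
fn selection_matches(sel: &Selection, ev: &Event) -> bool {
    sel.fields.iter().all(|fm| {
        ev.get(fm.field).map_or(false, |actual| {
            fm.values.iter().any(|exp| value_matches(actual, fm.modifier, exp))
        })
    })
}

/// Evaluate `1 of <prefix>*`: at least one selection whose name starts with
/// `prefix` must match. `1 of them` is the same thing with an empty prefix.
fn one_of(selections: &[Selection], prefix: &str, ev: &Event) -> bool {
    selections
        .iter()
        .filter(|sel| sel.name.starts_with(prefix))
        .any(|sel| selection_matches(sel, ev))
}

/// The AutoIt rule from the Example section, built by hand instead of parsed from YAML.
fn autoit_rule() -> Vec<Selection> {
    let suffixes = || vec![s(".au3"), s(r"\autoit3.exe")];
    vec![
        Selection { name: "selection_1", fields: vec![
            FieldMatch { field: "TargetFilename", modifier: Modifier::Contains, values: vec![s(r":\temp\")] },
            FieldMatch { field: "TargetFilename", modifier: Modifier::EndsWith, values: suffixes() },
        ]},
        Selection { name: "selection_2", fields: vec![
            FieldMatch { field: "Image", modifier: Modifier::Contains, values: vec![s(r":\temp\")] },
            FieldMatch { field: "Image", modifier: Modifier::EndsWith, values: suffixes() },
        ]},
    ]
}

/// The "match several types" rule from the Strong type checking section.
fn typed_rule() -> Vec<Selection> {
    vec![
        Selection { name: "selection_1", fields: vec![FieldMatch { field: "field", modifier: Modifier::Equals, values: vec![Value::Int(42)] }] },
        Selection { name: "selection_2", fields: vec![FieldMatch { field: "field", modifier: Modifier::Equals, values: vec![s("42")] }] },
    ]
}

fn main() {
    // Constructed events, mirroring the README's JSON event.
    let ev = event(&[("TargetFilename", s(r"C:\temp\file.au3")), ("Image", s(r"C:\temp\autoit4.exe"))]);
    println!("autoit rule, README event: {}", one_of(&autoit_rule(), "selection_", &ev));

    let int_only = vec![Selection { name: "selection", fields: vec![FieldMatch { field: "myname", modifier: Modifier::Equals, values: vec![Value::Int(42)] }] }];
    println!("integer rule vs \"42\": {}", one_of(&int_only, "selection", &event(&[("myname", s("42"))])));
    println!("integer rule vs 42: {}", one_of(&int_only, "selection", &event(&[("myname", Value::Int(42))])));
    println!("union rule vs \"42\": {}", one_of(&typed_rule(), "", &event(&[("field", s("42"))])));
}
```

The point to take from the typed rule is operational: if a log source is inconsistent about whether a field arrives as a number or a string (common when the same event type comes through more than one collector), a single-typed selection silently misses half the events, so either normalise types at ingestion or write both variants as shown.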
License
Licensed under either of
- Apache License, Version 2.0, (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.