#sigma #detection #siem #security #secops

sigmars

A library for sigmahq rule collections

3 unstable releases

0.2.0 Jan 7, 2025
0.1.1 Nov 7, 2024
0.1.0 Nov 7, 2024

#550 in Data structures


132 downloads per month

MIT license

98KB
2.5K SLoC

Sigmars

Sigmars is a Rust library for working with Sigma rules, which are used for describing log events in a generic format. This library provides functionality for parsing, evaluating, and managing Sigma rules.

Features

  • Manages collections of Sigma rules (similar to pySigma)
  • Supports all Sigma 2.0 condition modifiers, including fieldref
  • Supports the full Sigma condition syntax (implemented as a pest Pratt grammar)
  • Supports correlation rules

Usage

As a collection of simple detections:

use std::error::Error;
use serde_json::json;
use sigmars::{Event, SigmaCollection};

fn main() -> Result<(), Box<dyn Error>> {
  // Load every rule file below the directory into one collection
  let rules: SigmaCollection = SigmaCollection::new_from_dir("/path/to/sigma/rules/");
  // A serde_json::Value is converted into a sigmars Event with `.into()`
  let log = json!({"foo": "bar"});
  // Returns the detection rules whose condition matches this event
  let matches = rules.get_detection_matches(&log.into());
  // ... act on `matches` here
  Ok(())
}

Or with correlation rules (requires tokio), using the in-memory backend:

use std::error::Error;
use serde_json::json;
use sigmars::{Event, MemBackend, SigmaCollection};

#[tokio::main]
async fn main() -> Result<(), Box<dyn Error>> {
  let rules: SigmaCollection = SigmaCollection::new_from_dir("/path/to/sigma/rules/");

  // The backend keeps the per-rule state that correlation rules need
  let mut backend = MemBackend::new().await;
  rules.init(&mut backend);

  let log = json!({"foo": "bar"});
  // Evaluates detections and correlations against the event
  let matches = rules.get_matches(&log.into()).await?;
  // ... act on `matches` here
  Ok(())
}
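To make concrete what the "condition modifiers" and "condition syntax" features above refer to, here is a small, self-contained evaluator written for this page. It is an added example, not sigmars' own code or API: it handles only the `contains`, `startswith` and `endswith` modifiers plus a `selection and not filter` condition over a flat string-valued event, and the rule and events it uses (a failed-logon detection on constructed Windows-style fields) are made up for the illustration.

```rust
use std::collections::HashMap;

/// A flat log event: field name -> string value (constructed for this example).
pub type Event = HashMap<String, String>;

/// The subset of Sigma value modifiers this toy evaluator understands.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Modifier {
    Equals,
    Contains,
    StartsWith,
    EndsWith,
}

/// One `field|modifier: value` line of a Sigma selection.
#[derive(Debug, Clone)]
pub struct FieldTest {
    pub field: String,
    pub modifier: Modifier,
    pub value: String,
}

impl FieldTest {
    /// Parse a `field|modifier` key; a bare field name means exact equality.
    pub fn parse(key: &str, value: &str) -> Result<Self, String> {
        let mut parts = key.splitn(2, '|');
        let field = parts.next().unwrap_or("").to_string();
        let modifier = match parts.next() {
            None => Modifier::Equals,
            Some("contains") => Modifier::Contains,
            Some("startswith") => Modifier::StartsWith,
            Some("endswith") => Modifier::EndsWith,
            Some(other) => return Err(format!("unsupported modifier: {}", other)),
        };
        Ok(FieldTest { field, modifier, value: value.to_string() })
    }

    /// Sigma string comparisons are case-insensitive by default, so both
    /// sides are lower-cased before comparing. A missing field never matches.
    pub fn matches(&self, event: &Event) -> bool {
        let actual = match event.get(&self.field) {
            Some(v) => v.to_lowercase(),
            None => return false,
        };
        let wanted = self.value.to_lowercase();
        match self.modifier {
            Modifier::Equals => actual == wanted,
            Modifier::Contains => actual.contains(&wanted),
            Modifier::StartsWith => actual.starts_with(&wanted),
            Modifier::EndsWith => actual.ends_with(&wanted),
        }
    }
}

/// A named selection: every field test must hold (map entries are AND-ed).
pub struct Selection {
    pub name: String,
    pub tests: Vec<FieldTest>,
}

impl Selection {
    pub fn matches(&self, event: &Event) -> bool {
        self.tests.iter().all(|t| t.matches(event))
    }
}

/// The one condition shape this example supports:
/// `selection and not filter` (the filter is optional).
pub fn evaluate(selection: &Selection, filter: Option<&Selection>, event: &Event) -> bool {
    selection.matches(event) && !filter.map_or(false, |f| f.matches(event))
}

/// Constructed rule: remote-interactive logon failures (EventID 4625,
/// LogonType 10) that do not come from the internal 10.0.0.0/8 range.
pub fn example_rule() -> (Selection, Selection) {
    let selection = Selection {
        name: "selection".to_string(),
        tests: vec![
            FieldTest::parse("EventID", "4625").unwrap(),
            FieldTest::parse("LogonType", "10").unwrap(),
        ],
    };
    let filter = Selection {
        name: "filter".to_string(),
        tests: vec![FieldTest::parse("IpAddress|startswith", "10.").unwrap()],
    };
    (selection, filter)
}

/// Helper to build a constructed event from field/value pairs.
pub fn event(pairs: &[(&str, &str)]) -> Event {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

fn main() {
    let (sel, flt) = example_rule();
    let ev = event(&[("EventID", "4625"), ("LogonType", "10"), ("IpAddress", "203.0.113.7")]);
    println!("{} matched: {}", sel.name, evaluate(&sel, Some(&flt), &ev));
}
```

The point of the `filter` branch is the same one the real condition language makes: a detection is rarely just a positive match, and the `not` side is where false positives are suppressed without weakening the selection itself.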

License

This project is licensed under the MIT License. See the LICENSE file for details.

Contributing

Contributions are welcome! Please open an issue or submit a pull request.

Dependencies

~9–18MB
~237K SLoC