3 unstable releases

| Version | Date |
|---|---|
| 0.2.0 | Jan 7, 2025 |
| 0.1.1 | Nov 7, 2024 |
| 0.1.0 | Nov 7, 2024 |
Sigmars
Sigmars is a Rust library for working with Sigma rules, the generic, vendor-neutral format for describing detections on log events. The library parses Sigma rules, evaluates them against events, and manages collections of rules.
Features
- manages collections of Sigma rules (similar to pySigma)
- supports all Sigma 2.0 condition modifiers, including fieldref
- supports the full Sigma condition syntax (implemented as a pest Pratt grammar)
- supports correlation rules
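To make the first three features concrete, the following is an added illustration (not code from the sigmars crate) of how a Sigma detection is evaluated: a selection is a map of `field|modifier: value` tests that must all hold, string modifiers compare case-insensitively, and the condition `selection and not filter` combines two such maps. The rule, event fields and values are constructed for this example.

```rust
use std::collections::HashMap;

/// Subset of Sigma string modifiers, for illustration only.
#[derive(Clone, Copy)]
enum Modifier { Exact, Contains, StartsWith, EndsWith }

/// One `field|modifier: value` line of a Sigma detection map.
struct FieldTest { field: &'static str, modifier: Modifier, value: &'static str }

/// A detection map: every field test must hold (Sigma "and" semantics within a map).
struct Selection(Vec<FieldTest>);

/// A flat log event; a missing field never matches.
type Event = HashMap<String, String>;

impl Selection {
    fn matches(&self, ev: &Event) -> bool {
        self.0.iter().all(|t| match ev.get(t.field) {
            None => false,
            Some(v) => {
                // Sigma string comparison is case-insensitive by default.
                let (v, want) = (v.to_lowercase(), t.value.to_lowercase());
                match t.modifier {
                    Modifier::Exact => v == want,
                    Modifier::Contains => v.contains(&want),
                    Modifier::StartsWith => v.starts_with(&want),
                    Modifier::EndsWith => v.ends_with(&want),
                }
            }
        })
    }
}

/// Constructed rule: condition `selection and not filter`, flagging a whoami.exe
/// process unless it runs under a built-in service account.
fn rule_matches(ev: &Event) -> bool {
    let selection = Selection(vec![
        FieldTest { field: "Image", modifier: Modifier::EndsWith, value: "\\whoami.exe" },
    ]);
    let filter = Selection(vec![
        FieldTest { field: "User", modifier: Modifier::StartsWith, value: "NT AUTHORITY\\" },
    ]);
    selection.matches(ev) && !filter.matches(ev)
}

/// Builds a constructed event from field/value pairs.
fn event(pairs: &[(&str, &str)]) -> Event {
    pairs.iter().map(|(k, v)| (k.to_string(), v.to_string())).collect()
}

fn main() {
    let ev = event(&[("Image", "C:\\Windows\\System32\\whoami.exe"), ("User", "CORP\\jdoe")]);
    println!("rule matches: {}", rule_matches(&ev));
}
```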
Usage
As a collection of simple detections:
use std::error::Error;
use serde_json::json;
use sigmars::{Event, SigmaCollection};

fn main() -> Result<(), Box<dyn Error>> {
    // Load every rule file found under the directory into one collection.
    let rules: SigmaCollection = SigmaCollection::new_from_dir("/path/to/sigma/rules/");
    // A log record as JSON; `.into()` converts it into a sigmars Event.
    let log = json!({"foo": "bar"});
    let event: Event = log.into();
    let matches = rules.get_detection_matches(&event);
    // ... act on `matches`
    Ok(())
}
or with correlations (requires tokio), using an in-memory backend:
use std::error::Error;
use serde_json::json;
use sigmars::{Event, MemBackend, SigmaCollection};

#[tokio::main]
async fn main() -> Result<(), Box<dyn Error>> {
    let rules: SigmaCollection = SigmaCollection::new_from_dir("/path/to/sigma/rules/");
    // Correlation state lives in the backend; here an in-memory one.
    let mut backend = MemBackend::new().await;
    rules.init(&mut backend);
    let log = json!({"foo": "bar"});
    let event: Event = log.into();
    // Returns detection matches and any correlation matches they trigger.
    let matches = rules.get_matches(&event).await?;
    // ... act on `matches`
    Ok(())
}
License
This project is licensed under the MIT License. See the LICENSE file for details.
Contributing
Contributions are welcome! Please open an issue or submit a pull request.