rsigma-convert 0.15.0

Sigma rule conversion engine — convert rules to backend-native query strings
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

use crate::error::ConvertError;

/// Output from converting a single Sigma rule.
#[derive(Debug)]
pub struct ConversionResult {
    pub rule_title: String,
    pub rule_id: Option<String>,
    pub queries: Vec<String>,
    /// Non-fatal diagnostics for this rule. Populated when a backend can only
    /// approximate a requested feature (the Sigma "should warn, still convert"
    /// case), as opposed to a hard [`ConvertError`] which fails the rule.
    pub warnings: Vec<String>,
}

/// Aggregated output from converting a collection of rules.
#[derive(Debug)]
pub struct ConversionOutput {
    pub queries: Vec<ConversionResult>,
    pub errors: Vec<(String, ConvertError)>,
}

impl ConversionOutput {
    /// Iterate over every non-fatal warning as `(rule_title, message)` pairs.
    pub fn warnings(&self) -> impl Iterator<Item = (&str, &str)> {
        self.queries.iter().flat_map(|r| {
            r.warnings
                .iter()
                .map(move |w| (r.rule_title.as_str(), w.as_str()))
        })
    }

    pub fn new() -> Self {
        Self {
            queries: Vec::new(),
            errors: Vec::new(),
        }
    }
}

impl Default for ConversionOutput {
    fn default() -> Self {
        Self::new()
    }
}