rsigma-eval 0.6.0

Evaluator for Sigma detection and correlation rules — match rules against events
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54

//! Evaluation-specific error types.

use thiserror::Error;

/// Errors that can occur during rule compilation or evaluation.
#[derive(Debug, Error)]
pub enum EvalError {
    /// A regex pattern failed to compile.
    #[error("invalid regex pattern: {0}")]
    InvalidRegex(#[from] regex::Error),

    /// A CIDR pattern failed to parse.
    #[error("invalid CIDR: {0}")]
    InvalidCidr(#[from] ipnet::AddrParseError),

    /// A base64 operation failed.
    #[error("base64 encoding error: {0}")]
    Base64(String),

    /// A detection referenced in a condition was not found.
    #[error("unknown detection identifier: {0}")]
    UnknownDetection(String),

    /// A modifier combination is invalid.
    #[error("invalid modifier combination: {0}")]
    InvalidModifiers(String),

    /// A value type is incompatible with the modifier.
    #[error("incompatible value for modifier: {0}")]
    IncompatibleValue(String),

    /// A numeric value was expected but not found.
    #[error("expected numeric value: {0}")]
    ExpectedNumeric(String),

    /// A parser error propagated during compilation.
    #[error("parser error: {0}")]
    Parser(#[from] rsigma_parser::SigmaParserError),

    /// A correlation rule compilation or evaluation error.
    #[error("correlation error: {0}")]
    CorrelationError(String),

    /// A rule referenced by a correlation was not found.
    #[error("unknown rule reference: {0}")]
    UnknownRuleRef(String),

    /// A cycle was detected in correlation rule references.
    #[error("correlation cycle detected: {0}")]
    CorrelationCycle(String),
}

/// Convenience result type.
pub type Result<T> = std::result::Result<T, EvalError>;