rsigma_parser/lib.rs
1//! # rsigma-parser
2//!
3//! A comprehensive parser for Sigma detection rules, correlations, and filters.
4//!
5//! This crate parses Sigma YAML files into a strongly-typed AST, handling:
6//!
7//! - **Detection rules**: field matching, wildcards, boolean conditions, field modifiers
8//! - **Condition expressions**: `and`, `or`, `not`, `1 of`, `all of`, parenthesized groups
9//! - **Correlation rules**: `event_count`, `value_count`, `temporal`, aggregations
10//! - **Filter rules**: additional conditions applied to referenced rules
11//! - **Rule collections**: multi-document YAML, `action: global/reset/repeat`
12//! - **Value types**: strings with wildcards, numbers, booleans, null, regex, CIDR
13//! - **All 30+ field modifiers**: `contains`, `endswith`, `startswith`, `re`, `cidr`,
14//! `base64`, `base64offset`, `wide`, `windash`, `all`, `cased`, `exists`, `fieldref`,
15//! comparison operators, regex flags, timestamp parts, and more
16//!
17//! ## Architecture
18//!
19//! - **PEG grammar** ([`pest`]) for condition expression parsing with correct operator
20//! precedence (`NOT` > `AND` > `OR`) and Pratt parsing
21//! - **yaml_serde** for YAML structure deserialization
22//! - **Custom parsing** for field modifiers, wildcard strings, and timespan values
23//!
24//! ## Quick Start
25//!
26//! ```rust
27//! use rsigma_parser::parse_sigma_yaml;
28//!
29//! let yaml = r#"
30//! title: Detect Whoami
31//! logsource:
32//!     product: windows
33//!     category: process_creation
34//! detection:
35//!     selection:
36//!         CommandLine|contains: 'whoami'
37//!     condition: selection
38//! level: medium
39//! "#;
40//!
41//! let collection = parse_sigma_yaml(yaml).unwrap();
42//! assert_eq!(collection.rules.len(), 1);
43//! assert_eq!(collection.rules[0].title, "Detect Whoami");
44//! ```
45//!
46//! ## Parsing condition expressions
47//!
48//! ```rust
49//! use rsigma_parser::parse_condition;
50//!
51//! let expr = parse_condition("selection_main and 1 of selection_dword_* and not 1 of filter_*").unwrap();
52//! println!("{expr}");
53//! ```
54
55pub mod ads;
56pub mod ast;
57pub mod condition;
58pub mod error;
59pub mod fieldpath;
60pub mod lint;
61pub mod parser;
62pub mod reference;
63pub mod selector;
64pub mod value;
65pub mod version;
66
67// Re-export the most commonly used types and functions at crate root
68pub use ads::{
69 AdsCarrier, AdsContent, AdsDocument, AdsScaffoldEntry, AdsSection, AdsSectionInfo,
70 AdsSectionStatus, ads_catalogue,
71};
72pub use ast::{
73 ArrayQuantifier, ConditionExpr, ConditionOperator, CorrelationCondition, CorrelationRule,
74 CorrelationType, Detection, DetectionItem, Detections, FieldAlias, FieldSpec, FilterRule,
75 FilterRuleTarget, Level, LogSource, Modifier, Quantifier, Related, RelationType,
76 SelectorPattern, SigmaCollection, SigmaDocument, SigmaRule, Status, WindowMode,
77};
78pub use condition::parse_condition;
79pub use error::{Result, SigmaParserError, SourceLocation};
80pub use lint::catalogue::{LintRuleInfo, catalogue};
81pub use lint::fix::{SourceFixOutcome, apply_fixes_to_source};
82pub use lint::{
83 AdsConfig, FileLintResult, Fix, FixDisposition, FixPatch, InlineSuppressions, LintConfig,
84 LintRule, LintWarning, Severity, Span, apply_suppressions, lint_yaml_directory,
85 lint_yaml_directory_with_config, lint_yaml_file, lint_yaml_file_with_config, lint_yaml_str,
86 lint_yaml_str_with_config, lint_yaml_value, parse_inline_suppressions,
87};
88pub use parser::{parse_field_spec, parse_sigma_directory, parse_sigma_file, parse_sigma_yaml};
89pub use selector::detection_name_matches;
90pub use value::{SigmaString, SigmaValue, SpecialChar, StringPart, Timespan};
91pub use version::{
92 SPEC_VERSION_ARRAY_MATCHING, SPEC_VERSION_FLOOR, SPEC_VERSION_SUPPORTED,
93 array_matching_enabled, is_unsupported, resolve_major,
94};