rsigma-parser 0.6.0

Parser for Sigma detection rules, correlations, and filters
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

//! # rsigma-parser
//!
//! A comprehensive parser for Sigma detection rules, correlations, and filters.
//!
//! This crate parses Sigma YAML files into a strongly-typed AST, handling:
//!
//! - **Detection rules**: field matching, wildcards, boolean conditions, field modifiers
//! - **Condition expressions**: `and`, `or`, `not`, `1 of`, `all of`, parenthesized groups
//! - **Correlation rules**: `event_count`, `value_count`, `temporal`, aggregations
//! - **Filter rules**: additional conditions applied to referenced rules
//! - **Rule collections**: multi-document YAML, `action: global/reset/repeat`
//! - **Value types**: strings with wildcards, numbers, booleans, null, regex, CIDR
//! - **All 30+ field modifiers**: `contains`, `endswith`, `startswith`, `re`, `cidr`,
//!   `base64`, `base64offset`, `wide`, `windash`, `all`, `cased`, `exists`, `fieldref`,
//!   comparison operators, regex flags, timestamp parts, and more
//!
//! ## Architecture
//!
//! - **PEG grammar** ([`pest`]) for condition expression parsing with correct operator
//!   precedence (`NOT` > `AND` > `OR`) and Pratt parsing
//! - **serde_yaml** for YAML structure deserialization
//! - **Custom parsing** for field modifiers, wildcard strings, and timespan values
//!
//! ## Quick Start
//!
//! ```rust
//! use rsigma_parser::parse_sigma_yaml;
//!
//! let yaml = r#"
//! title: Detect Whoami
//! logsource:
//!     product: windows
//!     category: process_creation
//! detection:
//!     selection:
//!         CommandLine|contains: 'whoami'
//!     condition: selection
//! level: medium
//! "#;
//!
//! let collection = parse_sigma_yaml(yaml).unwrap();
//! assert_eq!(collection.rules.len(), 1);
//! assert_eq!(collection.rules[0].title, "Detect Whoami");
//! ```
//!
//! ## Parsing condition expressions
//!
//! ```rust
//! use rsigma_parser::parse_condition;
//!
//! let expr = parse_condition("selection_main and 1 of selection_dword_* and not 1 of filter_*").unwrap();
//! println!("{expr}");
//! ```

pub mod ast;
pub mod condition;
pub mod error;
pub mod lint;
pub mod parser;
pub mod value;

// Re-export the most commonly used types and functions at crate root
pub use ast::{
    ConditionExpr, ConditionOperator, CorrelationCondition, CorrelationRule, CorrelationType,
    Detection, DetectionItem, Detections, FieldAlias, FieldSpec, FilterRule, Level, LogSource,
    Modifier, Quantifier, Related, RelationType, SelectorPattern, SigmaCollection, SigmaDocument,
    SigmaRule, Status,
};
pub use condition::parse_condition;
pub use error::{Result, SigmaParserError, SourceLocation};
pub use lint::{
    FileLintResult, Fix, FixDisposition, FixPatch, InlineSuppressions, LintConfig, LintRule,
    LintWarning, Severity, Span, apply_suppressions, lint_yaml_directory,
    lint_yaml_directory_with_config, lint_yaml_file, lint_yaml_file_with_config, lint_yaml_str,
    lint_yaml_str_with_config, lint_yaml_value, parse_inline_suppressions,
};
pub use parser::{parse_field_spec, parse_sigma_directory, parse_sigma_file, parse_sigma_yaml};
pub use value::{SigmaString, SigmaValue, SpecialChar, StringPart, Timespan};