rsigma 0.17.0

CLI for parsing, validating, linting and evaluating Sigma detection rules
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178

//! Integration tests for the async sink delivery layer: per-sink `?on_full`
//! policy parsing, multi-sink fan-out, and the per-sink / input-source
//! delivery metrics. Runs under the default `daemon` feature (HTTP input,
//! file output) so no external broker is needed.

mod common;

use std::time::Duration;

use common::{DaemonProcess, SIMPLE_RULE, http_get, http_post, poll_until, temp_file};

const MATCHING_EVENT: &str = r#"{"CommandLine":"run malware.exe"}"#;

fn file_contains(path: &std::path::Path, needle: &str) -> bool {
    std::fs::read_to_string(path)
        .unwrap_or_default()
        .contains(needle)
}

#[test]
fn on_full_drop_sink_is_accepted_and_delivers() {
    let rule = temp_file(".yml", SIMPLE_RULE);
    let out = temp_file(".ndjson", "");
    let out_spec = format!("file://{}?on_full=drop", out.path().display());
    let daemon = DaemonProcess::spawn_http_with_args(
        rule.path().to_str().unwrap(),
        &["--output", &out_spec],
    );

    let (status, _) = http_post(&daemon.url("/api/v1/events"), MATCHING_EVENT);
    assert_eq!(status, 200, "event ingestion should be accepted");

    let delivered = poll_until(Duration::from_secs(5), || {
        file_contains(out.path(), "Test Rule").then_some(())
    });
    assert!(
        delivered.is_some(),
        "detection should reach an ?on_full=drop sink under normal (non-saturated) load",
    );
}

#[test]
fn fan_out_delivers_to_every_sink() {
    let rule = temp_file(".yml", SIMPLE_RULE);
    let a = temp_file(".ndjson", "");
    let b = temp_file(".ndjson", "");
    let a_spec = format!("file://{}", a.path().display());
    let b_spec = format!("file://{}", b.path().display());
    let daemon = DaemonProcess::spawn_http_with_args(
        rule.path().to_str().unwrap(),
        &["--output", &a_spec, "--output", &b_spec],
    );

    let (status, _) = http_post(&daemon.url("/api/v1/events"), MATCHING_EVENT);
    assert_eq!(status, 200);

    let both = poll_until(Duration::from_secs(5), || {
        (file_contains(a.path(), "Test Rule") && file_contains(b.path(), "Test Rule")).then_some(())
    });
    assert!(
        both.is_some(),
        "fan-out must deliver the detection to every leaf sink",
    );
}

#[test]
fn sink_and_input_metrics_are_exposed() {
    let rule = temp_file(".yml", SIMPLE_RULE);
    let out = temp_file(".ndjson", "");
    let out_spec = format!("file://{}", out.path().display());
    let daemon = DaemonProcess::spawn_http_with_args(
        rule.path().to_str().unwrap(),
        &["--output", &out_spec],
    );

    let (status, _) = http_post(&daemon.url("/api/v1/events"), MATCHING_EVENT);
    assert_eq!(status, 200);
    poll_until(Duration::from_secs(5), || {
        file_contains(out.path(), "Test Rule").then_some(())
    });

    let (status, body) = http_get(&daemon.url("/metrics"));
    assert_eq!(status, 200);
    // The per-sink delivery metric is pre-registered with the sink kind
    // label when the worker starts, so it is present even before saturation.
    assert!(
        body.contains("rsigma_sink_queue_depth"),
        "per-sink delivery gauge must be exposed",
    );
    assert!(
        body.contains(r#"sink="file""#),
        "the file sink's label must be present: {body}",
    );
    // Input-source metric parity: the HTTP push receiver feeds the same
    // gauge the pull sources do.
    assert!(
        body.contains("rsigma_input_queue_depth"),
        "input-queue-depth gauge must be exposed",
    );
}

/// An OTLP output sink pointed at an unreachable collector should, after
/// exhausting retries, route the failed result to the DLQ. With
/// `--sink-retry-max 0` the first failure is terminal, keeping the test fast
/// and deterministic. Exercises the `otlphttp://` grammar, OTLP sink
/// construction, the delivery layer, and the DLQ bridge end to end.
#[cfg(feature = "daemon-otlp")]
#[test]
fn otlp_sink_unreachable_endpoint_routes_to_dlq() {
    let rule = temp_file(".yml", SIMPLE_RULE);
    let dlq = temp_file(".ndjson", "");
    let dlq_spec = format!("file://{}", dlq.path().display());
    let daemon = DaemonProcess::spawn_http_with_args(
        rule.path().to_str().unwrap(),
        &[
            "--output",
            "otlphttp://127.0.0.1:1",
            "--dlq",
            &dlq_spec,
            "--sink-retry-max",
            "0",
        ],
    );

    let (status, _) = http_post(&daemon.url("/api/v1/events"), MATCHING_EVENT);
    assert_eq!(status, 200);

    let dlqd = poll_until(Duration::from_secs(10), || {
        file_contains(dlq.path(), "sink delivery failure").then_some(())
    });
    assert!(
        dlqd.is_some(),
        "an unreachable OTLP sink should route the failed result to the DLQ",
    );
}

/// An `otlps://` (gRPC TLS) sink with a `ca=` query parameter must parse the
/// scheme, read and validate the CA PEM, build the TLS client, and (against an
/// unreachable collector) route the failed delivery to the DLQ. Exercises the
/// CLI's TLS-scheme grammar and `ca=` file loading end to end.
#[cfg(feature = "daemon-otlp")]
#[test]
fn otlps_tls_sink_with_ca_routes_unreachable_to_dlq() {
    use rcgen::{BasicConstraints, CertificateParams, IsCa, KeyPair};

    let mut ca_params = CertificateParams::new(Vec::<String>::new()).unwrap();
    ca_params.is_ca = IsCa::Ca(BasicConstraints::Unconstrained);
    let ca_key = KeyPair::generate().unwrap();
    let ca_cert = ca_params.self_signed(&ca_key).unwrap();
    let ca_file = temp_file(".pem", &ca_cert.pem());

    let rule = temp_file(".yml", SIMPLE_RULE);
    let dlq = temp_file(".ndjson", "");
    let dlq_spec = format!("file://{}", dlq.path().display());
    let out_spec = format!("otlps://127.0.0.1:1?ca={}", ca_file.path().display());
    let daemon = DaemonProcess::spawn_http_with_args(
        rule.path().to_str().unwrap(),
        &[
            "--output",
            &out_spec,
            "--dlq",
            &dlq_spec,
            "--sink-retry-max",
            "0",
        ],
    );

    let (status, _) = http_post(&daemon.url("/api/v1/events"), MATCHING_EVENT);
    assert_eq!(status, 200);

    let dlqd = poll_until(Duration::from_secs(10), || {
        file_contains(dlq.path(), "sink delivery failure").then_some(())
    });
    assert!(
        dlqd.is_some(),
        "an unreachable otlps sink should still build TLS and route to the DLQ",
    );
}