# yaml-language-server: $schema=https://timescale.github.io/rsigma/rsigma.schema.json
#
# rsigma configuration file.
#
# Precedence (low to high):
# compiled defaults < /etc/rsigma < ~/.config/rsigma < .rsigmarc < ./rsigma.yaml < env < CLI flags
#
# Discovery: place this at ./rsigma.yaml, ~/.config/rsigma/config.yaml, or
# /etc/rsigma/config.yaml, or point at it with `--config <path>`.
# Regenerate the JSON Schema with: rsigma config schema
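version: 1
global:
  # Diagnostic log format on stderr: text | json (maps to --log-format).
  log_format: text
  # Color policy for human-friendly output: auto | always | never.
  # `auto` honors NO_COLOR and disables color when stdout is not a TTY.
  # color: auto
  # Default structured output format: json | ndjson | table | csv | tsv.
  # Default behavior (when unset): pretty JSON on a TTY, NDJSON when piped.
  # output_format: json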
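daemon:
  # NOTE(review): the nesting below was reconstructed from a copy of this file
  # that had lost its indentation. Validate it with `rsigma config schema`
  # before deploying; in particular confirm whether `state:` and `nats:`
  # belong at this level or under `correlation:` / `engine:`.
  #
  # Path to a Sigma rule file or directory. Rules are detection logic that the
  # daemon executes, so keep this location writable only by the account that
  # deploys rules.
  rules: /etc/rsigma/rules
  # Builtin pipeline names (ecs_windows, sysmon) or YAML file paths.
  # Explicit empty list: a bare `pipelines:` parses as null, not as a list.
  pipelines: []
  # External dynamic-source files or directories (repeatable).
  sources: []
  # Post-evaluation enricher config file.
  # enrichers: /etc/rsigma/enrichers.yml
  api:
    # Bind address for health, metrics, and the HTTP/OTLP API.
    # Loopback by default: nothing in this file authenticates callers other
    # than the optional mTLS `client_ca` below, and the listener is plaintext
    # unless the binary was built with daemon-tls AND `tls` is configured.
    # Widen it to a specific interface address (not 0.0.0.0) only when a
    # remote scraper or OTLP sender must reach it, and put TLS/mTLS or an
    # authenticating reverse proxy in front of it first.
    addr: "127.0.0.1:9090"
    # TLS settings (ignored unless built with the daemon-tls feature — a
    # build without it serves plaintext regardless of these keys).
    # tls:
    #   cert: /etc/rsigma/tls/cert.pem
    #   key: /etc/rsigma/tls/key.pem
    #   # Setting client_ca presumably enables mTLS (only client certs it
    #   # signed may connect) — confirm against the daemon docs.
    #   client_ca: /etc/rsigma/tls/ca.pem
    #   min_version: "1.3"
    #   # Keep false so the listener does not fall back to plaintext.
    #   allow_plaintext: false
  input:
    # Event source: stdin | http | nats://host:port/subject
    source: stdin
    # Log format: auto | json | syslog | plain | logfmt | cef
    format: auto
    # Default timezone offset for RFC 3164 syslog (quoted on purpose: an
    # unquoted +00:00 can be read as a number by YAML 1.1 parsers).
    syslog_tz: "+00:00"
    # Strip a leading UTF-8 BOM from RFC 5424 syslog messages (RFC 5424 treats
    # it as an encoding marker, not content). Set false to keep it byte-for-byte.
    syslog_strip_bom: true
    # Channel capacity for source->engine and engine->sink queues. Bounded so
    # a burst from a fast (or hostile) source cannot grow memory without limit.
    buffer_size: 10000
    # Max events processed per engine lock acquisition.
    batch_size: 1
    # jq filter / JSONPath query to extract the event payload (mutually exclusive).
    # jq: ".event"
    # jsonpath: "$.event"
  output:
    # Detection sinks (repeatable): stdout | file://path | nats://host:port/subject
    # Explicit empty list rather than a bare key; add at least one entry
    # (e.g. [stdout]) — what the daemon does with no sinks is not documented here.
    sinks: []
    # Dead-letter queue for events that fail processing. It receives raw
    # events, so restrict the file's permissions as tightly as the inputs.
    # dlq: "file:///var/lib/rsigma/dlq.ndjson"
    # Seconds to wait for in-flight events to drain on shutdown.
    drain_timeout: 5
    # Include the full event JSON in each detection. Keep false unless every
    # sink is cleared for whatever the raw events may carry (credentials,
    # PII, command lines).
    include_event: false
    # Pretty-print JSON output.
    pretty: false
  correlation:
    # Suppression window for correlation alerts (e.g. 5m, 1h, 30s).
    # suppress: 5m
    # Action after a correlation fires: alert | reset
    action: alert
    # Correlation event inclusion: none | full | refs. `full` copies event
    # payloads into correlation output — same data-exposure caveat as
    # output.include_event.
    event_mode: none
    # Max events stored per correlation window group (bounds memory per group).
    max_events: 10
    # Extra event field names for timestamp extraction.
    # timestamp_fields: ["@timestamp"]
    # Behavior when no timestamp field is found: wallclock | skip
    timestamp_fallback: wallclock
    # Suppress detection output for correlation-only rules.
    no_detections: false
  state:
    # SQLite database for persisting correlation state across restarts.
    # With event_mode=full it presumably holds event payloads too, so give
    # the file owner-only permissions.
    # db: /var/lib/rsigma/state.db
    # Seconds between periodic state snapshots.
    save_interval: 30
  engine:
    # Enable bloom-filter pre-filtering of positive substring matchers.
    bloom_prefilter: false
    # Match-detail verbosity for detection output: off (default), summary, full.
    # summary adds the matcher kind/selection (and keyword/absence matches);
    # full also records the matched pattern. off keeps the {field, value} shape.
    # Quoted: a bare `off` is a boolean under YAML 1.1 rules.
    match_detail: "off"
    # Memory budget (bytes) for the bloom index. No effect unless bloom_prefilter.
    # bloom_max_bytes: 1048576
    # Observe event field keys for coverage reporting.
    observe_fields: false
    # Hard ceiling on distinct field names tracked by the observer. Field
    # names come from the events themselves, so this is what keeps an
    # attacker-controlled source from growing the table without bound.
    observe_fields_max_keys: 10000
    # Allow include directives to reference remote (HTTP/NATS) sources.
    # Keep false: with it on, rule content is fetched from the network at
    # load time and becomes part of your supply chain. Whether egress_policy
    # below also governs these fetches is not stated here — confirm before
    # enabling.
    allow_remote_include: false
    # Enable the cross-rule Aho-Corasick pre-filter (daachorse-index feature).
    # cross_rule_ac: false
    # HTTP egress policy applied to dynamic-source and enrichment HTTP clients.
    # default = block link-local + cloud-metadata (SSRF defense, allow loopback / private).
    # strict = also block loopback + RFC1918 private (recommended for hardened deployments).
    # permissive = allow every resolved address (only for tightly controlled environments).
    # `default` still lets a URL in a source or enricher config reach loopback
    # services and the private network; prefer `strict` unless those are
    # needed. `permissive` is described in terms of *resolved* addresses,
    # which suggests the check runs after DNS resolution — confirm before
    # relying on it against rebinding.
    egress_policy: default
  # NATS secrets (creds/token/password/nkey) are NOT configurable here by
  # design; supply them via environment variables. Ignored unless daemon-nats.
  # nats:
  #   consumer_group: rsigma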
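eval:
  # Settings for one-shot `rsigma engine eval` runs, as opposed to the daemon.
  # Default rules path for `rsigma engine eval`.
  # rules: ./rules
  # pipelines: [sysmon]
  # Input format (likely the same set as daemon.input.format: auto | json |
  # syslog | plain | logfmt | cef).
  input_format: auto
  # Default timezone offset for RFC 3164 syslog (quoted on purpose).
  syslog_tz: "+00:00"
  # Strip a leading UTF-8 BOM from RFC 5424 syslog messages. Set false to keep it.
  syslog_strip_bom: true
  # Presumably exits non-zero when any rule matches, which makes eval usable
  # as a CI gate — confirm against the CLI help.
  fail_on_detection: false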