sigma-rust

A Rust library for parsing and evaluating Sigma rules to create custom detection pipelines.

Features

• Supports the Sigma condition syntax using Pratt parsing
• Supports all Sigma field modifiers except expand
• Support for String wildcards
• Written in 100% safe Rust
• Daily automated security audit of dependencies
• Extensive test suite

Example

use sigma_rust::{rule_from_yaml, event_from_json};

fn main() {
    let rule_yaml = r#"
    title: A test rule
    logsource:
        category: test
    detection:
        selection_1:
            Event.ID: 42
            TargetFilename|contains: ':\temp\'
            TargetFilename|endswith:
                - '.au3'
                - '\autoit3.exe'
        selection_2:
            Image|contains: ':\temp\'
            Image|endswith:
                - '.au3'
                - '\autoit3.exe'
        condition: 1 of selection_*
    "#;

    let rule = rule_from_yaml(rule_yaml).unwrap();
    let event = event_from_json(
        r#"{"TargetFilename": "C:\\temp\\file.au3", "Image": "C:\\temp\\autoit4.exe", "Event": {"ID": 42}}"#,
    )
        .unwrap();

    assert!(rule.is_match(&event));
}

Matching nested fields

You can access nested fields by using a dot . as a separator. For example, if you have an event like

{
  "Event": {
    "ID": 42
  }
}

you can access the ID field by using Event.ID in the Sigma rule. Note, that fields containing a dot take precedence over nested fields. For example, if you have an event like

{
  "Event.ID": 42,
  "Event": {
    "ID": 43
  }
}

the engine will evaluate Event.ID to 42.

Strong type checking

This library performs strong type checking. That is, if you have a rule like

selection:
  - myname: 42

it would not match the event {"myname": "42"}, however, it would match {"myname": 42} (note the difference between string and integer). If you need to match against several types you can define a rule such as the following.

selection_1:
  field: 42
selection_2:
  field: "42"
condition: 1 of them

License

Licensed under either of

• Apache License, Version 2.0, (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
• MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)

at your option.

Contribution

Contributions are welcome! Please open an issue or create a pull request.

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.