
Crate rsigma_eval


§rsigma-eval

Evaluator for Sigma detection and correlation rules.

This crate consumes the AST produced by rsigma_parser and evaluates it against events in real time using a compile-then-evaluate model.

§Architecture

  • Detection rules (stateless): compiled once into optimized matchers; each event is then matched with zero allocation on the hot path.
  • Correlation rules (stateful): time-windowed aggregation over detection matches, supporting event_count, value_count, temporal, temporal_ordered, value_sum, value_avg, value_percentile, and value_median.

§Quick Start — Detection Only

use rsigma_parser::parse_sigma_yaml;
use rsigma_eval::Engine;
use rsigma_eval::event::JsonEvent;
use serde_json::json;

// One stateless detection rule: it fires when `CommandLine` contains "whoami".
let rule_yaml = r#"
title: Detect Whoami
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains: 'whoami'
    condition: selection
level: medium
"#;

// Parse and compile once; the same engine is reused for every event afterwards.
// `unwrap()` keeps the example short — a real rule loader should report the
// parse/compile error instead of panicking.
let collection = parse_sigma_yaml(rule_yaml).unwrap();
let mut engine = Engine::new();
engine.add_collection(&collection).unwrap();

// Borrow the JSON document instead of copying it into the event wrapper.
let payload = json!({"CommandLine": "cmd /c whoami"});
let event = JsonEvent::borrow(&payload);

// Exactly one rule is loaded and it matches this event, so one result is expected.
let hits = engine.evaluate(&event);
assert_eq!(hits.len(), 1);

§Quick Start — With Correlations

use rsigma_parser::parse_sigma_yaml;
use rsigma_eval::{CorrelationEngine, CorrelationConfig};
use rsigma_eval::event::JsonEvent;
use serde_json::json;

// Two documents in one YAML stream: a detection rule (`login-rule`) and an
// `event_count` correlation that fires once the same `User` logs in three or
// more times inside a 60 s window.
let rules_yaml = r#"
title: Login
id: login-rule
logsource:
    category: auth
detection:
    selection:
        EventType: login
    condition: selection
---
title: Many Logins
correlation:
    type: event_count
    rules:
        - login-rule
    group-by:
        - User
    timespan: 60s
    condition:
        gte: 3
level: high
"#;

// `unwrap()` keeps the example short — production loaders should surface the error.
let collection = parse_sigma_yaml(rules_yaml).unwrap();
let mut engine = CorrelationEngine::new(CorrelationConfig::default());
engine.add_collection(&collection).unwrap();

// Feed three logins for the same user with explicit, increasing timestamps so the
// example does not depend on wall-clock time.
for offset in 0..3 {
    let payload = json!({"EventType": "login", "User": "admin"});
    let event = JsonEvent::borrow(&payload);
    let result = engine.process_event_at(&event, 1000 + offset);

    // Only the third login reaches `gte: 3`, so only that call should produce
    // a correlation result alongside the detection match.
    let is_third_login = offset == 2;
    if is_third_login {
        let correlation_hits = result.iter().filter(|r| r.is_correlation()).count();
        assert_eq!(correlation_hits, 1);
    }
}

Re-exports§

pub use compiler::CompiledDetection;
pub use compiler::CompiledDetectionItem;
pub use compiler::CompiledRule;
pub use compiler::compile_rule;
pub use compiler::evaluate_rule;
pub use correlation::CompiledCondition;
pub use correlation::CompiledCorrelation;
pub use correlation::EventBuffer;
pub use correlation::EventRef;
pub use correlation::EventRefBuffer;
pub use correlation::GroupByField;
pub use correlation::GroupKey;
pub use correlation::WindowState;
pub use correlation_engine::CorrelationAction;
pub use correlation_engine::CorrelationConfig;
pub use correlation_engine::CorrelationEngine;
pub use correlation_engine::CorrelationEventMode;
pub use correlation_engine::CorrelationInfo;
pub use correlation_engine::CorrelationSnapshot;
pub use correlation_engine::CorrelationStateSnapshot;
pub use correlation_engine::GroupKeyPart;
pub use correlation_engine::GroupStateInfo;
pub use correlation_engine::ProcessResult;
pub use correlation_engine::TimestampFallback;
pub use engine::Engine;
pub use error::EvalError;
pub use error::Result;
pub use event::Event;
pub use event::EventValue;
pub use event::JsonEvent;
pub use event::KvEvent;
pub use event::MapEvent;
pub use event::MappedEvent;
pub use event::PlainEvent;
pub use explain::ConditionTrace;
pub use explain::DetectionTrace;
pub use explain::ItemTrace;
pub use explain::MatchReason;
pub use explain::RuleExplanation;
pub use explain::SelectionBranch;
pub use explain::explain_rule;
pub use field_observer::FieldCoverage;
pub use field_observer::FieldObservation;
pub use field_observer::FieldObservationEntry;
pub use field_observer::FieldObserver;
pub use fields::FieldOrigin;
pub use fields::FieldSource;
pub use fields::RuleFieldSet;
pub use logsource::LogSourceExtractor;
pub use matcher::CompiledMatcher;
pub use matcher::MatchDescriptor;
pub use pipeline::Pipeline;
pub use pipeline::TransformationItem;
pub use pipeline::apply_pipelines;
pub use pipeline::apply_pipelines_with_state;
pub use pipeline::builtin::builtin_names as builtin_pipeline_names;
pub use pipeline::builtin::resolve_builtin as resolve_builtin_pipeline;
pub use pipeline::merge_pipelines;
pub use pipeline::parse_pipeline;
pub use pipeline::parse_pipeline_file;
pub use pipeline::parse_sources_dir;
pub use pipeline::parse_sources_file;
pub use pipeline::parse_transformation_items;
pub use pipeline::validate_source_refs;
pub use result::CorrelationBody;
pub use result::DetectionBody;
pub use result::EvaluationResult;
pub use result::FieldMatch;
pub use result::MatchDetailLevel;
pub use result::MatcherKind;
pub use result::ProcessResultExt;
pub use result::ResultBody;
pub use result::RuleHeader;
pub use router::RouteOutcome;
pub use router::RouteResult;
pub use router::SchemaRouter;
pub use schema::FieldValueConfig;
pub use schema::OnUnknown;
pub use schema::RouteDecision;
pub use schema::RoutingConfig;
pub use schema::RoutingPlan;
pub use schema::SchemaBinding;
pub use schema::SchemaClassifier;
pub use schema::SchemaCountEntry;
pub use schema::SchemaError;
pub use schema::SchemaMatch;
pub use schema::SchemaObservation;
pub use schema::SchemaObserver;
pub use schema::SchemaPredicate;
pub use schema::SchemaPredicateConfig;
pub use schema::SchemaSignature;
pub use schema::SchemaSignatureConfig;
pub use schema::SchemaSignaturesFile;
pub use schema::builtin_schema_names;
pub use schema::load_schema_config;
pub use schema::load_schema_signatures;
pub use schema::parse_schema_config;
pub use schema::parse_schema_signatures;

Modules§

compiler
Compile parsed Sigma rules into optimized in-memory representations.
correlation
Compiled correlation types, group key, window state, and compilation.
correlation_engine
Stateful correlation engine with time-windowed aggregation.
engine
Rule evaluation engine with logsource routing.
error
Evaluation-specific error types.
event
Event abstraction for Sigma rule evaluation.
explain
Data-aware “explain” trace for a single rule against a single event.
field_observer
Opt-in observer that records every field name seen at evaluation time so consumers can report which event fields are not referenced by any loaded rule (gap signal) and which rule fields have never been seen in events (broken-coverage signal).
fields
Rule-field extraction shared between rsigma rule fields and the daemon’s field-observability endpoints.
logsource
Event logsource extraction for opt-in, conflict-based logsource pruning.
matcher
Compiled matchers for zero-allocation hot-path evaluation.
pipeline
Processing pipeline system for transforming Sigma rules before evaluation.
result
Unified result type for rule evaluation and correlation.
router
Multi-engine schema router: classify each event, route it to the detection engine built for its schema’s pipeline-set, and feed every detection into one shared correlation store.
rule_index
Inverted index for rule pre-filtering.
schema
Schema classification: recognize the structure of a parsed event.