Crate rsigma_eval

§rsigma-eval

Evaluator for Sigma detection and correlation rules.

This crate consumes the AST produced by rsigma_parser and evaluates it against events in real time using a compile-then-evaluate model.

§Architecture

  • Detection rules (stateless): compiled once into optimized matchers; each event is then matched with zero allocation on the hot path.
  • Correlation rules (stateful): time-windowed aggregation over detection matches, supporting the event_count, value_count, temporal, temporal_ordered, value_sum, value_avg, value_percentile, and value_median correlation types.

§Quick Start — Detection Only

```rust
use rsigma_parser::parse_sigma_yaml;
use rsigma_eval::Engine;
use rsigma_eval::event::JsonEvent;
use serde_json::json;

// A single stateless detection rule.
let yaml = r#"
title: Detect Whoami
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains: 'whoami'
    condition: selection
level: medium
"#;

// Parse once, compile once: the engine holds the compiled matchers.
let collection = parse_sigma_yaml(yaml).unwrap();
let mut engine = Engine::new();
engine.add_collection(&collection).unwrap();

// Evaluate a borrowed JSON event against every loaded rule.
let event_val = json!({"CommandLine": "cmd /c whoami"});
let event = JsonEvent::borrow(&event_val);
let matches = engine.evaluate(&event);
assert_eq!(matches.len(), 1);
```

§Quick Start — With Correlations

```rust
use rsigma_parser::parse_sigma_yaml;
use rsigma_eval::{CorrelationEngine, CorrelationConfig};
use rsigma_eval::event::JsonEvent;
use serde_json::json;

// One detection rule plus one correlation rule that references it by id.
let yaml = r#"
title: Login
id: login-rule
logsource:
    category: auth
detection:
    selection:
        EventType: login
    condition: selection
---
title: Many Logins
correlation:
    type: event_count
    rules:
        - login-rule
    group-by:
        - User
    timespan: 60s
    condition:
        gte: 3
level: high
"#;

let collection = parse_sigma_yaml(yaml).unwrap();
let mut engine = CorrelationEngine::new(CorrelationConfig::default());
engine.add_collection(&collection).unwrap();

// Feed three logins for the same User with explicit timestamps inside the
// 60s window; the correlation fires on the third one.
for i in 0..3 {
    let v = json!({"EventType": "login", "User": "admin"});
    let event = JsonEvent::borrow(&v);
    let result = engine.process_event_at(&event, 1000 + i);
    if i == 2 {
        let correlations = result.iter().filter(|r| r.is_correlation()).count();
        assert_eq!(correlations, 1);
    }
}
```

Re-exports§

pub use compiler::CompiledDetection;
pub use compiler::CompiledDetectionItem;
pub use compiler::CompiledRule;
pub use compiler::compile_rule;
pub use compiler::evaluate_rule;
pub use correlation::CompiledCondition;
pub use correlation::CompiledCorrelation;
pub use correlation::EventBuffer;
pub use correlation::EventRef;
pub use correlation::EventRefBuffer;
pub use correlation::GroupByField;
pub use correlation::GroupKey;
pub use correlation::WindowState;
pub use correlation_engine::CorrelationAction;
pub use correlation_engine::CorrelationConfig;
pub use correlation_engine::CorrelationEngine;
pub use correlation_engine::CorrelationEventMode;
pub use correlation_engine::CorrelationSnapshot;
pub use correlation_engine::ProcessResult;
pub use correlation_engine::TimestampFallback;
pub use engine::Engine;
pub use error::EvalError;
pub use error::Result;
pub use event::Event;
pub use event::EventValue;
pub use event::JsonEvent;
pub use event::KvEvent;
pub use event::MapEvent;
pub use event::PlainEvent;
pub use field_observer::FieldCoverage;
pub use field_observer::FieldObservation;
pub use field_observer::FieldObservationEntry;
pub use field_observer::FieldObserver;
pub use fields::FieldOrigin;
pub use fields::FieldSource;
pub use fields::RuleFieldSet;
pub use matcher::CompiledMatcher;
pub use pipeline::Pipeline;
pub use pipeline::TransformationItem;
pub use pipeline::apply_pipelines;
pub use pipeline::apply_pipelines_with_state;
pub use pipeline::builtin::builtin_names as builtin_pipeline_names;
pub use pipeline::builtin::resolve_builtin as resolve_builtin_pipeline;
pub use pipeline::merge_pipelines;
pub use pipeline::parse_pipeline;
pub use pipeline::parse_pipeline_file;
pub use pipeline::parse_sources_dir;
pub use pipeline::parse_sources_file;
pub use pipeline::parse_transformation_items;
pub use pipeline::validate_source_refs;
pub use result::CorrelationBody;
pub use result::DetectionBody;
pub use result::EvaluationResult;
pub use result::FieldMatch;
pub use result::ProcessResultExt;
pub use result::ResultBody;
pub use result::RuleHeader;

Modules§

compiler
Compile parsed Sigma rules into optimized in-memory representations.
correlation
Compiled correlation types, group key, window state, and compilation.
correlation_engine
Stateful correlation engine with time-windowed aggregation.
engine
Rule evaluation engine with logsource routing.
error
Evaluation-specific error types.
event
Event abstraction for Sigma rule evaluation.
field_observer
Opt-in observer that records every field name seen at evaluation time so consumers can report which event fields are not referenced by any loaded rule (gap signal) and which rule fields have never been seen in events (broken-coverage signal).
fields
Rule-field extraction shared between rsigma rule fields and the daemon’s field-observability endpoints.
matcher
Compiled matchers for zero-allocation hot-path evaluation.
pipeline
Processing pipeline system for transforming Sigma rules before evaluation.
result
Unified result type for rule evaluation and correlation.
rule_index
Inverted index for rule pre-filtering.