Compile parsed Sigma rules into optimized in-memory representations.
The compiler transforms the parser AST (SigmaRule, Detection,
DetectionItem) into compiled forms (CompiledRule, CompiledDetection,
CompiledDetectionItem) that can be evaluated efficiently against events.
Modifier interpretation happens here: the compiler reads the Vec<Modifier>
from each FieldSpec and produces the appropriate CompiledMatcher variant.
Structs
- CompiledDetectionItem - A compiled detection item: a field + matcher.
- CompiledRule - A compiled Sigma rule, ready for evaluation.
Enums
- CompiledDetection - A compiled detection definition.
Functions
- compile_detection - Compile a parsed detection tree into a CompiledDetection.
- compile_rule - Compile a parsed SigmaRule into a CompiledRule.
- eval_condition - Evaluate a condition expression against the event using compiled detections.
- evaluate_rule - Evaluate a compiled rule against an event, returning an EvaluationResult if it matches.