Module compiler

Compile parsed Sigma rules into optimized in-memory representations.

The compiler transforms the parser AST (SigmaRule, Detection, DetectionItem) into compiled forms (CompiledRule, CompiledDetection, CompiledDetectionItem) that can be evaluated efficiently against events.

Modifier interpretation happens here: the compiler reads the Vec<Modifier> from each FieldSpec and produces the appropriate CompiledMatcher variant.

Structs

CompiledDetectionItem
A compiled detection item: a field + matcher.
CompiledRule
A compiled Sigma rule, ready for evaluation.

Enums

CompiledDetection
A compiled detection definition.

Functions

compile_detection
Compile a parsed detection tree into a CompiledDetection.
compile_rule
Compile a parsed SigmaRule into a CompiledRule.
eval_condition
Evaluate a condition expression against the event using compiled detections.
evaluate_rule
Evaluate a compiled rule against an event, returning an EvaluationResult if it matches.