Expand description
§rsigma-eval
Evaluator for Sigma detection and correlation rules.
This crate consumes the AST produced by rsigma_parser and evaluates it
against events in real time using a compile-then-evaluate model.
§Architecture
- Detection rules (stateless): compiled once into optimized matchers, each event is matched with zero allocation on the hot path.
- Correlation rules (stateful): time-windowed aggregation over detection
matches, supporting
event_count,value_count,temporal,temporal_ordered,value_sum,value_avg,value_percentile, andvalue_median.
§Quick Start — Detection Only
use rsigma_parser::parse_sigma_yaml;
use rsigma_eval::{Engine, Event};
use serde_json::json;
let yaml = r#"
title: Detect Whoami
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains: 'whoami'
condition: selection
level: medium
"#;
let collection = parse_sigma_yaml(yaml).unwrap();
let mut engine = Engine::new();
engine.add_collection(&collection).unwrap();
let event_val = json!({"CommandLine": "cmd /c whoami"});
let event = Event::from_value(&event_val);
let matches = engine.evaluate(&event);
assert_eq!(matches.len(), 1);§Quick Start — With Correlations
use rsigma_parser::parse_sigma_yaml;
use rsigma_eval::{CorrelationEngine, CorrelationConfig, Event};
use serde_json::json;
let yaml = r#"
title: Login
id: login-rule
logsource:
category: auth
detection:
selection:
EventType: login
condition: selection
---
title: Many Logins
correlation:
type: event_count
rules:
- login-rule
group-by:
- User
timespan: 60s
condition:
gte: 3
level: high
"#;
let collection = parse_sigma_yaml(yaml).unwrap();
let mut engine = CorrelationEngine::new(CorrelationConfig::default());
engine.add_collection(&collection).unwrap();
for i in 0..3 {
let v = json!({"EventType": "login", "User": "admin"});
let event = Event::from_value(&v);
let result = engine.process_event_at(&event, 1000 + i);
if i == 2 {
assert_eq!(result.correlations.len(), 1);
}
}Re-exports§
pub use compiler::CompiledDetection;pub use compiler::CompiledDetectionItem;pub use compiler::CompiledRule;pub use compiler::compile_rule;pub use compiler::evaluate_rule;pub use correlation::CompiledCondition;pub use correlation::CompiledCorrelation;pub use correlation::EventBuffer;pub use correlation::EventRef;pub use correlation::EventRefBuffer;pub use correlation::GroupByField;pub use correlation::GroupKey;pub use correlation::WindowState;pub use correlation_engine::CorrelationAction;pub use correlation_engine::CorrelationConfig;pub use correlation_engine::CorrelationEngine;pub use correlation_engine::CorrelationEventMode;pub use correlation_engine::CorrelationResult;pub use correlation_engine::ProcessResult;pub use correlation_engine::TimestampFallback;pub use engine::Engine;pub use error::EvalError;pub use error::Result;pub use event::Event;pub use matcher::CompiledMatcher;pub use pipeline::Pipeline;pub use pipeline::apply_pipelines;pub use pipeline::merge_pipelines;pub use pipeline::parse_pipeline;pub use pipeline::parse_pipeline_file;pub use result::FieldMatch;pub use result::MatchResult;
Modules§
- compiler
- Compile parsed Sigma rules into optimized in-memory representations.
- correlation
- Compiled correlation types, group key, window state, and compilation.
- correlation_
engine - Stateful correlation engine with time-windowed aggregation.
- engine
- Rule evaluation engine with logsource routing.
- error
- Evaluation-specific error types.
- event
- Event wrapper with dot-notation field access.
- matcher
- Compiled matchers for zero-allocation hot-path evaluation.
- pipeline
- Processing pipeline system for transforming Sigma rules before evaluation.
- result
- Match result types for rule evaluation.