Skip to main content

Crate rsigma_parser

Crate rsigma_parser 

Source
Expand description

§rsigma-parser

A comprehensive parser for Sigma detection rules, correlations, and filters.

This crate parses Sigma YAML files into a strongly-typed AST, handling:

  • Detection rules: field matching, wildcards, boolean conditions, field modifiers
  • Condition expressions: and, or, not, 1 of, all of, parenthesized groups
  • Correlation rules: event_count, value_count, temporal, aggregations
  • Filter rules: additional conditions applied to referenced rules
  • Rule collections: multi-document YAML, action: global/reset/repeat
  • Value types: strings with wildcards, numbers, booleans, null, regex, CIDR
  • All 30+ field modifiers: contains, endswith, startswith, re, cidr, base64, base64offset, wide, windash, all, cased, exists, fieldref, comparison operators, regex flags, timestamp parts, and more

§Architecture

  • PEG grammar (pest) for condition expression parsing with correct operator precedence (NOT > AND > OR) and Pratt parsing
  • serde_yaml for YAML structure deserialization
  • Custom parsing for field modifiers, wildcard strings, and timespan values

§Quick Start

use rsigma_parser::parse_sigma_yaml;

let yaml = r#"
title: Detect Whoami
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        CommandLine|contains: 'whoami'
    condition: selection
level: medium
"#;

let collection = parse_sigma_yaml(yaml).unwrap();
assert_eq!(collection.rules.len(), 1);
assert_eq!(collection.rules[0].title, "Detect Whoami");

§Parsing condition expressions

use rsigma_parser::parse_condition;

let expr = parse_condition("selection_main and 1 of selection_dword_* and not 1 of filter_*").unwrap();
println!("{expr}");

Re-exports§

pub use ast::ConditionExpr;
pub use ast::ConditionOperator;
pub use ast::CorrelationCondition;
pub use ast::CorrelationRule;
pub use ast::CorrelationType;
pub use ast::Detection;
pub use ast::DetectionItem;
pub use ast::Detections;
pub use ast::FieldAlias;
pub use ast::FieldSpec;
pub use ast::FilterRule;
pub use ast::Level;
pub use ast::LogSource;
pub use ast::Modifier;
pub use ast::Quantifier;
pub use ast::Related;
pub use ast::RelationType;
pub use ast::SelectorPattern;
pub use ast::SigmaCollection;
pub use ast::SigmaDocument;
pub use ast::SigmaRule;
pub use ast::Status;
pub use condition::parse_condition;
pub use error::Result;
pub use error::SigmaParserError;
pub use lint::FileLintResult;
pub use lint::InlineSuppressions;
pub use lint::LintConfig;
pub use lint::LintRule;
pub use lint::LintWarning;
pub use lint::Severity;
pub use lint::Span;
pub use lint::apply_suppressions;
pub use lint::lint_yaml_directory;
pub use lint::lint_yaml_directory_with_config;
pub use lint::lint_yaml_file;
pub use lint::lint_yaml_file_with_config;
pub use lint::lint_yaml_str;
pub use lint::lint_yaml_str_with_config;
pub use lint::lint_yaml_value;
pub use lint::parse_inline_suppressions;
pub use parser::parse_field_spec;
pub use parser::parse_sigma_directory;
pub use parser::parse_sigma_file;
pub use parser::parse_sigma_yaml;
pub use value::SigmaString;
pub use value::SigmaValue;
pub use value::SpecialChar;
pub use value::StringPart;
pub use value::Timespan;

Modules§

ast
AST types for all Sigma constructs: rules, detections, conditions, correlations, and filters.
condition
Condition expression parser using pest PEG grammar + Pratt parser.
error
lint
Built-in linter for Sigma rules, correlations, and filters.
parser
Main YAML → AST parser for Sigma rules, correlations, filters, and collections.
value