Expand description
§rsigma-parser
A comprehensive parser for Sigma detection rules, correlations, and filters.
This crate parses Sigma YAML files into a strongly-typed AST, handling:
- Detection rules: field matching, wildcards, boolean conditions, field modifiers
- Condition expressions:
and,or,not,1 of,all of, parenthesized groups - Correlation rules:
event_count,value_count,temporal, aggregations - Filter rules: additional conditions applied to referenced rules
- Rule collections: multi-document YAML,
action: global/reset/repeat - Value types: strings with wildcards, numbers, booleans, null, regex, CIDR
- All 30+ field modifiers:
contains,endswith,startswith,re,cidr,base64,base64offset,wide,windash,all,cased,exists,fieldref, comparison operators, regex flags, timestamp parts, and more
§Architecture
- PEG grammar (
pest) for condition expression parsing with correct operator precedence (NOT>AND>OR) and Pratt parsing - serde_yaml for YAML structure deserialization
- Custom parsing for field modifiers, wildcard strings, and timespan values
§Quick Start
use rsigma_parser::parse_sigma_yaml;
let yaml = r#"
title: Detect Whoami
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains: 'whoami'
condition: selection
level: medium
"#;
let collection = parse_sigma_yaml(yaml).unwrap();
assert_eq!(collection.rules.len(), 1);
assert_eq!(collection.rules[0].title, "Detect Whoami");§Parsing condition expressions
use rsigma_parser::parse_condition;
let expr = parse_condition("selection_main and 1 of selection_dword_* and not 1 of filter_*").unwrap();
println!("{expr}");Re-exports§
pub use ast::ConditionExpr;pub use ast::ConditionOperator;pub use ast::CorrelationCondition;pub use ast::CorrelationRule;pub use ast::CorrelationType;pub use ast::Detection;pub use ast::DetectionItem;pub use ast::Detections;pub use ast::FieldAlias;pub use ast::FieldSpec;pub use ast::FilterRule;pub use ast::Level;pub use ast::LogSource;pub use ast::Modifier;pub use ast::Quantifier;pub use ast::Related;pub use ast::RelationType;pub use ast::SelectorPattern;pub use ast::SigmaCollection;pub use ast::SigmaDocument;pub use ast::SigmaRule;pub use ast::Status;pub use condition::parse_condition;pub use error::Result;pub use error::SigmaParserError;pub use error::SourceLocation;pub use lint::FileLintResult;pub use lint::Fix;pub use lint::FixDisposition;pub use lint::FixPatch;pub use lint::InlineSuppressions;pub use lint::LintConfig;pub use lint::LintRule;pub use lint::LintWarning;pub use lint::Severity;pub use lint::Span;pub use lint::apply_suppressions;pub use lint::lint_yaml_directory;pub use lint::lint_yaml_directory_with_config;pub use lint::lint_yaml_file;pub use lint::lint_yaml_file_with_config;pub use lint::lint_yaml_str;pub use lint::lint_yaml_str_with_config;pub use lint::lint_yaml_value;pub use lint::parse_inline_suppressions;pub use parser::parse_field_spec;pub use parser::parse_sigma_directory;pub use parser::parse_sigma_file;pub use parser::parse_sigma_yaml;pub use value::SigmaString;pub use value::SigmaValue;pub use value::SpecialChar;pub use value::StringPart;pub use value::Timespan;
Modules§
- ast
- AST types for all Sigma constructs: rules, detections, conditions, correlations, and filters.
- condition
- Condition expression parser using pest PEG grammar + Pratt parser.
- error
- lint
- Built-in linter for Sigma rules, correlations, and filters.
- parser
- Main YAML → AST parser for Sigma rules, correlations, filters, and collections.
- value