Skip to main content

rsigma_parser/
error.rs

1use std::fmt;
2
3use thiserror::Error;
4
5/// Source location within a Sigma document.
6///
7/// Attached to parse errors when position information is available
8/// (e.g. from pest parse failures). Line and column are 1-indexed.
9#[derive(Debug, Clone, Copy, PartialEq, Eq)]
10pub struct SourceLocation {
11    pub line: u32,
12    pub col: u32,
13}
14
15impl fmt::Display for SourceLocation {
16    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
17        write!(f, "{}:{}", self.line, self.col)
18    }
19}
20
21/// Errors that can occur during Sigma rule parsing.
22#[derive(Debug, Error)]
23#[non_exhaustive]
24pub enum SigmaParserError {
25    #[error("YAML parsing error: {0}")]
26    Yaml(#[from] yaml_serde::Error),
27
28    #[error("{}", format_with_location(.0, .1))]
29    Condition(String, Option<SourceLocation>),
30
31    #[error("Unknown modifier '{0}'")]
32    UnknownModifier(String),
33
34    /// Reserved when a user writes `field|not: value` or
35    /// `field|contains|not: value` as if `not` were a value modifier.
36    /// Sigma does not support a `|not` modifier; negation is expressed at
37    /// the condition level (`not selection` or `selection and not filter`).
38    #[error(
39        "`not` is not a value modifier in Sigma; express negation in the \
40         condition (e.g. `not selection`) or move the inverted check into a \
41         separate detection used as a filter (e.g. `selection and not other`)"
42    )]
43    NotIsNotAModifier,
44
45    #[error("Invalid field specification: {0}")]
46    InvalidFieldSpec(String),
47
48    #[error("Invalid rule: {0}")]
49    InvalidRule(String),
50
51    #[error("Missing required field '{0}'")]
52    MissingField(String),
53
54    #[error("Invalid detection: {0}")]
55    InvalidDetection(String),
56
57    #[error("Invalid correlation rule: {0}")]
58    InvalidCorrelation(String),
59
60    #[error("Invalid timespan '{0}'")]
61    InvalidTimespan(String),
62
63    #[error("Invalid value: {0}")]
64    InvalidValue(String),
65
66    #[error("Invalid collection action '{0}'")]
67    InvalidAction(String),
68
69    #[error("IO error: {0}")]
70    Io(#[from] std::io::Error),
71
72    #[error("YAML merge exceeds maximum depth ({0})")]
73    MergeTooDeep(usize),
74
75    #[error("Condition string too long ({0} bytes, max {1})")]
76    ConditionTooLong(usize, usize),
77}
78
79impl SigmaParserError {
80    /// Returns the source location if this error variant carries one.
81    pub fn location(&self) -> Option<SourceLocation> {
82        match self {
83            SigmaParserError::Condition(_, loc) => *loc,
84            _ => None,
85        }
86    }
87}
88
89fn format_with_location(msg: &str, loc: &Option<SourceLocation>) -> String {
90    match loc {
91        Some(loc) => format!("Condition parse error at {loc}: {msg}"),
92        None => format!("Condition parse error: {msg}"),
93    }
94}
95
96pub type Result<T> = std::result::Result<T, SigmaParserError>;