sigma_rust/
error.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
#[derive(Debug, thiserror::Error)]
pub enum ParserError {
    #[error("The field modifiers '{0}' and '{1}' are conflicting")]
    ConflictingModifiers(String, String),

    #[error("Unknown field modifier '{0}' provided")]
    UnknownModifier(String),

    #[error("UTF16 encoding requested but no value transformation modifier provided (base64 or base64offset)"
    )]
    Utf16WithoutBase64,

    #[error(
        "The modifier '{0}' is ambiguous and therefore unsupported; use utf16le or utf16be instead"
    )]
    AmbiguousUtf16Modifier(String),

    #[error("No values provided for field '{0}'")]
    EmptyValues(String),

    #[error("Failed to parse regular expression: '{0}'")]
    RegexParsing(regex::Error),

    #[error(
        "The modifier '{0}' must not be combined with other modifiers except 'all' and 'fieldref'"
    )]
    StandaloneViolation(String),

    #[error("The 'exists' modifier must not be combined with any other modifiers")]
    ExistsNotStandalone(),

    #[error("The 'exists' modifier requires a single boolean value")]
    InvalidValueForExists(),

    #[error("Failed to parse IP address '{0}': '{1}'")]
    IPParsing(String, String),

    #[error("Provided YAML is not a valid field representation: '{0}'")]
    InvalidYAML(String),

    #[error("Missing closing parenthesis in condition")]
    MissingClosingParenthesis(),

    #[error("Encountered unexpected token '{0}' in condition")]
    UnexpectedToken(String),

    #[error("Encountered invalid operator '{0}' in condition")]
    InvalidOperator(String),

    #[error("Condition references undefined identifiers: '{0:?}'")]
    UndefinedIdentifiers(Vec<String>),

    #[error("Selection '{0}' has an error: '{1}'")]
    SelectionParsingError(String, SelectionError),

    #[error("Field names must be string, got: '{0}'")]
    InvalidFieldName(String),

    #[error("The modifiers contains, startswith and endswith must be used with string values, got: '{0}'"
    )]
    InvalidValueForStringModifier(String),
}

#[derive(Debug, thiserror::Error)]
pub enum SelectionError {
    #[error("Selection without fields detected")]
    SelectionContainsNoFields(),

    #[error("Mixing keyword selection and field lists is not supported")]
    MixedKeywordAndFieldlist(),

    #[error("Selection has invalid type; it must be a list or dictionary")]
    InvalidSelectionType(),

    #[error("Invalid keyword selection, keywords must be string, number or boolean, got: '{0}'")]
    InvalidKeywordSelection(String),
}

#[cfg(feature = "serde_json")]
#[derive(Debug, thiserror::Error)]
pub enum JSONError {
    #[error("{0} is not a valid field value")]
    InvalidFieldValue(String),

    #[error("Events must be plain key value mappings")]
    InvalidEvent(),
}