2 releases
new 0.1.1 | Nov 7, 2024 |
---|---|
0.1.0 | Nov 7, 2024 |
#400 in Data structures
42KB
1K
SLoC
Sigmars
Sigmars is a Rust library for working with Sigma rules, which are used for describing log events in a generic format. This library provides functionality for parsing, evaluating, and managing Sigma rules.
Features
- Evaluates Sigma rules against serde_json::Value
- Manage collections of Sigma rules (similar to pySigma)
- supports all Sigma 2.0 condition modifiers including fieldref
- supports the full Sigma condition syntax as a pest Pratt grammar
Usage
use sigmars::Detection;
use serde_json::json;
use serde_yml::from_str;
fn main() {
let detection_rule = r#"
selection:
foo: bar
condition: selection
"#;
let detection = Detection::new(&from_str::<serde_yml::Value>(detection_rule).unwrap()).unwrap();
let log = json!({
"foo": "bar"
});
assert_eq!(detection.eval(&log), true);
}
or to load a full collection:
use sigmars::{Collection, Event, Rule};
use serde_json::json;
fn main() {
let mut collection = Collection::default();
collection::load_ruleset("/path/to/detections").unwrap();
let log = json!({
"foo": "bar"
});
// evaluate all rules against a json value
let all_matches: Vec<&Rule> = collection.eval_json(log);
...
// or only evaluate rules that match a logsource
let metadata = HashMap::from([
("logsource".to_string(), json!({"product": "aws", "service": "cloudtrail"}))
]);
let log = json!({
"eventVersion" : "1.08",
"eventCategory" : "Management",
"etc": "..."
});
let event = Event::new(log, metadata);
let filtered_matches = collection.eval(event);
...
}
License
This project is licensed under the MIT License. See the LICENSE file for details.
Contributing
Contributions are welcome! Please open an issue or submit a pull request.
References
Dependencies
~10MB
~195K SLoC