https://github.com/Litch1-v/sigma-rs
sigma rule rust parser
- Host: GitHub
- URL: https://github.com/Litch1-v/sigma-rs
- Owner: Litch1-v
- Created: 2024-03-18T09:45:58.000Z (8 months ago)
- Default Branch: main
- Last Pushed: 2024-03-18T13:57:55.000Z (8 months ago)
- Last Synced: 2024-10-12T17:39:29.549Z (29 days ago)
- Language: Rust
- Homepage:
- Size: 12.7 KB
- Stars: 4
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# sigma-rs
A Rust implementation and parser of [Sigma rules](https://github.com/SigmaHQ/sigma), useful for building your own detection pipelines.

## Features
- supports complex conditions such as `(not test*) and ((1 of test1) or (all of test))`
- regex build cache: compiled patterns are reused instead of being rebuilt on every evaluation
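As an added illustration of what the condition syntax in the first bullet involves (example code written for this page, not sigma-rs's own implementation), the block below is a small recursive-descent parser for Sigma `condition` strings plus an evaluator over a map of selection name to per-event match result. It handles `and`, `or`, `not`, parentheses, `1 of` / `all of` with `*` wildcards and the keyword `them`; counts other than `1` are not handled. Every name in it is an assumption, including the selection names in `main`, whose results are constructed rather than produced by a real field matcher, and treating a bare wildcard reference such as `test*` as `1 of test*`.

```rust
// Added example (not sigma-rs code): parse and evaluate Sigma `condition` strings.
use std::collections::BTreeMap;

#[derive(Debug, PartialEq)]
enum Expr {
    Ref(String),   // selection name; a name with '*' is treated like "1 of <pattern>" (assumption)
    OneOf(String), // "1 of <pattern>" or "1 of them"
    AllOf(String), // "all of <pattern>" or "all of them"
    Not(Box<Expr>),
    And(Box<Expr>, Box<Expr>),
    Or(Box<Expr>, Box<Expr>),
}

// Recursive-descent parser over whitespace-separated tokens ('(' and ')' split out).
struct Parser { toks: Vec<String>, pos: usize }

impl Parser {
    // Consume the next token if it equals `kw` (keywords are case-insensitive).
    fn accept(&mut self, kw: &str) -> bool {
        let hit = self.toks.get(self.pos).map_or(false, |t| t.eq_ignore_ascii_case(kw));
        if hit { self.pos += 1; }
        hit
    }
    fn take(&mut self) -> Result<String, String> {
        let t = self.toks.get(self.pos).cloned().ok_or("unexpected end of condition")?;
        self.pos += 1;
        Ok(t)
    }
    // Precedence from loosest to tightest binding: or < and < not < atom.
    fn expr(&mut self) -> Result<Expr, String> {
        let mut lhs = self.term()?;
        while self.accept("or") { lhs = Expr::Or(Box::new(lhs), Box::new(self.term()?)); }
        Ok(lhs)
    }
    fn term(&mut self) -> Result<Expr, String> {
        let mut lhs = self.factor()?;
        while self.accept("and") { lhs = Expr::And(Box::new(lhs), Box::new(self.factor()?)); }
        Ok(lhs)
    }
    fn factor(&mut self) -> Result<Expr, String> {
        if self.accept("not") { return Ok(Expr::Not(Box::new(self.factor()?))); }
        if self.accept("(") {
            let inner = self.expr()?;
            return if self.accept(")") { Ok(inner) } else { Err("expected ')'".into()) };
        }
        let tok = self.take()?;
        if tok == "1" || tok.eq_ignore_ascii_case("all") {
            if !self.accept("of") { return Err(format!("expected 'of' after '{tok}'")); }
            let pat = self.take()?;
            return Ok(if tok == "1" { Expr::OneOf(pat) } else { Expr::AllOf(pat) });
        }
        if ["and", "or", "not", ")"].iter().any(|k| tok.eq_ignore_ascii_case(k)) {
            return Err(format!("unexpected '{tok}'"));
        }
        Ok(Expr::Ref(tok))
    }
}

fn parse_condition(src: &str) -> Result<Expr, String> {
    let toks = src.replace('(', " ( ").replace(')', " ) ")
        .split_whitespace().map(|t| t.to_string()).collect();
    let mut p = Parser { toks, pos: 0 };
    let e = p.expr()?;
    if p.pos != p.toks.len() { return Err(format!("trailing token '{}'", p.toks[p.pos])); }
    Ok(e)
}

// Wildcard match where '*' matches any (possibly empty) run of characters; ASCII names assumed.
fn glob(pat: &str, name: &str) -> bool {
    match pat.split_once('*') {
        None => pat == name,
        Some((head, rest)) => name.starts_with(head) && (head.len()..=name.len()).any(|i| glob(rest, &name[i..])),
    }
}

// Results of the selections a pattern (or the keyword `them`) refers to.
fn select(pat: &str, matched: &BTreeMap<&str, bool>) -> Vec<bool> {
    matched.iter()
        .filter(|(name, _)| pat.eq_ignore_ascii_case("them") || glob(pat, name))
        .map(|(_, &hit)| hit)
        .collect()
}

fn eval(e: &Expr, matched: &BTreeMap<&str, bool>) -> bool {
    match e {
        Expr::Ref(p) | Expr::OneOf(p) => select(p, matched).iter().any(|&b| b),
        Expr::AllOf(p) => { let s = select(p, matched); !s.is_empty() && s.iter().all(|&b| b) }
        Expr::Not(x) => !eval(x, matched),
        Expr::And(a, b) => eval(a, matched) && eval(b, matched),
        Expr::Or(a, b) => eval(a, matched) || eval(b, matched),
    }
}

// `matched` holds each selection's result for one event, as a field matcher would produce it.
fn evaluate_condition(cond: &str, matched: &BTreeMap<&str, bool>) -> Result<bool, String> {
    Ok(eval(&parse_condition(cond)?, matched))
}

fn main() {
    // Constructed results for one event: both selections hit, the optional filter does not.
    let matched = BTreeMap::from([("selection_img", true), ("selection_cli", true), ("filter_optional", false)]);
    let cond = "all of selection_* and not 1 of filter_*";
    println!("{cond} => {:?}", evaluate_condition(cond, &matched)); // prints Ok(true)
}
```

Two points worth checking in any condition evaluator of this kind: `all of <pattern>` over a pattern that matches no selection returns false here rather than vacuously true, so a typo in a selection name cannot silently turn a filter into a match-all; and an unknown bare name also evaluates to false instead of erroring, which a production parser should probably reject at parse time by validating names against the rule's `detection` keys.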
## Usage
```rust
// Assumed import path: the README shows `parse_sigma` and `evaluate_sigma` but not where they live.
use sigma_rs::{evaluate_sigma, parse_sigma};

fn main() {
    // Sigma rule as YAML. Only the title survives in the original README; the
    // logsource and detection sections are elided here.
    let rule = r#"title: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE"#;
    // Process-creation event to evaluate the rule against, as JSON.
    let source = r#"{
        "Image": "C:\\Windows\\system32\\certutil.exe",
        "ParentImage": "C:\\WINDOWS\\system32\\cmd.exe",
        "ProcessId": "10952",
        "utc_time": "2023-03-20 17:31:23",
        "ServerScore": "0",
        "CommandLine": "certutil -urlcache \"-split\" \"-f\" \"http://transfer.sh/artifact.exe test.exe\"",
        "ParentCommandLine": "\"C:\\WINDOWS\\system32\\cmd.exe\"",
        "OriginalFile": "CertUtil.exe.mui",
        "log_type": "ProcessCreate"
    }"#;
    // Parse the rule once, then evaluate it against the event and print the result.
    println!("{}", evaluate_sigma(parse_sigma(rule.to_string()), &source));
}
```

## Reference
- [sigma-go](https://github.com/bradleyjkemp/sigma-go)
- [chainsaw](https://github.com/WithSecureLabs/chainsaw)