bradleyjkemp / sigma-go

A Go implementation and parser for Sigma rules.
MIT License

README.md refers to a sigmac tool but this had been removed. #38

Closed scudette closed 1 year ago

scudette commented 1 year ago

Maybe just a documentation issue? Or was the tool removed elsewhere?

bradleyjkemp commented 1 year ago

Ah, yes this was removed: https://github.com/bradleyjkemp/sigma-go/commit/f14b31fc744279734c0b9323aa8ce6d52490773c

The tool read in a directory of Sigma rules, parsed them, and wrote out a file containing the equivalent Go literals. This seemed like a bad pattern for negligible performance benefit (vs. just parsing rules in an init function). In particular, it introduces the edge case where a rule can be parsed with one version of sigma-go but evaluated using another.

Interested to hear your use case though?

scudette commented 1 year ago

I just wanted to test this library against some sigma rules to see if the parser was able to handle them.

Ideally I wanted to verify that the AST was built correctly and maybe have some quick test of the filtering/detection, but this repo has no main modules, so it seemed like I would need to write something to get started even evaluating the project.

It would be super helpful to have some toy examples in an examples directory just to help people get started.

bradleyjkemp commented 1 year ago

Good point. I believe this library correctly parses almost all the rules in the SigmaHQ repo, but it's not actually something that's tested.

sigma-test might be a quick way to check parsing your rules (as it uses this library for evaluating rules). It follows the general pattern:

  1. Read relevant .yml files
  2. Pass the contents to ParseRule or ParseConfig
  3. Create an evaluator from a rule plus a config

See also this benchmark/test harness https://github.com/bradleyjkemp/sigma-go/blob/890dbfeea12cce09cdb74c366a968bc54764897e/evaluator/benchmarks_test.go#L87