bradleyjkemp / sigma-go

A Go implementation and parser for Sigma rules.
MIT License
84 stars, 18 forks

Sigma filters #44

Open myoung34 opened 3 months ago

myoung34 commented 3 months ago

Any plans to implement Sigma filters?

bradleyjkemp commented 2 months ago

Interesting, I missed the announcement of these.

My initial thoughts are this:

  1. We add support for parsing these into the sigma.Rule struct (add a new filter field).
  2. Add a WithFilters option to the evaluator which takes a filter/filters. Then when calling Matches() on the evaluator, this filter will automatically be run before the rule.

I don't have any immediate need for these, so don't have any plans to implement them in the short term, but I think this library should support them in future. Definitely open to PRs (though some more design/exploration would be a good first step).
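A sketch of the design in the comment above, as an added example that is not sigma-go's own code: hypothetical `Rule`, `Filter` and `Evaluator` types, a `WithFilters` option, and a `Matches` that runs the filters scoped to the rule before the rule's own condition. It assumes Sigma filter semantics in which a filter's condition is ANDed with the rule condition, so a filter evaluating to false suppresses the match; the rule ID and log events are constructed placeholders.

```go
package main
import "fmt"
import "strings"
// Event is a flat key/value log record (constructed for this example).
type Event map[string]string
// Rule stands in for a parsed Sigma rule (hypothetical; not sigma-go's sigma.Rule).
type Rule struct{ ID string; Match func(Event) bool }
// Filter models a Sigma meta filter: the rule IDs it applies to plus its own
// condition. Assumption: a filter whose condition is false suppresses the match.
type Filter struct{ Rules map[string]bool; Cond func(Event) bool }
type Evaluator struct{ rule Rule; filters []Filter }

// WithFilters is the option sketched in the issue: attached filters are checked
// inside Matches before the rule condition runs.
func WithFilters(fs ...Filter) func(*Evaluator) {
	return func(e *Evaluator) { e.filters = append(e.filters, fs...) }
}

func NewEvaluator(r Rule, opts ...func(*Evaluator)) *Evaluator {
	e := &Evaluator{rule: r}
	for _, o := range opts {
		o(e)
	}
	return e
}

// Matches runs the filters naming this rule first; the rule condition is only
// evaluated when none of them rejects the event.
func (e *Evaluator) Matches(ev Event) bool {
	for _, f := range e.filters {
		if f.Rules[e.rule.ID] && !f.Cond(ev) {
			return false
		}
	}
	return e.rule.Match(ev)
}

// DemoEvaluator: a constructed rule flagging whoami.exe, plus a filter
// ("condition: not selection") exempting admin-tier accounts. Placeholder rule ID.
func DemoEvaluator() *Evaluator {
	const id = "rule-id-placeholder"
	rule := Rule{ID: id, Match: func(ev Event) bool { return strings.HasSuffix(ev["Image"], `\whoami.exe`) }}
	f := Filter{Rules: map[string]bool{id: true}, Cond: func(ev Event) bool { return !strings.HasPrefix(ev["User"], "adm_") }}
	return NewEvaluator(rule, WithFilters(f))
}

func main() {
	e := DemoEvaluator()
	fmt.Println(e.Matches(Event{"Image": `C:\Windows\System32\whoami.exe`, "User": "jdoe"}))     // true
	fmt.Println(e.Matches(Event{"Image": `C:\Windows\System32\whoami.exe`, "User": "adm_jdoe"})) // false
}
```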