markuskont / go-sigma-rule-engine

Golang library that implements a sigma log rule parser and match engine.
Apache License 2.0

support for embed FS as rule directory #15

Open mosajjal opened 2 years ago

mosajjal commented 2 years ago

Hi,

I was playing around with the detection engine and it works well. However, it's not easy to use something like embed.FS to include the rules inside the Go binary. For example, in the following code:

    RuleSet, err = sigma.NewRuleset(sigma.Config{
        Directory: []string{"./rules"},
    })

the Directory variable has to be a string and it's not an abstracted interface, hence there's no way to easily include the rules directory inside the binary. Is this something you're keen to add? I can take a look at how it can be done and send a PR if interested :)

Cheers,

markuskont commented 2 years ago

Hey, I think it's a great idea. Most of the constructors were built before embed.FS existed, thus the lack of support.

Just a heads up though, you can do experiments against https://github.com/markuskont/go-sigma-rule-engine/tree/next-0.3-reorg-2022-04

I will merge it soon, within the week I guess, and it reorganizes the entire project layout. So just to avoid rebase hassles later.

markuskont commented 2 years ago

Linking https://github.com/markuskont/go-sigma-rule-engine/issues/8
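
The abstraction requested in this issue, sketched as an added example using only the Go standard library (it is not code from go-sigma-rule-engine or from either commenter). `loadRuleFiles` and `constructedRules` are hypothetical names; the loader accepts any `fs.FS`, so an `embed.FS` compiled into the binary and `os.DirFS("./rules")` on disk go through the same path, and `fstest.MapFS` stands in for the embedded rules here.

```go
package main

import (
	"fmt"
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
)

// loadRuleFiles is a hypothetical helper, not part of go-sigma-rule-engine.
// It walks root inside any fs.FS and returns each YAML file's bytes by path.
func loadRuleFiles(fsys fs.FS, root string) (map[string][]byte, error) {
	out := make(map[string][]byte)
	err := fs.WalkDir(fsys, root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err // includes a missing or unreadable root
		}
		if d.IsDir() {
			return nil
		}
		// Only rule files are loaded; anything else in the tree is ignored.
		if ext := strings.ToLower(path.Ext(p)); ext != ".yml" && ext != ".yaml" {
			return nil
		}
		data, err := fs.ReadFile(fsys, p)
		if err != nil {
			return fmt.Errorf("read %s: %w", p, err)
		}
		out[p] = data
		return nil
	})
	return out, err
}

// constructedRules is constructed sample data standing in for an embed.FS.
func constructedRules() fs.FS {
	return fstest.MapFS{
		"rules/windows/proc.yml": {Data: []byte("title: constructed rule A\n")},
		"rules/linux/auth.yaml":  {Data: []byte("title: constructed rule B\n")},
		"rules/README.md":        {Data: []byte("not a rule\n")},
	}
}

func main() {
	rules, err := loadRuleFiles(constructedRules(), "rules")
	fmt.Println(len(rules), "rule files loaded, err:", err)
}
```

Rules read this way come from the binary's own read-only data rather than from a directory that can be modified after deployment.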