Labels: enhancement (New feature or request), help wanted (Extra attention is needed)
Description
Sigma is the open standard for log detection rules with 4000+ community rules. Adding Sigma compatibility would make LogReaper significantly more powerful and tap into an existing ecosystem.
Why This Matters
- Sigma has ~8k GitHub stars and a massive rule library
- Users wouldn't need to maintain custom regex patterns — just point LogReaper at Sigma rules
- Positions LogReaper as a lightweight Sigma evaluator for Linux CLI (like Chainsaw is for Windows)
- Community can contribute Sigma rules without touching C code
Proposed Approach
Phase 1: Basic YAML Parsing
- Parse Sigma YAML rule files (detection field with keywords/patterns)
- Convert Sigma `contains`, `startswith`, `endswith` modifiers to regex
- Support `logreaper --sigma-rules /path/to/rules/ logfile`
Phase 2: Full Sigma Support
- AND/OR logic in detection conditions
- Field mapping for common Linux log sources
- Sigma rule severity → LogReaper severity mapping
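As an added sketch (not LogReaper code), this is how Phase 1's modifier-to-regex conversion and Phase 2's `selection and not filter` condition logic could look in plain C with POSIX `<regex.h>`, which keeps the no-external-runtime constraint. It assumes the YAML step has already produced value/modifier pairs; the rule and the log lines it is tested against are constructed for the demo, not taken from SigmaHQ.

```c
#include <regex.h>
#include <stdbool.h>
#include <string.h>

/* Sigma value modifiers handled here (MOD_EQUALS is the unmodified default),
 * and one detection value: literal text, modifier, compiled regex. */
enum sigma_mod { MOD_EQUALS, MOD_CONTAINS, MOD_STARTSWITH, MOD_ENDSWITH };
struct sigma_item { const char *value; enum sigma_mod mod; regex_t re; };
/* Sigma value -> POSIX ERE: escape regex metacharacters in the literal, then
 * anchor per modifier. Sigma's own '*'/'?' wildcards are escaped, not translated. */
static bool sigma_to_regex(const char *v, enum sigma_mod mod, char *out, size_t cap) {
    size_t n = 0;
    if (cap < 4) return false;
    if (mod == MOD_EQUALS || mod == MOD_STARTSWITH) out[n++] = '^';
    for (; *v; v++) {
        if (n + 3 >= cap) return false;   /* keep room for escape, char, '$', NUL */
        if (strchr(".^$*+?()[]{}|\\", *v)) out[n++] = '\\';
        out[n++] = *v;
    }
    if (mod == MOD_EQUALS || mod == MOD_ENDSWITH) out[n++] = '$';
    out[n] = '\0';
    return true;
}

static bool sigma_item_compile(struct sigma_item *it) {
    char pat[256];
    if (!sigma_to_regex(it->value, it->mod, pat, sizeof pat)) return false;
    /* Sigma string matching is case-insensitive by default, hence REG_ICASE. */
    return regcomp(&it->re, pat, REG_EXTENDED | REG_ICASE | REG_NOSUB) == 0;
}

/* Condition "selection and not filter": all selection items match (AND), no filter item matches (NOT). */
static bool sigma_eval(const struct sigma_item *sel, size_t ns,
                       const struct sigma_item *flt, size_t nf, const char *line) {
    for (size_t i = 0; i < ns; i++) if (regexec(&sel[i].re, line, 0, NULL, 0) != 0) return false;
    for (size_t i = 0; i < nf; i++) if (regexec(&flt[i].re, line, 0, NULL, 0) == 0) return false;
    return true;
}
/* Constructed demo rule (not from SigmaHQ): sudo to an interactive shell, minus an
 * allow-listed service account. items[0..1] are the selection, items[2] the filter. */
bool demo_rule_fires(const char *line) {
    struct sigma_item items[] = { {.value = "sudo:", .mod = MOD_CONTAINS},
        {.value = "COMMAND=/bin/bash", .mod = MOD_ENDSWITH}, {.value = "USER=backup", .mod = MOD_CONTAINS} };
    size_t n = 0;
    while (n < 3 && sigma_item_compile(&items[n])) n++;    /* stop at the first compile failure */
    bool fired = n == 3 && sigma_eval(items, 2, items + 2, 1, line);
    for (size_t i = 0; i < n; i++) regfree(&items[i].re);  /* free only what compiled */
    return fired;
}
```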
Resources
- Sigma specification
- Sigma rules repo
- pySigma — reference implementation
Acceptance Criteria
- LogReaper can load and evaluate basic Sigma rules
- Works with at least 10 rules from the official SigmaHQ repo
- No Python/external runtime dependency — pure C implementation
- Documented in README with usage examples