@panguard-ai/core 0.1.0

package/dist/rules/sigma-matcher.js

@@ -0,0 +1,447 @@
+/**
+ * Sigma rule event matcher
+ * Sigma 規則事件比對器
+ *
+ * Matches SecurityEvent instances against Sigma rules by evaluating
+ * detection selections and condition expressions.
+ * Supports wildcards (*), the |contains modifier, and simple AND/OR/NOT logic.
+ * 將 SecurityEvent 實例與 Sigma 規則比對，透過評估偵測選擇項和條件表達式。
+ * 支援萬用字元（*）、|contains 修飾符，以及簡單的 AND/OR/NOT 邏輯。
+ *
+ * @module @panguard-ai/core/rules/sigma-matcher
+ */
+import { createLogger } from '../utils/logger.js';
+const logger = createLogger('sigma-matcher');
+/**
+ * Convert a Sigma wildcard pattern to a RegExp
+ * 將 Sigma 萬用字元模式轉換為正規表達式
+ *
+ * Sigma uses `*` as a wildcard matching zero or more characters.
+ * Sigma 使用 `*` 作為比對零個或多個字元的萬用字元。
+ *
+ * @param pattern - Sigma pattern string possibly containing `*` wildcards / 可能包含 `*` 萬用字元的 Sigma 模式字串
+ * @returns Compiled RegExp for the pattern / 模式的編譯正規表達式
+ */
+function wildcardToRegex(pattern) {
+    const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
+    const withWildcards = escaped.replace(/\*/g, '.*');
+    return new RegExp(`^${withWildcards}$`, 'i');
+}
+/**
+ * Retrieve a field value from a SecurityEvent by name
+ * 依名稱從 SecurityEvent 取得欄位值
+ *
+ * Looks in the event's top-level properties first, then in metadata.
+ * 先在事件的頂層屬性中查找，然後在 metadata 中查找。
+ *
+ * @param event - The security event / 安全事件
+ * @param fieldName - Field name to look up / 要查找的欄位名稱
+ * @returns The field value as a string, or undefined if not found / 欄位值的字串，找不到則回傳 undefined
+ */
+function getEventFieldValue(event, fieldName) {
+    // Check top-level event properties first / 先檢查事件頂層屬性
+    const topLevelKeys = [
+        'id',
+        'source',
+        'severity',
+        'category',
+        'description',
+        'host',
+    ];
+    for (const key of topLevelKeys) {
+        if (key === fieldName) {
+            const val = event[key];
+            if (typeof val === 'string')
+                return val;
+            if (val instanceof Date)
+                return val.toISOString();
+            return String(val);
+        }
+    }
+    // Then check metadata / 然後檢查 metadata
+    const metaValue = event.metadata[fieldName];
+    if (metaValue === undefined || metaValue === null)
+        return undefined;
+    return String(metaValue);
+}
+/**
+ * Parse a field name and extract the base name and modifier
+ * 解析欄位名稱並擷取基礎名稱和修飾符
+ *
+ * Sigma field names can include modifiers like `|contains`, `|endswith`, `|startswith`.
+ * Sigma 欄位名稱可包含修飾符如 `|contains`、`|endswith`、`|startswith`。
+ *
+ * @param fieldName - Full field name possibly with modifier / 可能帶有修飾符的完整欄位名稱
+ * @returns Tuple of [baseName, modifier] / [基礎名稱, 修飾符] 的元組
+ */
+function parseFieldModifier(fieldName) {
+    const pipeIndex = fieldName.indexOf('|');
+    if (pipeIndex === -1)
+        return [fieldName, null];
+    return [fieldName.substring(0, pipeIndex), fieldName.substring(pipeIndex + 1)];
+}
+/**
+ * Check whether a single field value matches an expected value with modifier support
+ * 檢查單一欄位值是否與預期值比對（支援修飾符）
+ *
+ * @param actual - The actual event field value / 事件的實際欄位值
+ * @param expected - The expected value from the rule / 規則中的預期值
+ * @param modifier - Optional modifier (contains, endswith, startswith) / 可選修飾符
+ * @returns True if the value matches / 值比對時回傳 true
+ */
+function matchValue(actual, expected, modifier) {
+    const actualLower = actual.toLowerCase();
+    const expectedLower = expected.toLowerCase();
+    // Handle chained modifiers (e.g., "contains|all") — use first modifier
+    const primaryModifier = modifier?.split('|')[0] ?? null;
+    switch (primaryModifier) {
+        case 'contains':
+            return actualLower.includes(expectedLower);
+        case 'endswith':
+            return actualLower.endsWith(expectedLower);
+        case 'startswith':
+            return actualLower.startsWith(expectedLower);
+        case 're':
+            try {
+                return new RegExp(expected, 'i').test(actual);
+            }
+            catch {
+                logger.warn(`Invalid regex pattern: "${expected}" / 無效的正規表達式: "${expected}"`);
+                return false;
+            }
+        case 'base64':
+        case 'base64offset': {
+            // Check if the actual value contains the expected value in base64 form
+            try {
+                const decoded = Buffer.from(actual, 'base64').toString('utf-8');
+                return decoded.toLowerCase().includes(expectedLower);
+            }
+            catch {
+                return false;
+            }
+        }
+        case 'cidr': {
+            // Basic CIDR matching for IP addresses
+            return matchCIDR(actual, expected);
+        }
+        case 'gt':
+            return Number(actual) > Number(expected);
+        case 'gte':
+            return Number(actual) >= Number(expected);
+        case 'lt':
+            return Number(actual) < Number(expected);
+        case 'lte':
+            return Number(actual) <= Number(expected);
+        case 'utf8':
+        case 'wide':
+            // Encoding modifiers — perform basic string matching
+            return actualLower.includes(expectedLower);
+        default: {
+            // Default: exact match or wildcard match / 預設：精確比對或萬用字元比對
+            if (expected.includes('*')) {
+                return wildcardToRegex(expected).test(actual);
+            }
+            return actualLower === expectedLower;
+        }
+    }
+}
+/**
+ * Basic CIDR matching for IP addresses
+ * 基本的 CIDR IP 位址比對
+ */
+function matchCIDR(ip, cidr) {
+    const parts = cidr.split('/');
+    if (parts.length !== 2)
+        return ip === cidr;
+    const cidrIP = parts[0];
+    const prefixLen = parseInt(parts[1], 10);
+    if (isNaN(prefixLen))
+        return false;
+    const ipNum = ipToNumber(ip);
+    const cidrNum = ipToNumber(cidrIP);
+    if (ipNum === null || cidrNum === null)
+        return false;
+    const mask = prefixLen === 0 ? 0 : (~0 << (32 - prefixLen)) >>> 0;
+    return (ipNum & mask) === (cidrNum & mask);
+}
+function ipToNumber(ip) {
+    const parts = ip.split('.');
+    if (parts.length !== 4)
+        return null;
+    let num = 0;
+    for (const part of parts) {
+        const val = parseInt(part, 10);
+        if (isNaN(val) || val < 0 || val > 255)
+            return null;
+        num = (num << 8) | val;
+    }
+    return num >>> 0;
+}
+/**
+ * Evaluate a single detection selection against an event
+ * 評估單一偵測選擇項與事件的比對
+ *
+ * All fields in the selection must match (AND logic within a selection).
+ * For array values, any value matching counts as a match (OR logic for arrays).
+ * 選擇項中的所有欄位都必須比對（選擇項內為 AND 邏輯）。
+ * 對於陣列值，任一值比對即算比對成功（陣列為 OR 邏輯）。
+ *
+ * @param event - The security event to test / 要測試的安全事件
+ * @param selection - The selection fields and values / 選擇項欄位和值
+ * @returns Object with match result and list of matched field names / 比對結果和比對到的欄位名稱列表
+ */
+function evaluateSelection(event, selection) {
+    const matchedFields = [];
+    for (const [rawFieldName, expectedValues] of Object.entries(selection)) {
+        const [baseName, modifier] = parseFieldModifier(rawFieldName);
+        const actual = getEventFieldValue(event, baseName);
+        if (actual === undefined) {
+            return { matched: false, fields: [] };
+        }
+        const values = Array.isArray(expectedValues) ? expectedValues : [expectedValues];
+        const fieldMatched = values.some((expected) => matchValue(actual, expected, modifier));
+        if (!fieldMatched) {
+            return { matched: false, fields: [] };
+        }
+        matchedFields.push(baseName);
+    }
+    return { matched: true, fields: matchedFields };
+}
+/**
+ * Tokenize a condition expression into tokens
+ * 將條件表達式分詞為 token
+ *
+ * Splits the condition string into identifiers, operators (AND, OR, NOT),
+ * and parentheses.
+ * 將條件字串拆分為識別碼、運算子（AND、OR、NOT）和括號。
+ *
+ * @param condition - The condition string / 條件字串
+ * @returns Array of token strings / token 字串陣列
+ */
+function tokenize(condition) {
+    const tokens = [];
+    let current = '';
+    for (let i = 0; i < condition.length; i++) {
+        const ch = condition[i];
+        if (ch === '(' || ch === ')') {
+            if (current.trim())
+                tokens.push(current.trim());
+            tokens.push(ch);
+            current = '';
+        }
+        else if (ch === ' ' || ch === '\t') {
+            if (current.trim())
+                tokens.push(current.trim());
+            current = '';
+        }
+        else {
+            current += ch;
+        }
+    }
+    if (current.trim())
+        tokens.push(current.trim());
+    return tokens;
+}
+/**
+ * Resolve aggregation expressions like "1 of them", "all of them", "1 of selection*"
+ * 解析聚合表達式如 "1 of them"、"all of them"、"1 of selection*"
+ *
+ * Pre-processes the condition string to expand these into explicit OR/AND expressions.
+ *
+ * @param condition - The condition string / 條件字串
+ * @param selectionNames - Available selection names / 可用的選擇項名稱
+ * @returns Expanded condition string / 展開的條件字串
+ */
+function expandAggregations(condition, selectionNames) {
+    let result = condition;
+    // "all of them" → (sel1 AND sel2 AND ...)
+    result = result.replace(/\ball\s+of\s+them\b/gi, () => {
+        if (selectionNames.length === 0)
+            return 'false';
+        return '(' + selectionNames.join(' AND ') + ')';
+    });
+    // "1 of them" → (sel1 OR sel2 OR ...)
+    result = result.replace(/\b1\s+of\s+them\b/gi, () => {
+        if (selectionNames.length === 0)
+            return 'false';
+        return '(' + selectionNames.join(' OR ') + ')';
+    });
+    // "<N> of them" → at least N selections match (expand as OR of AND combos is complex,
+    // so we treat as "1 of them" for simplicity — covers most real-world rules)
+    result = result.replace(/\b\d+\s+of\s+them\b/gi, () => {
+        if (selectionNames.length === 0)
+            return 'false';
+        return '(' + selectionNames.join(' OR ') + ')';
+    });
+    // "all of <pattern>*" → AND of matching selections
+    result = result.replace(/\ball\s+of\s+(\w+)\*/gi, (_match, prefix) => {
+        const matching = selectionNames.filter((n) => n.startsWith(prefix));
+        if (matching.length === 0)
+            return 'false';
+        return '(' + matching.join(' AND ') + ')';
+    });
+    // "1 of <pattern>*" → OR of matching selections
+    result = result.replace(/\b1\s+of\s+(\w+)\*/gi, (_match, prefix) => {
+        const matching = selectionNames.filter((n) => n.startsWith(prefix));
+        if (matching.length === 0)
+            return 'false';
+        return '(' + matching.join(' OR ') + ')';
+    });
+    return result;
+}
+/**
+ * Evaluate a condition expression given selection results
+ * 根據選擇項結果評估條件表達式
+ *
+ * Supports AND/OR/NOT with parentheses, plus Sigma aggregation expressions:
+ * "1 of them", "all of them", "1 of selection*", "all of filter*"
+ * 支援 AND/OR/NOT 搭配括號，以及 Sigma 聚合表達式。
+ *
+ * @param condition - The condition expression / 條件表達式
+ * @param selectionResults - Map of selection name to match result / 選擇項名稱到比對結果的映射
+ * @returns True if the condition is satisfied / 條件滿足時回傳 true
+ */
+function evaluateCondition(condition, selectionResults) {
+    // Expand aggregation expressions / 展開聚合表達式
+    const selectionNames = Array.from(selectionResults.keys());
+    const expanded = expandAggregations(condition, selectionNames);
+    const tokens = tokenize(expanded);
+    // Simple case: single selection name / 簡單情況：單一選擇項名稱
+    if (tokens.length === 1) {
+        const name = tokens[0];
+        if (name === 'false')
+            return false;
+        if (name === 'true')
+            return true;
+        return selectionResults.get(name) ?? false;
+    }
+    // Recursive descent parser for AND/OR/NOT with parentheses
+    // 遞迴下降解析器，處理 AND/OR/NOT 和括號
+    let pos = 0;
+    function peek() {
+        return tokens[pos];
+    }
+    function consume() {
+        const tok = tokens[pos];
+        pos++;
+        return tok;
+    }
+    /**
+     * Parse primary: NOT, parenthesized expression, or selection name
+     * 解析主要項：NOT、括號表達式或選擇項名稱
+     */
+    function parsePrimary() {
+        const tok = peek();
+        if (tok === undefined)
+            return false;
+        if (tok.toUpperCase() === 'NOT') {
+            consume();
+            return !parsePrimary();
+        }
+        if (tok === '(') {
+            consume(); // consume '('
+            const result = parseOr();
+            if (peek() === ')')
+                consume(); // consume ')'
+            return result;
+        }
+        // It is a selection name / 是選擇項名稱
+        consume();
+        if (tok === 'false')
+            return false;
+        if (tok === 'true')
+            return true;
+        return selectionResults.get(tok) ?? false;
+    }
+    /**
+     * Parse AND expressions / 解析 AND 表達式
+     */
+    function parseAnd() {
+        let result = parsePrimary();
+        while (peek()?.toUpperCase() === 'AND') {
+            consume();
+            const right = parsePrimary();
+            result = result && right;
+        }
+        return result;
+    }
+    /**
+     * Parse OR expressions (lowest precedence) / 解析 OR 表達式（最低優先權）
+     */
+    function parseOr() {
+        let result = parseAnd();
+        while (peek()?.toUpperCase() === 'OR') {
+            consume();
+            const right = parseAnd();
+            result = result || right;
+        }
+        return result;
+    }
+    return parseOr();
+}
+/**
+ * Match a single security event against a single Sigma rule
+ * 比對單一安全事件與單一 Sigma 規則
+ *
+ * Evaluates all selections in the rule's detection block, then checks
+ * whether the condition expression is satisfied.
+ * 評估規則偵測區塊中的所有選擇項，然後檢查條件表達式是否滿足。
+ *
+ * @param event - The security event to test / 要測試的安全事件
+ * @param rule - The Sigma rule to match against / 要比對的 Sigma 規則
+ * @returns A RuleMatch if the event matches, or null / 事件比對時回傳 RuleMatch，否則回傳 null
+ */
+export function matchEvent(event, rule) {
+    const detection = rule.detection;
+    const selectionResults = new Map();
+    const allMatchedFields = [];
+    // Evaluate each selection in the detection block / 評估偵測區塊中的每個選擇項
+    for (const [key, value] of Object.entries(detection)) {
+        if (key === 'condition')
+            continue;
+        if (typeof value === 'string')
+            continue; // skip condition-like entries / 跳過條件類條目
+        const result = evaluateSelection(event, value);
+        selectionResults.set(key, result.matched);
+        if (result.matched) {
+            allMatchedFields.push(...result.fields);
+        }
+    }
+    // Evaluate the condition expression / 評估條件表達式
+    const conditionMet = evaluateCondition(detection.condition, selectionResults);
+    if (!conditionMet) {
+        return null;
+    }
+    // Deduplicate matched fields / 去重比對到的欄位
+    const uniqueFields = [...new Set(allMatchedFields)];
+    const match = {
+        rule,
+        event,
+        matchedFields: uniqueFields,
+        timestamp: new Date().toISOString(),
+    };
+    logger.info(`Event matched rule "${rule.title}" (${rule.id}) / 事件比對到規則 "${rule.title}" (${rule.id})`, { eventId: event.id, matchedFields: uniqueFields });
+    return match;
+}
+/**
+ * Match a single security event against multiple Sigma rules
+ * 比對單一安全事件與多個 Sigma 規則
+ *
+ * Tests the event against every rule and returns all matches.
+ * 將事件與每個規則測試並回傳所有比對結果。
+ *
+ * @param event - The security event to test / 要測試的安全事件
+ * @param rules - Array of Sigma rules to match against / 要比對的 Sigma 規則陣列
+ * @returns Array of RuleMatch for all matching rules / 所有比對規則的 RuleMatch 陣列
+ */
+export function matchEventAgainstRules(event, rules) {
+    const matches = [];
+    for (const rule of rules) {
+        const result = matchEvent(event, rule);
+        if (result !== null) {
+            matches.push(result);
+        }
+    }
+    return matches;
+}
+//# sourceMappingURL=sigma-matcher.js.map

package/dist/rules/sigma-matcher.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sigma-matcher.js","sourceRoot":"","sources":["../../src/rules/sigma-matcher.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAIlD,MAAM,MAAM,GAAG,YAAY,CAAC,eAAe,CAAC,CAAC;AAE7C;;;;;;;;;GASG;AACH,SAAS,eAAe,CAAC,OAAe;IACtC,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAC9D,MAAM,aAAa,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;IACnD,OAAO,IAAI,MAAM,CAAC,IAAI,aAAa,GAAG,EAAE,GAAG,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,kBAAkB,CAAC,KAAoB,EAAE,SAAiB;IACjE,qDAAqD;IACrD,MAAM,YAAY,GAAuC;QACvD,IAAI;QACJ,QAAQ;QACR,UAAU;QACV,UAAU;QACV,aAAa;QACb,MAAM;KACP,CAAC;IAEF,KAAK,MAAM,GAAG,IAAI,YAAY,EAAE,CAAC;QAC/B,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YACtB,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,CAAC,CAAC;YACvB,IAAI,OAAO,GAAG,KAAK,QAAQ;gBAAE,OAAO,GAAG,CAAC;YACxC,IAAI,GAAG,YAAY,IAAI;gBAAE,OAAO,GAAG,CAAC,WAAW,EAAE,CAAC;YAClD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IAED,sCAAsC;IACtC,MAAM,SAAS,GAAG,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAC5C,IAAI,SAAS,KAAK,SAAS,IAAI,SAAS,KAAK,IAAI;QAAE,OAAO,SAAS,CAAC;IACpE,OAAO,MAAM,CAAC,SAAS,CAAC,CAAC;AAC3B,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,kBAAkB,CAAC,SAAiB;IAC3C,MAAM,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IACzC,IAAI,SAAS,KAAK,CAAC,CAAC;QAAE,OAAO,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAC/C,OAAO,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,EAAE,SAAS,CAAC,EAAE,SAAS,CAAC,SAAS,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC;AACjF,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,UAAU,CAAC,MAAc,EAAE,QAAgB,EAAE,QAAuB;IAC3E,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;IACzC,MAAM,aAAa,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAE7C,uEAAuE;IACvE,MAAM,eAAe,GAAG,QAAQ,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;IAExD,QAAQ,eAAe,EAAE,CAAC;QACxB,KAAK,UAAU;YACb,OAAO,WAAW,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC7C,KAAK,UAAU;YACb,OAAO,WAAW,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC7C,KAAK,YAAY;YACf,OAAO,WAAW,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QAC/C,KAAK,IAAI;YACP,IAAI,CAAC;gBACH,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAChD,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,CAAC,IAAI,CAAC,2BAA2B,QAAQ,kBAAkB,QAAQ,GAAG,CAAC,CAAC;gBAC9E,OAAO,KAAK,CAAC;YACf,CAAC;QACH,KAAK,QAAQ,CAAC;QACd,KAAK,cAAc,CAAC,CAAC,CAAC;YACpB,uEAAuE;YACvE,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;gBAChE,OAAO,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;YACvD,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,KAAK,CAAC;YACf,CAAC;QACH,CAAC;QACD,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,uCAAuC;YACvC,OAAO,SAAS,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QACrC,CAAC;QACD,KAAK,IAAI;YACP,OAAO,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC3C,KAAK,KAAK;YACR,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC5C,KAAK,IAAI;YACP,OAAO,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC3C,KAAK,KAAK;YACR,OAAO,MAAM,CAAC,MAAM,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,CAAC;QAC5C,KAAK,MAAM,CAAC;QACZ,KAAK,MAAM;YACT,qDAAqD;YACrD,OAAO,WAAW,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC;QAC7C,OAAO,CAAC,CAAC,CAAC;YACR,0DAA0D;YAC1D,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC3B,OAAO,eAAe,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAChD,CAAC;YACD,OAAO,WAAW,KAAK,aAAa,CAAC;QACvC,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,SAAS,SAAS,CAAC,EAAU,EAAE,IAAY;IACzC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,KAAK,IAAI,CAAC;IAE3C,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;IACzB,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAE,EAAE,EAAE,CAAC,CAAC;IAC1C,IAAI,KAAK,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IAEnC,MAAM,KAAK,GAAG,UAAU,CAAC,EAAE,CAAC,CAAC;IAC7B,MAAM,OAAO,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC;IACnC,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IAErD,MAAM,IAAI,GAAG,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG,SAAS,CAAC,CAAC,KAAK,CAAC,CAAC;IAClE,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,UAAU,CAAC,EAAU;IAC5B,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC5B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACpC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAC/B,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,CAAC,IAAI,GAAG,GAAG,GAAG;YAAE,OAAO,IAAI,CAAC;QACpD,GAAG,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC,GAAG,GAAG,CAAC;IACzB,CAAC;IACD,OAAO,GAAG,KAAK,CAAC,CAAC;AACnB,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,SAAS,iBAAiB,CACxB,KAAoB,EACpB,SAA4C;IAE5C,MAAM,aAAa,GAAa,EAAE,CAAC;IAEnC,KAAK,MAAM,CAAC,YAAY,EAAE,cAAc,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QACvE,MAAM,CAAC,QAAQ,EAAE,QAAQ,CAAC,GAAG,kBAAkB,CAAC,YAAY,CAAC,CAAC;QAC9D,MAAM,MAAM,GAAG,kBAAkB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;QAEnD,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;YACzB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;QACxC,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC;QACjF,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,UAAU,CAAC,MAAM,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;QAEvF,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;QACxC,CAAC;QAED,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC/B,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;AAClD,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,QAAQ,CAAC,SAAiB;IACjC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,OAAO,GAAG,EAAE,CAAC;IAEjB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC;QACzB,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YAC7B,IAAI,OAAO,CAAC,IAAI,EAAE;gBAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;YAChD,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YAChB,OAAO,GAAG,EAAE,CAAC;QACf,CAAC;aAAM,IAAI,EAAE,KAAK,GAAG,IAAI,EAAE,KAAK,IAAI,EAAE,CAAC;YACrC,IAAI,OAAO,CAAC,IAAI,EAAE;gBAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;YAChD,OAAO,GAAG,EAAE,CAAC;QACf,CAAC;aAAM,CAAC;YACN,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,IAAI,EAAE;QAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAEhD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,kBAAkB,CAAC,SAAiB,EAAE,cAAwB;IACrE,IAAI,MAAM,GAAG,SAAS,CAAC;IAEvB,0CAA0C;IAC1C,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,uBAAuB,EAAE,GAAG,EAAE;QACpD,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,OAAO,CAAC;QAChD,OAAO,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,sCAAsC;IACtC,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,qBAAqB,EAAE,GAAG,EAAE;QAClD,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,OAAO,CAAC;QAChD,OAAO,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,sFAAsF;IACtF,4EAA4E;IAC5E,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,uBAAuB,EAAE,GAAG,EAAE;QACpD,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,OAAO,CAAC;QAChD,OAAO,GAAG,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,mDAAmD;IACnD,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,wBAAwB,EAAE,CAAC,MAAM,EAAE,MAAc,EAAE,EAAE;QAC3E,MAAM,QAAQ,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;QACpE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,OAAO,CAAC;QAC1C,OAAO,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,gDAAgD;IAChD,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,sBAAsB,EAAE,CAAC,MAAM,EAAE,MAAc,EAAE,EAAE;QACzE,MAAM,QAAQ,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;QACpE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,OAAO,CAAC;QAC1C,OAAO,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,iBAAiB,CAAC,SAAiB,EAAE,gBAAsC;IAClF,2CAA2C;IAC3C,MAAM,cAAc,GAAG,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,EAAE,CAAC,CAAC;IAC3D,MAAM,QAAQ,GAAG,kBAAkB,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;IAE/D,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAElC,oDAAoD;IACpD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAE,CAAC;QACxB,IAAI,IAAI,KAAK,OAAO;YAAE,OAAO,KAAK,CAAC;QACnC,IAAI,IAAI,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC;QACjC,OAAO,gBAAgB,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC;IAC7C,CAAC;IAED,2DAA2D;IAC3D,4BAA4B;IAC5B,IAAI,GAAG,GAAG,CAAC,CAAC;IAEZ,SAAS,IAAI;QACX,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;IACrB,CAAC;IAED,SAAS,OAAO;QACd,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAE,CAAC;QACzB,GAAG,EAAE,CAAC;QACN,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;;OAGG;IACH,SAAS,YAAY;QACnB,MAAM,GAAG,GAAG,IAAI,EAAE,CAAC;QAEnB,IAAI,GAAG,KAAK,SAAS;YAAE,OAAO,KAAK,CAAC;QAEpC,IAAI,GAAG,CAAC,WAAW,EAAE,KAAK,KAAK,EAAE,CAAC;YAChC,OAAO,EAAE,CAAC;YACV,OAAO,CAAC,YAAY,EAAE,CAAC;QACzB,CAAC;QAED,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;YAChB,OAAO,EAAE,CAAC,CAAC,cAAc;YACzB,MAAM,MAAM,GAAG,OAAO,EAAE,CAAC;YACzB,IAAI,IAAI,EAAE,KAAK,GAAG;gBAAE,OAAO,EAAE,CAAC,CAAC,cAAc;YAC7C,OAAO,MAAM,CAAC;QAChB,CAAC;QAED,kCAAkC;QAClC,OAAO,EAAE,CAAC;QACV,IAAI,GAAG,KAAK,OAAO;YAAE,OAAO,KAAK,CAAC;QAClC,IAAI,GAAG,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC;QAChC,OAAO,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC;IAC5C,CAAC;IAED;;OAEG;IACH,SAAS,QAAQ;QACf,IAAI,MAAM,GAAG,YAAY,EAAE,CAAC;QAC5B,OAAO,IAAI,EAAE,EAAE,WAAW,EAAE,KAAK,KAAK,EAAE,CAAC;YACvC,OAAO,EAAE,CAAC;YACV,MAAM,KAAK,GAAG,YAAY,EAAE,CAAC;YAC7B,MAAM,GAAG,MAAM,IAAI,KAAK,CAAC;QAC3B,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;OAEG;IACH,SAAS,OAAO;QACd,IAAI,MAAM,GAAG,QAAQ,EAAE,CAAC;QACxB,OAAO,IAAI,EAAE,EAAE,WAAW,EAAE,KAAK,IAAI,EAAE,CAAC;YACtC,OAAO,EAAE,CAAC;YACV,MAAM,KAAK,GAAG,QAAQ,EAAE,CAAC;YACzB,MAAM,GAAG,MAAM,IAAI,KAAK,CAAC;QAC3B,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,OAAO,EAAE,CAAC;AACnB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,UAAU,CAAC,KAAoB,EAAE,IAAe;IAC9D,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC;IACjC,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAmB,CAAC;IACpD,MAAM,gBAAgB,GAAa,EAAE,CAAC;IAEtC,iEAAiE;IACjE,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;QACrD,IAAI,GAAG,KAAK,WAAW;YAAE,SAAS;QAClC,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,SAAS,CAAC,wCAAwC;QAEjF,MAAM,MAAM,GAAG,iBAAiB,CAAC,KAAK,EAAE,KAA0C,CAAC,CAAC;QACpF,gBAAgB,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;QAC1C,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACnB,gBAAgB,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,8CAA8C;IAC9C,MAAM,YAAY,GAAG,iBAAiB,CAAC,SAAS,CAAC,SAAS,EAAE,gBAAgB,CAAC,CAAC;IAE9E,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,wCAAwC;IACxC,MAAM,YAAY,GAAG,CAAC,GAAG,IAAI,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC;IAEpD,MAAM,KAAK,GAAc;QACvB,IAAI;QACJ,KAAK;QACL,aAAa,EAAE,YAAY;QAC3B,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;IAEF,MAAM,CAAC,IAAI,CACT,uBAAuB,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,EAAE,gBAAgB,IAAI,CAAC,KAAK,MAAM,IAAI,CAAC,EAAE,GAAG,EACxF,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE,EAAE,aAAa,EAAE,YAAY,EAAE,CACnD,CAAC;IAEF,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,sBAAsB,CAAC,KAAoB,EAAE,KAAkB;IAC7E,MAAM,OAAO,GAAgB,EAAE,CAAC;IAEhC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC;QACvC,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/rules/sigma-parser.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Sigma YAML rule parser
+ * Sigma YAML 規則解析器
+ *
+ * Parses Sigma rules from YAML format into typed SigmaRule objects.
+ * Validates required fields and logs warnings for missing optional fields.
+ * 將 Sigma 規則從 YAML 格式解析為型別化的 SigmaRule 物件。
+ * 驗證必要欄位並對缺少的可選欄位記錄警告。
+ *
+ * @module @panguard-ai/core/rules/sigma-parser
+ */
+import type { SigmaRule } from './types.js';
+/**
+ * Parse a Sigma rule from a YAML string
+ * 從 YAML 字串解析 Sigma 規則
+ *
+ * Validates required fields (title, detection, level) and normalizes
+ * optional fields with sensible defaults.
+ * 驗證必要欄位（title、detection、level）並以合理預設值標準化可選欄位。
+ *
+ * @param yamlContent - Raw YAML string content / 原始 YAML 字串內容
+ * @returns Parsed SigmaRule or null if validation fails / 解析後的 SigmaRule，驗證失敗則回傳 null
+ */
+export declare function parseSigmaYaml(yamlContent: string): SigmaRule | null;
+/**
+ * Parse a Sigma rule from a YAML file on disk
+ * 從磁碟上的 YAML 檔案解析 Sigma 規則
+ *
+ * Reads the file contents and delegates to parseSigmaYaml.
+ * 讀取檔案內容並委派給 parseSigmaYaml。
+ *
+ * @param filePath - Absolute or relative path to the YAML file / YAML 檔案的絕對或相對路徑
+ * @returns Parsed SigmaRule or null if file read or parsing fails / 解析後的 SigmaRule，讀取或解析失敗則回傳 null
+ */
+export declare function parseSigmaFile(filePath: string): SigmaRule | null;
+//# sourceMappingURL=sigma-parser.d.ts.map

package/dist/rules/sigma-parser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sigma-parser.d.ts","sourceRoot":"","sources":["../../src/rules/sigma-parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,OAAO,KAAK,EAAE,SAAS,EAAkC,MAAM,YAAY,CAAC;AAU5E;;;;;;;;;;GAUG;AACH,wBAAgB,cAAc,CAAC,WAAW,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CA8JpE;AAED;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CAejE"}