Add support for fieldref modifier (#6)

Author: jopohl

README.md

@@ -5,17 +5,19 @@
 [![Crates.io](https://img.shields.io/crates/v/sigma-rust)](https://crates.io/crates/sigma-rust)
 [![Docs.rs](https://docs.rs/sigma-rust/badge.svg)](https://docs.rs/sigma-rust)
 
-
 A Rust library for parsing and evaluating Sigma rules to create custom detection pipelines.
 
 ## Features
 
-- Supports all [sigma modifiers](https://sigmahq.io/docs/basics/modifiers.html) except `expand`
+- Supports all[^1] [sigma modifiers](https://sigmahq.io/docs/basics/modifiers.html) including the unofficial `fieldref`
+  modifier
 - Supports the whole [Sigma condition](https://sigmahq.io/docs/basics/conditions.html) syntax using Pratt parsing
 - Written in 100% safe Rust
 - Daily automated security audit of dependencies
 - Extensive test suite
 
+[^1]: Except the [expand](https://sigmahq.io/docs/basics/modifiers.html#expand) modifier.
+
 ## Example
 
 ```rust
@@ -28,6 +30,7 @@ fn main() {
         category: test
     detection:
         selection_1:
+            Event.ID: 42
             TargetFilename|contains: ':\temp\'
             TargetFilename|endswith:
                 - '.au3'
@@ -42,15 +45,39 @@ fn main() {
 
     let rule = rule_from_yaml(rule_yaml).unwrap();
     let event = event_from_json(
-        r#"{"TargetFilename": "C:\\temp\\file.au3", "Image": "C:\\temp\\autoit4.exe"}"#,
+        r#"{"TargetFilename": "C:\\temp\\file.au3", "Image": "C:\\temp\\autoit4.exe", "Event": {"ID": 42}}"#,
     )
         .unwrap();
 
     assert!(rule.is_match(&event));
 }
 ```
 
-Check out the `examples` folder for more examples.
+## Matching nested fields
+
+You can access nested fields by using a dot `.` as a separator. For example, if you have an event like
+
+```json
+{
+  "Event": {
+    "ID": 42
+  }
+}
+```
+
+you can access the `ID` field by using `Event.ID` in the Sigma rule. Note, that fields containing a dot take
+precedence over nested fields. For example, if you have an event like
+
+```json
+{
+  "Event.ID": 42,
+  "Event": {
+    "ID": 43
+  }
+}
+```
+
+the engine will evaluate `Event.ID` to 42.
 
 ## Strong type checking
 
@@ -73,7 +100,6 @@ selection_2:
 condition: 1 of them
 ```
 
-
 ## License
 
 Licensed under either of
@@ -87,4 +113,5 @@ at your option.
 
 Contributions are welcome! Please open an issue or create a pull request.
 
-Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.
+Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as
+defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

src/error.rs

@@ -6,7 +6,8 @@ pub enum ParserError {
     #[error("Unknown field modifier '{0}' provided")]
     UnknownModifier(String),
 
-    #[error("UTF16 encoding requested but no value transformation modifier provided (base64 or base64offset)")]
+    #[error("UTF16 encoding requested but no value transformation modifier provided (base64 or base64offset)"
+    )]
     Utf16WithoutBase64,
 
     #[error(
@@ -20,7 +21,9 @@ pub enum ParserError {
     #[error("Failed to parse regular expression: '{0}'")]
     RegexParsing(regex::Error),
 
-    #[error("The modifier '{0}' must not be combined with other modifiers except 'all'")]
+    #[error(
+        "The modifier '{0}' must not be combined with other modifiers except 'all' and 'fieldref'"
+    )]
     StandaloneViolation(String),
 
     #[error("Failed to parse IP address '{0}': '{1}'")]
@@ -47,7 +50,8 @@ pub enum ParserError {
     #[error("Field names must be string, got: '{0}'")]
     InvalidFieldName(String),
 
-    #[error("The modifiers contains, startswith and endswith must be used with string values, got: '{0}'")]
+    #[error("The modifiers contains, startswith and endswith must be used with string values, got: '{0}'"
+    )]
     InvalidValueForStringModifier(String),
 }
 

src/event.rs

@@ -9,6 +9,60 @@ struct EventProxy {
     value: serde_json::Value,
 }
 
+#[derive(Debug, PartialEq)]
+pub enum EventValue {
+    Value(FieldValue),
+    Sequence(Vec<EventValue>),
+    Map(HashMap<String, EventValue>),
+}
+
+#[cfg(feature = "serde_json")]
+impl TryFrom<serde_json::Value> for EventValue {
+    type Error = crate::error::JSONError;
+
+    fn try_from(value: serde_json::Value) -> Result<Self, Self::Error> {
+        match value {
+            serde_json::Value::Null
+            | serde_json::Value::Bool(_)
+            | serde_json::Value::Number(_)
+            | serde_json::Value::String(_) => Ok(Self::Value(FieldValue::try_from(value)?)),
+            serde_json::Value::Array(a) => {
+                let mut result = Vec::with_capacity(a.len());
+                for item in a {
+                    result.push(Self::try_from(item)?);
+                }
+                Ok(Self::Sequence(result))
+            }
+            serde_json::Value::Object(data) => {
+                let mut result = HashMap::with_capacity(data.len());
+                for (key, value) in data {
+                    result.insert(key, Self::try_from(value)?);
+                }
+                Ok(Self::Map(result))
+            }
+        }
+    }
+}
+
+impl EventValue {
+    pub(crate) fn contains(&self, s: &str) -> bool {
+        match self {
+            Self::Value(v) => v.value_to_string().contains(s),
+            Self::Sequence(seq) => seq.iter().any(|v| v.contains(s)),
+            Self::Map(m) => m.values().any(|v| v.contains(s)),
+        }
+    }
+}
+
+impl<T> From<T> for EventValue
+where
+    T: Into<FieldValue>,
+{
+    fn from(value: T) -> Self {
+        Self::Value(value.into())
+    }
+}
+
 /// The `Event` struct represents a log event.
 ///
 /// It is a collection of key-value pairs
@@ -18,7 +72,7 @@ struct EventProxy {
 #[cfg_attr(feature = "serde_json", derive(serde::Deserialize))]
 #[cfg_attr(feature = "serde_json", serde(try_from = "EventProxy"))]
 pub struct Event {
-    inner: HashMap<String, FieldValue>,
+    inner: HashMap<String, EventValue>,
 }
 
 #[cfg(feature = "serde_json")]
@@ -33,7 +87,7 @@ impl TryFrom<EventProxy> for Event {
 impl<T, S, const N: usize> From<[(S, T); N]> for Event
 where
     S: Into<String> + Hash + Eq,
-    T: Into<FieldValue>,
+    T: Into<EventValue>,
 {
     fn from(values: [(S, T); N]) -> Self {
         let mut data = HashMap::with_capacity(N);
@@ -44,20 +98,6 @@ where
     }
 }
 
-impl<T, S> From<HashMap<S, T>> for Event
-where
-    S: Into<String> + Hash + Eq,
-    T: Into<FieldValue>,
-{
-    fn from(data: HashMap<S, T>) -> Self {
-        let mut result = Self::default();
-        for (key, val) in data.into_iter() {
-            result.inner.insert(key.into(), val.into());
-        }
-        result
-    }
-}
-
 impl Event {
     /// Create a new empty event
     pub fn new() -> Self {
@@ -79,19 +119,40 @@ impl Event {
     pub fn insert<T, S>(&mut self, key: S, value: T)
     where
         S: Into<String> + Hash + Eq,
-        T: Into<FieldValue>,
+        T: Into<EventValue>,
     {
         self.inner.insert(key.into(), value.into());
     }
 
     /// Iterate over the key-value pairs in the event
-    pub fn iter(&self) -> impl Iterator<Item = (&String, &FieldValue)> {
+    pub fn iter(&self) -> impl Iterator<Item = (&String, &EventValue)> {
         self.inner.iter()
     }
 
-    /// Get the value of a field in the event
-    pub fn get(&self, field: &String) -> Option<&FieldValue> {
-        self.inner.get(field)
+    /// Get the value for a key in the event
+    pub fn get(&self, key: &str) -> Option<&EventValue> {
+        if let Some(ev) = self.inner.get(key) {
+            return Some(ev);
+        }
+
+        let mut nested_key = key;
+        let mut current = &self.inner;
+        while let Some((head, tail)) = nested_key.split_once('.') {
+            if let Some(EventValue::Map(map)) = current.get(head) {
+                if let Some(value) = map.get(tail) {
+                    return Some(value);
+                }
+                current = map;
+                nested_key = tail;
+            } else {
+                return None;
+            }
+        }
+        None
+    }
+
+    pub fn values(&self) -> impl Iterator<Item = &EventValue> {
+        self.inner.values()
     }
 }
 
@@ -104,8 +165,7 @@ impl TryFrom<serde_json::Value> for Event {
         match data {
             serde_json::Value::Object(data) => {
                 for (key, value) in data {
-                    let field_value = FieldValue::try_from(value)?;
-                    result.insert(key, field_value);
+                    result.insert(key, EventValue::try_from(value)?);
                 }
             }
             _ => return Err(Self::Error::InvalidEvent()),
@@ -118,18 +178,31 @@ impl TryFrom<serde_json::Value> for Event {
 #[cfg(test)]
 mod tests {
     use super::*;
+    use serde_json::json;
 
     #[test]
     fn test_load_from_json() {
-        let data = r#"
-        {
+        let event: Event = json!({
             "name": "John Doe",
-            "age": 43
-        }"#;
-
-        let event: Event = serde_json::from_str(data).unwrap();
-
-        assert_eq!(event.inner["name"], FieldValue::from("John Doe"));
-        assert_eq!(event.inner["age"], FieldValue::from(43));
+            "age": 43,
+            "address": {
+                "city": "New York",
+                "state": "NY"
+            }
+        })
+        .try_into()
+        .unwrap();
+
+        assert_eq!(event.inner["name"], EventValue::from("John Doe"));
+        assert_eq!(event.inner["age"], EventValue::from(43));
+        assert_eq!(
+            event.inner["address"],
+            EventValue::Map({
+                let mut map = HashMap::new();
+                map.insert("city".to_string(), EventValue::from("New York"));
+                map.insert("state".to_string(), EventValue::from("NY"));
+                map
+            })
+        );
     }
 }