sigma-test
is a test case runner for Sigma rules.
It lets you specify example events alongside your detection rules and assert that your rule matches what you expect.
Install:
- via Homebrew:
brew install bradleyjkemp/formulae/sigma-test
- via GitHub releases: download the latest binary here.
- From source:
go get github.com/bradleyjkemp/sigma-test
sigma-test
evaluates rules using sigma-go which is still under development. Some syntax may not be supported yet.
Given a rule file rules/example.yml
:
title: Example of using sigma-test
description: Demos a passing sigma-test rule
detection:
ssh:
dst_port: 22
permitted_user:
user:
- alice
- bob
condition: ssh and not permitted_user
Test cases are stored in rules/example_test.yml
, one test case per YAML document:
---
match: true
event:
dst_port: 22
user: charlie
---
# Shouldn't match non ssh traffic
match: false
event:
dst_port: 443
user: charlie
---
# Shouldn't match authorized users
match: false
event:
dst_port: 22
user: alice
Running sigma-test
outputs that, as expected, the tests passed:
> sigma-test ./rules
rules/example.yaml PASS
If a test fails, sigma-test
tells you why:
> sigma-test ./rules/broken.yaml
rule/broken.yaml FAIL
map[dst_port:22] should have matched
exit status 1