README
¶
sigma-test 
sigma-test is a test case runner for Sigma rules.
It lets you specify example events alongside your detection rules and assert that your rule matches what you expect.
Install:
- via Homebrew:
brew install bradleyjkemp/formulae/sigma-test - via GitHub releases: download the latest binary here.
- From source:
go get github.com/bradleyjkemp/sigma-test
⚠️ sigma-test evaluates rules using sigma-go which is still under development. Some syntax may not be supported yet.
Usage
Given a rule file rules/example.yml:
title: Example of using sigma-test
description: Demos a passing sigma-test rule
detection:
ssh:
dst_port: 22
permitted_user:
user:
- alice
- bob
condition: ssh and not permitted_user
Test cases are stored in rules/example_test.yml, one test case per YAML document:
---
match: true
event:
dst_port: 22
user: charlie
---
# Shouldn't match non ssh traffic
match: false
event:
dst_port: 443
user: charlie
---
# Shouldn't match authorized users
match: false
event:
dst_port: 22
user: alice
Running sigma-test outputs that, as expected, the tests passed:
> sigma-test ./rules
rules/example.yaml PASS
If a test fails, sigma-test tells you why:
> sigma-test ./rules/broken.yaml
rule/broken.yaml FAIL
map[dst_port:22] should have matched
exit status 1
Documentation
¶
There is no documentation for this package.
Source Files
Click to show internal directories.
Click to hide internal directories.