Description
Sigma is the open standard for log detection rules with 4000+ community rules. Adding Sigma compatibility would make LogReaper significantly more powerful and tap into an existing ecosystem.
Why This Matters
- Sigma has ~8k GitHub stars and a massive rule library
- Users wouldn't need to maintain custom regex patterns — just point LogReaper at Sigma rules
- Positions LogReaper as a lightweight Sigma evaluator for Linux CLI (like Chainsaw is for Windows)
- Community can contribute Sigma rules without touching C code
Proposed Approach
Phase 1: Basic YAML Parsing
- Parse Sigma YAML rule files (detection field with keywords/patterns)
- Convert Sigma `contains`, `startswith`, `endswith` modifiers to regex
- Support `logreaper --sigma-rules /path/to/rules/ logfile`
Phase 2: Full Sigma Support
- AND/OR logic in detection conditions
- Field mapping for common Linux log sources
- Sigma rule severity → LogReaper severity mapping
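As an added illustration of the Phase 1 modifier-to-regex conversion and the Phase 2 AND/OR condition logic (example code written for this issue, not LogReaper's own C implementation), the block below evaluates a constructed Sigma `detection` block against a few constructed log events. The rule, the field names and the events are assumptions; a real implementation would obtain the dictionary from a YAML parser and handle parenthesised conditions.

```python
import re

# Constructed example (not a rule from the Sigma repository): the `detection`
# block of a Sigma rule as a YAML parser would return it.
DETECTION = {
    "selection": {
        "message|contains": ["Failed password", "Invalid user"],
        "process|startswith": "sshd",
    },
    "filter": {"message|endswith": "from 127.0.0.1"},
    "condition": "selection and not filter",
}

def modifier_to_regex(modifier, value):
    """Translate a Sigma value modifier into an escaped, anchored regex."""
    v = re.escape(value)
    patterns = {"contains": v, "startswith": "^" + v, "endswith": v + "$"}
    return patterns.get(modifier, "^" + v + "$")  # no modifier: exact match

def match_selection(selection, event):
    """Keys in a selection map are ANDed; a list of values for one key is ORed."""
    for key, values in selection.items():
        field, _, modifier = key.partition("|")
        values = values if isinstance(values, list) else [values]
        text = str(event.get(field, ""))
        if not any(re.search(modifier_to_regex(modifier, v), text) for v in values):
            return False
    return True

def eval_condition(condition, results):
    """Evaluate 'a and not b or c' (no parentheses) over per-selection results."""
    def term(tok):
        negate = tok.startswith("not ")
        value = results[tok[4:].strip() if negate else tok.strip()]
        return not value if negate else value
    return any(all(term(t) for t in clause.split(" and "))
               for clause in condition.split(" or "))

def rule_matches(detection, event):
    """Run every named selection against one event, then apply the condition."""
    results = {name: match_selection(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return eval_condition(detection["condition"], results)

# Constructed sample events (not real log data); only the first should fire.
EVENTS = [
    {"process": "sshd[812]", "message": "Failed password for root from 10.0.0.5"},
    {"process": "sshd[813]", "message": "Failed password for root from 127.0.0.1"},
    {"process": "cron", "message": "Invalid user test from 10.0.0.9"},
]
```

`re.escape` matters here: Sigma values are literal strings, so characters such as `.` in an IP address must not be interpreted as regex metacharacters.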
Resources
Acceptance Criteria