feat: add rule viewer

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "sigma"]
+	path = sigma
+	url = https://github.com/SigmaHQ/sigma.git

.vitepress/config.mts

@@ -6,6 +6,7 @@ export default defineConfig({
     title: 'Sigma',
     titleTemplate: 'Sigma Website',
     description: 'A generic and open signature format that allows you to describe relevant log events in a straight-forward manner.',
+    ignoreDeadLinks: true,
     head: [
         ['link', {
             media: "(prefers-color-scheme: dark)",
@@ -136,7 +137,11 @@ export default defineConfig({
             //     activeMatch: '/blog/',
             //     link: '/blog/index.md'
             // },
-            {text: 'Rules', link: 'https://github.com/SigmaHQ/sigma'},
+            {
+                text: 'Rules',
+                activeMatch: '/rules/',
+                link: '/rules/index.html'
+            },
             {text: 'Blog', link: 'https://medium.com/sigma-hq'},
             {
                 text: 'Misc',
@@ -229,6 +234,24 @@ export default defineConfig({
                         },
                     ]
                 },
+            ],
+            '/rules/': [
+                {
+                    text: 'Types',
+                    items: [
+                        {text: 'Detection Rules', link: '/rules/detection/'},
+                        {text: 'Threat Hunting Rules', link: '/rules/threat-hunting/'},
+                        {text: 'Emerging Threats Rules', link: '/rules/emerging-threats/'},
+                    ]
+                },
+                {
+                    text: 'Operating System',
+                    items: [
+                        {text: 'Windows', link: '/rules/windows'},
+                        {text: 'Linux', link: '/rules/linux'},
+                        {text: 'MacOS', link: '/rules/macos'},
+                    ]
+                }
             ]
         },
         footer: {
@@ -243,8 +266,8 @@ export default defineConfig({
             {icon: 'twitter', link: 'https://twitter.com/Sigma_HQ/'},
             {icon: 'github', link: 'https://github.com/SigmaHQ/sigma'},
         ],
-        // search: {
-        //     provider: 'local',
+        search: {
+             provider: 'local',
         //     options: {
         //         _render(src, env, md) {
         //             const html = md.render(src, env)
@@ -258,7 +281,7 @@ export default defineConfig({
         //             return html
         //         }
         //     }
-        // }
+        }
     },
     markdown: {
         config: (md) => {

.vitepress/theme/layouts/Docsv2.vue

@@ -1,13 +1,13 @@
 <script setup lang="ts">
 import DefaultTheme from 'vitepress/theme'
 import {useData} from "vitepress/dist/client/theme-default/composables/data";
-import {BookOpenIcon, RectangleGroupIcon} from "@heroicons/vue/20/solid";
+import {BookOpenIcon, RectangleGroupIcon, DocumentMagnifyingGlassIcon} from "@heroicons/vue/20/solid";
 import {useRoute, useRouter, withBase} from "vitepress";
 import DraftWarning from "../components/DraftWarning.vue";
+import VPLink from 'vitepress/dist/client/theme-default/components/VPLink.vue'
 
 const { Layout } = DefaultTheme
 const { frontmatter } = useData()
-import VPLink from 'vitepress/dist/client/theme-default/components/VPLink.vue'
 
 function active_link(link: string) {
     return useRoute().data.relativePath.includes(link)
@@ -64,6 +64,18 @@ function active_link(link: string) {
                     </span>
                     Resources
                 </a>
+                <a :href="withBase('/rules/')"
+                   class="rounded-xl transition-all hover:bg-rose-400/10 dark:hover:bg-rose-400/20 p-1.5 -m-1.5 text-sm flex gap-3 items-center text-rose-500 dark:text-rose-200 font-semibold"
+                   :class="{
+                        'bg-rose-700/[0.08] group-hover:bg-transparent hover:!bg-rose-700/10': active_link('rules/'),
+                        '': !active_link('rules/')
+                    }">
+                    <span
+                        class="box block w-7 h-7 rounded-lg bg-rose-400/20 dark:bg-rose-500/20 flex items-center justify-center">
+                        <DocumentMagnifyingGlassIcon class="h-4 h-4 text-rose-500 dark:text-rose-400"/>
+                    </span>
+                    Rules
+                </a>
             </div>
         </template>
 

.vitepress/theme/layouts/Home.vue

@@ -163,11 +163,11 @@ const {frontmatter} = useData()
                     Explore the Sigma Ecosystem
                 </h2>
                 <div class="grid md:grid-cols-3 gap-4">
-                    <a target="_blank" href="https://github.com/SigmaHQ/sigma/">
+                    <a target="_blank" href="/rules/">
                         <Box>
                             <template #icon><RectangleStackIcon /></template>
                             <template #heading>View Sigma Rules <ArrowTopRightOnSquareIcon class="text-slate-400 dark:text-white/30 ml-1 h-[14px] w-[14px] inline" /></template>
-                            <template #text>Explore the thousands of existing Sigma detections in SigmaHQ/sigma.</template>
+                            <template #text>Explore the thousands of existing Sigma detections in SigmaHQ.</template>
                         </Box>
                     </a>
                     <a target="_blank" href="https://medium.com/sigma-hq">

.vitepress/theme/layouts/Resources.vue

@@ -4,16 +4,15 @@ import {useData} from "vitepress/dist/client/theme-default/composables/data";
 import {ArrowTopRightOnSquareIcon, ChevronRightIcon} from "@heroicons/vue/20/solid";
 import Docsv2 from "./Docsv2.vue";
 import BlogPostLink from "../components/Resources/BlogPostLink.vue";
-
-const { Layout } = DefaultTheme
-const { frontmatter } = useData()
-
 import { data } from '/.vitepress/theme/lib/blog.data'
 import {BeakerIcon, DocumentCheckIcon, RectangleStackIcon} from "@heroicons/vue/24/solid";
 import Box from "../components/Boxes/Box.vue";
 import {ref} from "vue";
 import {withBase} from "vitepress";
 
+const { Layout } = DefaultTheme
+const { frontmatter } = useData()
+
 let repos = ref([
   {
     subtitle: 'Open Source',

docs/basics/conditions.md

@@ -121,7 +121,7 @@ detection:
 
 ### all of (search pattern)
 
-The `1 of (search pattern)` statement combines all of the above conditions together in an `and` statement. The `(search pattern)` can be replaced with a regex statement that describes the name of the selection group.
+The `all of (search pattern)` statement combines all of the above conditions together in an `and` statement. The `(search pattern)` can be replaced with a regex statement that describes the name of the selection group.
 
 ```yaml
 detection:
@@ -171,10 +171,10 @@ detection:
 
 ### all of them
 
-The `1 of them` statement combines all of the above conditions together in an `and` statement.
+The `all of them` statement combines all of the above conditions together in an `and` statement.
 
 ::: danger WARNING
-It's advised not to use `1 of them` or `all of them` as it's not generally accepted when sharing rules with the `SigmaHQ/sigma` repository & community.
+It's advised not to use `1 of them` or `all of them` as it's not generally accepted when sharing rules with the `SigmaHQ/sigma` repository abd community.
 :::
 
 ```yaml

docs/basics/modifiers.md

@@ -331,6 +331,27 @@ The `lte` modifier will provide a search where the value of `fieldname` is less
 
 ---
 
+### re
+
+::: code-group
+
+```yaml [/rules/needle_in_end_of_haystack.yaml]
+detection:
+    selection:
+        fieldname|re: '\\ntsvcs_[0-9a-f]{2}'
+```
+
+```splunk [Splunk Output]
+*
+| regex fieldname="\\\\ntsvcs_[0-9a-f]{2}"
+```
+
+:::
+
+The `re` modifier value is handled as regular expression by backends.
+
+---
+
 ### utf16 / utf16le / utf16be / wide {#wide}
 
 ::: code-group

rules/index.md

@@ -0,0 +1,72 @@
+---
+title: 'SigmaHQ Rules'
+subtitle: 'Detection'
+---
+
+<!--suppress ES6UnusedImports -->
+<script setup>
+import {withBase} from "vitepress";
+
+import DefaultTheme from 'vitepress/theme'
+import {useData} from "vitepress/dist/client/theme-default/composables/data";
+import {ArrowTopRightOnSquareIcon, ChevronRightIcon} from "@heroicons/vue/20/solid";
+
+const { Layout } = DefaultTheme
+const { frontmatter } = useData()
+
+import { data } from '/.vitepress/theme/lib/blog.data'
+import {BeakerIcon, DocumentCheckIcon, RectangleStackIcon} from "@heroicons/vue/24/solid";
+import Box from "/.vitepress/theme/components/Boxes/Box.vue";
+import {ref} from "vue";
+
+let ruleTypes = ref([
+    {
+        title: 'Detection Rules',
+        description: 'Threat agnostic rules. their aim is to detect a behavior or an implementation of a technique or procedure that was, can or will be used by a potential threat actor.',
+        link: '/rules/detection/',
+        og_image: withBase('/images/detection_rules.png'),
+        og_image_alt: 'Sigma Open Source Conversion Tool'
+    },
+    {
+        title: 'Emerging Threats Rules',
+        description: 'Rules that cover specific threats, that are timely and relevant for certain periods of time. These threats include specific APT campaigns, exploitation of Zero-Day vulnerabilities, specific malware used during an attack,...etc.',
+        link: '/rules/emerging-threats/',
+        og_image: withBase('/images/emerging_threats.png'),
+        og_image_alt: 'Sigma Open Source Conversion Tool'
+    },
+    {
+        title: 'Threat Hunting Rules',
+        description: 'Are broader in scope and are meant to give the analyst a starting point to hunt for potential suspicious or malicious activity',
+        link: '/rules/threat-hunting/',
+        og_image: withBase('/images/threat_hunting.png'),
+        og_image_alt: 'Sigma Open Source Conversion Tool'
+    }
+])
+
+</script>
+
+# {{ $frontmatter.title }}
+
+The place where detection engineers, threat hunters and all defensive security practitioners collaborate on detection rules. The repository offers more than 3000 detection rules of different type and aims to make reliable detections accessible to all at no cost.
+
+
+<section id="rule-ruleTypes">
+    <h2 class="!border-0">Explore Sigma Rules</h2>
+    <p class="text-slate-500 ">Find Sigma detections applicable to your organisation.</p>
+    <div class="grid gap-4 mt-5">
+        <a v-for="rtype in ruleTypes" target="_blank" :href="rtype.link" class="box hover:!no-underline !text-inherit py-6 md:py-7 px-6 md:px-8 w-full group !transition-all rounded-xl md:flex-row items-center overflow-hidden gap-4 h-full relative z-10 p-6 outline outline-1 hover:outline-2 bg-[#E3F2FA]/40 outline-[#C6D2ED]/40 hover:bg-[#DEF5FC] hover:outline-[#AAD0EC] dark:outline-[#383C5E]/50 dark:bg-[#252C3B]/25 dark:hover:bg-[#37455E]/40 dark:hover:outline-[var(--vp-c-brand-1)] text-white flex flex-col group">
+            <div class="md:order-2">
+                <img :src="rtype.og_image" :alt="rtype.og_image_alt" class="w-full md:w-60 lg:w-80 rounded shadow-xl">
+            </div>
+            <div class="md:order-1 w-full">
+                <h3>{{ rtype.title }}</h3>
+                <div class="md:flex gap-2 items-baseline !mb-4">
+                    <p class="text-slate-500 inline">{{ rtype.description }}</p>
+                </div>
+                <button class="text-sm rounded-lg bg-sky-400 dark:bg-sky-500 group-hover:bg-sky-500 group-hover:dark:bg-sky-600 dark:shadow transition-all text-white p-2 px-4 font-semibold">
+                    Explore <ChevronRightIcon class="w-5 h-5 inline-block"/>
+                </button>
+            </div>
+        </a>
+    </div>
+</section>

rules/linux.md

@@ -0,0 +1 @@
+**Coming Soon**

rules/macos.md

@@ -0,0 +1 @@
+**Coming Soon**

rules/windows.md

@@ -0,0 +1 @@
+**Coming Soon**