sigma-rule-matcher is a Python package for evaluating Sigma detection rules against structured event data.
Built on top of pySigma, it parses and applies Sigma rule logic—including
condition expressions and most common modifiers—to incoming events to determine whether they match.
So far, this project is primarily a learning tool, put together to better understand how Sigma rules operate under the hood.
Install the package from PyPI:
pip install sigma-rule-matcherRequires Python 3.10 or later. This will install the library and its dependencies:
- boolean.py (for boolean expression evaluation)
- pySigma (for parsing Sigma rules)
Sigma rules can include multiple selectors, logical operators, and modifiers. For example:
from sigma.rule import SigmaRule
from sigma_rule_matcher import RuleMatcher
sigma_rule = '''
title: Suspicious activity
logsource:
product: test
detection:
sel1:
src_ip:
- 10.0.0.1
- 10.0.0.2
sel2:
user:
- root
sel3:
process_name:
- 'malicious.exe'
condition: (sel1 or sel2) and sel3
'''
rule = SigmaRule.from_yaml(sigma_rule)
matcher = RuleMatcher(rule)
# Test against an event
event = {
'src_ip': '10.0.0.2',
'user': 'guest',
'process_name': 'malicious.exe'
}
assert matcher.match(event) is TrueThe library includes a comprehensive test suite. To run the tests:
pytestThis project is licensed under the MIT License.
It uses the pySigma library, which is licensed under the GNU Lesser General Public License v2.1 (LGPL-2.1). A copy of the LGPL-2.1 license is here.
We use pySigma without modification.