
chg: replace sigma-rust to sigmars #59


Closed
wants to merge 6 commits into from

Conversation

fukusuket
Collaborator

@fukusuket fukusuket commented Apr 23, 2025

What Changed

Evidence

Screenshot 2025-04-23 9 31 53

@fukusuket fukusuket added the enhancement New feature or request label Apr 23, 2025
@fukusuket fukusuket self-assigned this Apr 23, 2025
Contributor

@Copilot Copilot AI left a comment


Pull Request Overview

This PR replaces usage of the sigma_rust library with sigmars and updates rule loading and event conversion functions accordingly.

  • Removed the unused helper function s from util.rs
  • Updated get_updated_rules and load_rules_from_dir to use HashMap instead of Vec
  • Replaced event deserialization using event_from_json with Event::new in scan.rs, aws_metrics.rs, and aws_detect.rs

Reviewed Changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Summary per file:
src/util.rs: Removed unused function s to eliminate legacy code.
src/update.rs: Changed rule loader to return a HashMap for easier lookup.
src/scan.rs: Replaced event deserialization calls to work with sigmars.
src/rules.rs: Updated rule loading functions to store rules in a HashMap.
src/aws_metrics.rs: Switched sigma_rust to sigmars and replaced usage of s in event naming.
src/aws_detect.rs: Updated rule loading and event processing to use sigmars, with a change in error handling for event time conversion.
Cargo.toml: Added sigmars dependency and updated the dependency list.
Comments suppressed due to low confidence (1)

src/aws_detect.rs:148

  • [nitpick] Consider renaming 'rule_ids' to 'rules_map' or a similar descriptive name to indicate that it holds a mapping from rule IDs to rules.
let rule_ids = load_rules_from_dir(&options.rules);
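The rule-loader change the review above describes, returning a HashMap keyed by rule id instead of a Vec, has one consequence worth checking when a detection tool adopts it: a map cannot hold two rules with the same id, so a rule file that repeats an id (a copied rule, or the same rule shipped under two paths) silently replaces the earlier entry with a plain insert and that detection is lost. The block below is an added example, not code from this PR, from the project it belongs to, or from the sigma-rust or sigmars crates. It uses only the standard library, scans just the top-level `id:` and `title:` lines with a deliberately minimal parser rather than either crate's YAML loader, and the `Rule` type, the `load_rules` function and the `RULE_A`, `RULE_B` and `RULE_A_DUP` rule texts are all constructed for illustration.

```rust
use std::collections::HashMap;

/// Minimal view of a Sigma rule holding only what this example needs.
/// Constructed for illustration; the real crates expose richer types.
#[derive(Debug, Clone, PartialEq)]
pub struct Rule {
    pub id: String,
    pub title: String,
    pub path: String,
}

/// Returns the value of a top-level `key: value` line from rule YAML.
/// Deliberately tiny: it handles the flat `id:` / `title:` lines Sigma rules
/// keep at top level and ignores indented (nested) lines entirely.
fn top_level_field(yaml: &str, key: &str) -> Option<String> {
    yaml.lines()
        .filter(|l| !l.starts_with(' ') && !l.starts_with('\t'))
        .find_map(|l| {
            let (k, v) = l.split_once(':')?;
            if k.trim() == key {
                Some(v.trim().trim_matches(|c: char| c == '"' || c == '\'').to_string())
            } else {
                None
            }
        })
}

/// Loads rules from (path, yaml) pairs into a map keyed by rule id.
/// A HashMap gives O(1) lookup by id, but unlike a Vec it cannot hold two
/// rules with the same id: a bare `insert` would silently drop the earlier
/// rule, so a duplicate id is reported as an error instead of being swallowed.
pub fn load_rules<'a, I>(files: I) -> Result<HashMap<String, Rule>, String>
where
    I: IntoIterator<Item = (&'a str, &'a str)>,
{
    let mut rules: HashMap<String, Rule> = HashMap::new();
    for (path, yaml) in files {
        let id = top_level_field(yaml, "id")
            .ok_or_else(|| format!("{path}: rule has no id"))?;
        let title = top_level_field(yaml, "title").unwrap_or_default();
        if let Some(prev) = rules.get(&id) {
            return Err(format!(
                "{path}: duplicate rule id {id} (already loaded from {})",
                prev.path
            ));
        }
        rules.insert(id.clone(), Rule { id, title, path: path.to_string() });
    }
    Ok(rules)
}

/// Constructed sample rules for this example, not rules from the project.
pub const RULE_A: &str = "title: Sample rule A\nid: 11111111-1111-1111-1111-111111111111\nlogsource:\n  product: aws\ndetection:\n  sel:\n    eventName: ConsoleLogin\n  condition: sel\n";
pub const RULE_B: &str = "title: Sample rule B\nid: 22222222-2222-2222-2222-222222222222\nlogsource:\n  product: aws\n";
/// Same id as RULE_A under a different title: the loader must reject it.
pub const RULE_A_DUP: &str = "title: Sample rule A copy\nid: 11111111-1111-1111-1111-111111111111\n";

fn main() {
    let ok = load_rules([("a.yml", RULE_A), ("b.yml", RULE_B)]).unwrap();
    println!("loaded {} rules", ok.len());
    match load_rules([("a.yml", RULE_A), ("a_copy.yml", RULE_A_DUP)]) {
        Ok(_) => println!("unexpected: duplicate id accepted"),
        Err(e) => println!("rejected: {e}"),
    }
}
```

Whichever crate ends up parsing the YAML, the same check applies at the point where the parsed rule goes into the map: look the id up first, or use the `Entry` API, and fail loudly rather than letting a later file overwrite an earlier rule.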

@fukusuket
Collaborator Author

@YamatoSecurity
I’ve quickly replaced it with sigmars for now (though I haven’t tested it yet...😅)!
Could you check if the Correlation rules are working properly? 🙏

@fukusuket
Collaborator Author

If it seems to be detecting properly, adding multi-threading support should be relatively easy :)

@fukusuket
Collaborator Author

It seems that simple Correlation is being detected, but due to an issue in my implementation, the results are not showing in the standard output. I will fix it.

@fukusuket
Collaborator Author

Unfortunately, at this point, the correlation rule is not being detected as expected. I’ll raise a question on the sigmars side.

@fukusuket fukusuket closed this Apr 23, 2025
@YamatoSecurity
Contributor

Thanks for looking into this! Even if correlations are not working at the moment, if this crate detects the same amount as the current one and more with support for v2 modifiers, then we might as well convert over to using this one and work with the authors of sigmars to later get correlations working. What do you think?

@fukusuket
Collaborator Author

@YamatoSecurity
After doing a quick comparison, it seems that sigma-rust is currently more stable, so it might be better to replace it with sigmars once it becomes more stable! Also, it might be a good idea to submit issues or pull requests to both crates :)

Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Replace sigma-rust crate with sigmars?
2 participants