add lazy evaluation option

evaluator/evaluate.go

@@ -17,6 +17,7 @@ type RuleEvaluator struct {
 
 	expandPlaceholder func(ctx context.Context, placeholderName string) ([]string, error)
 	caseSensitive     bool
+	lazy              bool
 	comparators       map[string]modifiers.Comparator
 
 	count   func(ctx context.Context, gb GroupedByValues) (float64, error)
@@ -105,16 +106,39 @@ func (rule RuleEvaluator) matches(ctx context.Context, event Event, comparators
 		SearchResults:    map[string]bool{},
 		ConditionResults: make([]bool, len(rule.Detection.Conditions)),
 	}
-	for identifier, search := range rule.Detection.Searches {
+
+	if !rule.lazy {
+		// must evaluate all searches up front
+		for identifier, search := range rule.Detection.Searches {
+			var err error
+			result.SearchResults[identifier], err = rule.evaluateSearch(ctx, search, event, rule.comparators)
+			if err != nil {
+				return Result{}, fmt.Errorf("error evaluating search %s: %w", identifier, err)
+			}
+		}
+	}
+
+	var searchErr error
+	searchResults := func(identifier string) bool {
+		searchResult, ok := result.SearchResults[identifier]
+		if ok {
+			return searchResult
+		}
+
+		search, ok := rule.Detection.Searches[identifier]
+		if !ok {
+			return false // compatibility with old behaviour
+		}
 		var err error
 		result.SearchResults[identifier], err = rule.evaluateSearch(ctx, search, event, rule.comparators)
 		if err != nil {
-			return Result{}, fmt.Errorf("error evaluating search %s: %w", identifier, err)
+			searchErr = fmt.Errorf("error evaluating search %s: %w", identifier, err)
+			return false
 		}
+		return result.SearchResults[identifier]
 	}
-
 	for conditionIndex, condition := range rule.Detection.Conditions {
-		searchMatches := rule.evaluateSearchExpression(condition.Search, result.SearchResults)
+		searchMatches := rule.evaluateSearchExpression(condition.Search, searchResults)
 
 		switch {
 		// Event didn't match filters
@@ -142,5 +166,5 @@ func (rule RuleEvaluator) matches(ctx context.Context, event Event, comparators
 		}
 	}
 
-	return result, nil
+	return result, searchErr
 }

evaluator/evaluate_search.go

@@ -13,7 +13,7 @@ import (
 	"strings"
 )
 
-func (rule RuleEvaluator) evaluateSearchExpression(search sigma.SearchExpr, searchResults map[string]bool) bool {
+func (rule RuleEvaluator) evaluateSearchExpression(search sigma.SearchExpr, searchResults func(string) bool) bool {
 	switch s := search.(type) {
 	case sigma.And:
 		for _, node := range s {
@@ -36,7 +36,7 @@ func (rule RuleEvaluator) evaluateSearchExpression(search sigma.SearchExpr, sear
 
 	case sigma.SearchIdentifier:
 		// If `s.Name` is not defined, this is always false
-		return searchResults[s.Name]
+		return searchResults(s.Name)
 
 	case sigma.OneOfThem:
 		for name := range rule.Detection.Searches {

evaluator/fuzz_test.go

@@ -60,7 +60,6 @@ func FuzzRuleMatches(f *testing.F) {
 		eval := ForRule(r, WithConfig(c))
 		_, err = eval.Matches(context.Background(), e)
 	})
-
 }
 
 func FuzzRuleBundleMatches(f *testing.F) {
@@ -139,3 +138,33 @@ func FuzzRuleBundleMatches(f *testing.F) {
 		}
 	})
 }
+
+func FuzzRuleLazyMatches(f *testing.F) {
+	f.Add(testRule, testConfig, `{"foo": "bar", "bar": "baz"}`)
+	f.Fuzz(func(t *testing.T, rule, config, payload string) {
+		r, err := sigma.ParseRule([]byte(rule))
+		if err != nil {
+			return
+		}
+		c, err := sigma.ParseConfig([]byte(config))
+		if err != nil {
+			return
+		}
+
+		var e Event
+		json.Unmarshal([]byte(payload), &e)
+
+		eval := ForRule(r, WithConfig(c))
+		lazyEval := ForRule(r, WithConfig(c), LazyEvaluation)
+		evalResult, evalErr := eval.Matches(context.Background(), e)
+		lazyEvalResult, lazyEvalErr := lazyEval.Matches(context.Background(), e)
+
+		if (evalErr == nil) != (lazyEvalErr == nil) {
+			f.Fatal("err mismatch", evalErr, lazyEvalErr)
+		}
+
+		if evalResult.Match != lazyEvalResult.Match {
+			f.Fatal("result mismatch", evalErr, lazyEvalErr)
+		}
+	})
+}

evaluator/options.go

@@ -48,3 +48,8 @@ func CaseSensitive(e *RuleEvaluator) {
 	e.caseSensitive = true
 	e.comparators = modifiers.ComparatorsCaseSensitive
 }
+
+// LazyEvaluation allows the evaluator to skip evaluating searches if they won't affect the overall match result
+func LazyEvaluation(e *RuleEvaluator) {
+	e.lazy = true
+}