A security rule parser and normalizer — converts multi-format detection signatures into structured JSON.
Built to complement rulezet-core.
RuleCast takes raw cybersecurity detection rules via text or file, validates their syntax, and outputs structured JSON ready for integration or automation. It supports ten rule formats out of the box and is designed to be extended with new formats in minutes.
| Format | Extension(s) | Validator | Status |
|---|---|---|---|
| YARA | .yar .yara |
yara-python |
✅ Implemented |
| Sigma | .yaml .yml |
pysigma |
✅ Implemented |
| Suricata | .rules |
suricataparser |
✅ Implemented |
| CRS (ModSecurity / OWASP) | .conf |
msc-pyparser |
✅ Implemented |
| NSE (Nmap Scripting Engine) | .nse |
luac -p |
✅ Implemented |
| Nova (AI/LLM hunting) | .nov |
nova-hunting |
✅ Implemented |
| Zeek | .zeek .bro |
zeekscript |
✅ Implemented |
| Wazuh SIEM | .xml |
stdlib XML | ✅ Implemented |
| Elastic Security | .toml |
stdlib tomllib |
✅ Implemented |
| ATR (Agent Threat Rules) | .yaml .yml |
PyYAML |
✅ Implemented |
git clone https://github.com/rulezet/rulezet-cast.git
cd rulezet-cast
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txtInteractive menu:
python3 main.py or ./run.sh
Direct commands:
# Parse a rule from text
python3 main.py parse -t 'rule MyTest { condition: true }'
# Parse from a file
python3 main.py parse -i rules.yar
# Validate only
python3 main.py validate -i rules.yar -f yara
# Auto-detect format
python3 main.py detect -t 'rule MyTest { condition: true }'
# Output as JSON
python3 main.py parse -i rules.yar --json
# Normalize to Rulezet schema
python3 main.py parse -i rules.yar --normalize
# List all registered parsers
python3 main.py list
# Launch the interactive test runner
python3 main.py test
# Scaffold a new parser
python3 main.py new myformatRuleCast includes an interactive test runner to validate parsers against rule fixtures:
python3 main.py testChoose a format, load a test file or paste content, then get per-rule results and a summary that checks counts against the expected values declared in the fixture header.
The test runner also includes a format clash detection test (press c at the format menu). It runs all formats that share an extension against a mixed fixture and verifies that each rule is correctly identified — catching can_handle() false positives automatically.
See CONTRIBUTING.md for the full step-by-step guide with screenshots.
Quick start:
python3 main.py new <format_name>This generates a ready-to-fill template at parsers/formats/<format_name>_parser.py, registers the parser, creates a test fixture, and adds the fixture to the test runner. Implement the five methods, add your test rules, and open a PR.
Rulezet is co-funded by CIRCL and by the European Union under NGSOTI (Next Generation Security Operator Training Infrastructure ) project.

