Skip to content

rulezet/rulezet-cast

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

36 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

RuleCast logo

A security rule parser and normalizer — converts multi-format detection signatures into structured JSON.
Built to complement rulezet-core.

version 1.0.0 Python 3.11+ 10 formats MIT license


What it does

RuleCast takes raw cybersecurity detection rules via text or file, validates their syntax, and outputs structured JSON ready for integration or automation. It supports ten rule formats out of the box and is designed to be extended with new formats in minutes.

Supported formats

Format Extension(s) Validator Status
YARA .yar .yara yara-python ✅ Implemented
Sigma .yaml .yml pysigma ✅ Implemented
Suricata .rules suricataparser ✅ Implemented
CRS (ModSecurity / OWASP) .conf msc-pyparser ✅ Implemented
NSE (Nmap Scripting Engine) .nse luac -p ✅ Implemented
Nova (AI/LLM hunting) .nov nova-hunting ✅ Implemented
Zeek .zeek .bro zeekscript ✅ Implemented
Wazuh SIEM .xml stdlib XML ✅ Implemented
Elastic Security .toml stdlib tomllib ✅ Implemented
ATR (Agent Threat Rules) .yaml .yml PyYAML ✅ Implemented

Installation

git clone https://github.com/rulezet/rulezet-cast.git
cd rulezet-cast
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

Usage

Interactive menu:

python3 main.py or ./run.sh
Screenshot from 2026-05-11 11-56-13

Direct commands:

# Parse a rule from text
python3 main.py parse -t 'rule MyTest { condition: true }'

# Parse from a file
python3 main.py parse -i rules.yar

# Validate only
python3 main.py validate -i rules.yar -f yara

# Auto-detect format
python3 main.py detect -t 'rule MyTest { condition: true }'

# Output as JSON
python3 main.py parse -i rules.yar --json

# Normalize to Rulezet schema
python3 main.py parse -i rules.yar --normalize

# List all registered parsers
python3 main.py list

# Launch the interactive test runner
python3 main.py test

# Scaffold a new parser
python3 main.py new myformat

Test runner

RuleCast includes an interactive test runner to validate parsers against rule fixtures:

python3 main.py test

Choose a format, load a test file or paste content, then get per-rule results and a summary that checks counts against the expected values declared in the fixture header.

The test runner also includes a format clash detection test (press c at the format menu). It runs all formats that share an extension against a mixed fixture and verifies that each rule is correctly identified — catching can_handle() false positives automatically.

Adding a new format

See CONTRIBUTING.md for the full step-by-step guide with screenshots.

Quick start:

python3 main.py new <format_name>

This generates a ready-to-fill template at parsers/formats/<format_name>_parser.py, registers the parser, creates a test fixture, and adds the fixture to the test runner. Implement the five methods, add your test rules, and open a PR.

Funding

Rulezet is co-funded by CIRCL and by the European Union under NGSOTI (Next Generation Security Operator Training Infrastructure ) project.

EU logo

About

A versatile security rule parser and normalizer designed to convert multi-format detection signatures (such as YARA, Suricata, and Emerging Threats) into structured JSON. Whether via file upload or direct copy-paste, it streamlines the translation of complex security logic into a machine-readable format for seamless integration and automation.

Topics

Resources

License

Contributing

Stars

6 stars

Watchers

1 watching

Forks

Packages

 
 
 

Contributors

Languages