ecrou-exact/RuleCast

A security rule parser and normalizer — converts multi-format detection signatures into structured JSON.
Built to complement rulezet-core.


What it does

RuleCast takes raw cybersecurity detection rules (YARA, Sigma, Suricata, and more) via text or file, validates their syntax, and outputs structured JSON ready for integration or automation.
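
To make the text-to-JSON step concrete, here is an added example; it is not RuleCast's own code, and the page does not show RuleCast's parser or JSON schema. It is a simplified YARA normalizer in which `parse_yara`, the output field names, and the "a rule must have a condition" validity check are assumptions.

```python
import json
import re

# Constructed sample input, not taken from the RuleCast repository.
SAMPLE = r'''
rule Demo_Marker : demo test {
    meta:
        author = "example"
        severity = 3
    strings:
        $a = "EXAMPLE-MARKER" ascii nocase
        $b = { 4D 5A 90 00 }
    condition:
        $a or $b
}
rule MyTest { condition: true }
'''

# Simplified grammar (assumption): no imports, comments, regex strings or private/global rules.
RULE_RE = re.compile(r'\brule\s+(?P<name>\w+)\s*(?::\s*(?P<tags>[\w\s]+?))?\s*'
                     r'\{(?P<body>.*?)\}\s*(?=rule\s|\Z)', re.S)
SECTION_RE = re.compile(r'\b(meta|strings|condition)\s*:')
META_RE = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|\S+)')
STRING_RE = re.compile(r'(\$\w*)\s*=\s*("(?:[^"\\]|\\.)*"|\{[^}]*\})[ \t]*([a-z \t]*)')

def _scalar(v):  # YARA meta values are string, integer or boolean
    return v[1:-1] if v.startswith('"') else int(v) if v.isdigit() else v == "true"

def parse_yara(text):
    """Return one dict per rule; raise ValueError when a rule lacks a condition."""
    rules = []
    for m in RULE_RE.finditer(text):
        parts = SECTION_RE.split(m.group("body"))      # ['', 'meta', '...', 'strings', ...]
        sec = dict(zip(parts[1::2], parts[2::2]))      # section name -> raw section text
        cond = " ".join(sec.get("condition", "").split())
        if not cond:
            raise ValueError(f"rule {m.group('name')}: missing condition")
        rules.append({
            "format": "yara", "name": m.group("name"),
            "tags": (m.group("tags") or "").split(),
            "meta": {k: _scalar(v) for k, v in META_RE.findall(sec.get("meta", ""))},
            "strings": [{"id": i, "type": "hex" if v[0] == "{" else "text",
                         "value": v, "modifiers": mods.split()}
                        for i, v, mods in STRING_RE.findall(sec.get("strings", ""))],
            "condition": cond})
    return rules

if __name__ == "__main__":
    print(json.dumps(parse_yara(SAMPLE), indent=2))
```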

Supported formats

| Format | Status |
|---|---|
| YARA | ✅ Implemented |
| Sigma | 🔜 Planned |
| Suricata | 🔜 Planned |
| Zeek | 🔜 Planned |
| Wazuh | 🔜 Planned |
| NSE / CRS / Nova | 🔜 Planned |

Installation

git clone https://github.com/rulezet/rulezet-cast.git
cd rulezet-cast
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

Usage

Interactive menu:

python3 main.py

Direct commands:

# Parse a rule from text
python3 main.py parse -t 'rule MyTest { condition: true }'

# Parse from a file
python3 main.py parse -i rules.yar

# Validate only
python3 main.py validate -i rules.yar

# Auto-detect format
python3 main.py detect -t 'rule MyTest { condition: true }'

# Output as JSON
python3 main.py parse -i rules.yar --json

# Launch the interactive test runner
python3 main.py test

# Scaffold a new parser
python3 main.py new sigma

Test runner

RuleCast includes an interactive test runner to validate parsers against rule fixtures:

python3 main.py test

It lets you choose a format, load a test file or paste content, then shows per-rule results and a summary that checks found counts against the expected counts declared in the test file header.

Adding a new format

See CONTRIBUTING.md for the full guide: how the pipeline works, what methods to implement, how to write test fixtures, and how to open a pull request.

Quick start:

python3 main.py new <format_name>

This generates a ready-to-fill template at parsers/formats/<format_name>_parser.py. Implement the methods, add the parser to parsers/__init__.py, add a test fixture, and you're done.

About

A versatile security rule parser and normalizer designed to convert multi-format detection signatures (such as YARA, Suricata, and Emerging Threats) into structured JSON. Whether via file upload or direct copy-paste, it streamlines the translation of complex security logic into a machine-readable format for seamless integration and automation.
