Add separate file output for converted rules with directory structure preservation#93
Copilot wants to merge 6 commits into
- Add --output-dir parameter to specify output directory
- Add --output-filename-template parameter with template variables
- Support template variables: {path}, {stem}, {index}
- Handle rules that emit multiple queries with index suffixes
- Create directories as needed for output
- Add comprehensive tests for new functionality
- Document --output-dir and --output-filename-template parameters
- Provide examples for flat and nested directory structures
- Explain template variables {path}, {stem}, {index}
- Change short option from -oT to -ot for consistency
- Improve error messages with actionable guidance
- Add context about expected formats in error messages
| # Create a single-rule collection for this rule | ||
| single_rule_collection = SigmaCollection([rule]) | ||
|
|
||
| # Convert the rule | ||
| try: | ||
| result = backend.convert(single_rule_collection, format, correlation_method) |
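Review bot: building a fresh SigmaCollection([rule]) around each rule before calling backend.convert(single_rule_collection, format, correlation_method) throws away the collection context that rules referencing other rules need, so a collection that contains correlation rules will fail inside this try rather than with a message the user can act on; check for such rules before entering the per-rule loop (or convert the whole collection once and map the results back to their source rules) and report up front that --output-dir does not support them. With a one-rule collection, also consider whether passing correlation_method here still has any effect worth keeping.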
Does this work with Sigma correlations and filters? These refer to other rules in a collection, I doubt this works if a rule collection is split up in this way. Please add tests for these cases and fix if necessary.
I've addressed this in commit 3ba5dd1. Here's what I found and fixed:
Filters: ✅ Work correctly with --output-dir. Filters are resolved at collection load time (via resolve_rule_references()), so their conditions are baked into the rule's detection before individual conversion. Added test to verify.
Correlation rules: ❌ Cannot work with --output-dir because they reference other rules by name. When splitting into individual collections, those references would fail with SigmaRuleNotFoundError.
Solution: Added validation that errors out with a clear message if the collection contains correlation rules when using --output-dir. Users must use --output for correlation rules to keep the full collection intact.
Added comprehensive tests for both scenarios.
- Add validation to prevent use of --output-dir with correlation rules
- Correlation rules reference other rules and cannot be split individually
- Add comprehensive tests for correlation rules and filters
- Filters work correctly as they are resolved at collection load time
- Exit with clear error message if correlation rules are detected
- Replace type().__name__ with isinstance(rule, SigmaCorrelationRule)
- More Pythonic and handles inheritance correctly
- Import SigmaCorrelationRule from sigma.correlations
- Fix trailing whitespace in test file
Converting multiple Sigma rules currently outputs all results to a single file, making version control and selective deployment impractical. This adds support for writing each converted rule to a separate file with configurable naming and directory structure.
Changes
- --output-dir parameter: Specifies output directory for individual rule files (mutually exclusive with --output)
- --output-filename-template parameter: Controls output filenames using template variables:
  - {path}: Relative source directory path
  - {stem}: Source filename without extension
  - {index}: Query index for rules emitting multiple queries (1, 2, 3...)
- --output-dir, allowing granular output control
- --output-dir with correlation rules, which reference other rules and must be converted as part of the full collection. Exits with clear error message directing users to use --output instead.
- --output-dir as they are resolved at collection load time and baked into individual rule detections

Usage
Given source structure:
Template {path}/{stem}.esql produces:

Limitations
- --output-dir. Correlation rules reference other rules by name and require the full collection context for conversion. Use --output to write correlation rules to a single file.
- --output-dir and are applied to individual rules as expected.

Testing
- --output-dir
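As an added example, not code from this PR or from sigma-cli, the following dependency-free Python sketch shows the naming and writing behaviour the description above specifies: rendering {path}, {stem} and {index} from a rule's source path, creating nested directories as needed, and giving each query of a multi-query rule its own file. It also adds the checks a reviewer would want around a user-supplied template: an unknown variable or a template that would make several queries overwrite each other produces an actionable error, and a rendered name that resolves outside the output directory (for example a template beginning with "../") is refused. Two details are assumptions made for this illustration rather than behaviour stated in the PR: {index} renders as an empty string when a rule emits a single query, and a multi-query rule with a template lacking {index} is rejected instead of being silently suffixed. The sample rule paths and queries are constructed inline.

```python
"""Per-rule output naming for a Sigma converter: an illustrative stand-in, not sigma-cli's code."""
from pathlib import Path
from typing import Dict, List, Mapping, Sequence
import tempfile

TEMPLATE_VARIABLES = ("path", "stem", "index")


def render_filename(template: str, source: Path, base_dir: Path,
                    index: int = 1, total: int = 1) -> str:
    """Render the output filename template for query `index` of `total` emitted by one rule.

    {path}  directory of the source rule relative to base_dir ("" for rules at the top level)
    {stem}  source filename without extension
    {index} 1-based query number; assumed here to render as "" when the rule emits one query
    """
    if total > 1 and "{index}" not in template:
        raise ValueError(
            f"{source} emits {total} queries but template {template!r} has no {{index}}; "
            "add {index} so the queries do not overwrite each other"
        )
    rel_parent = source.relative_to(base_dir).parent.as_posix()
    variables: Dict[str, str] = {
        "path": "" if rel_parent == "." else rel_parent,
        "stem": source.stem,
        "index": str(index) if total > 1 else "",
    }
    try:
        rendered = template.format_map(variables)
    except KeyError as exc:
        supported = ", ".join("{" + v + "}" for v in TEMPLATE_VARIABLES)
        raise ValueError(
            f"Unknown template variable {{{exc.args[0]}}} in {template!r}; supported: {supported}"
        ) from None
    # Drop empty segments left behind by an empty {path} ("/rule.esql" -> "rule.esql").
    parts = [p for p in rendered.split("/") if p not in ("", ".")]
    if not parts:
        raise ValueError(f"Template {template!r} rendered to an empty name for {source}")
    return "/".join(parts)


def is_within(output_dir: Path, relative_name: str) -> bool:
    """True if output_dir/relative_name still lies inside output_dir once '..' segments resolve."""
    root = output_dir.resolve()
    target = (root / relative_name).resolve()
    return root in target.parents


def plan_outputs(base_dir: Path, template: str,
                 converted: Mapping[Path, Sequence[str]]) -> Dict[str, str]:
    """Map every (rule, query) pair to a relative output name, refusing templates under which
    two queries land on the same file (e.g. a flat "{stem}.esql" with duplicate stems)."""
    plan: Dict[str, str] = {}
    owners: Dict[str, str] = {}
    for source, queries in converted.items():
        for index, query in enumerate(queries, start=1):
            name = render_filename(template, source, base_dir, index, len(queries))
            if name in plan:
                raise ValueError(
                    f"{source} and {owners[name]} both render to {name!r}; "
                    "use {path} or {index} in the template to disambiguate"
                )
            plan[name] = query
            owners[name] = str(source)
    return plan


def write_outputs(output_dir: Path, plan: Mapping[str, str]) -> List[Path]:
    """Write each planned file under output_dir, creating directories as needed and refusing
    any rendered name that resolves outside output_dir (a user-supplied template is untrusted)."""
    written: List[Path] = []
    for name, query in plan.items():
        if not is_within(output_dir, name):
            raise ValueError(f"{name!r} resolves outside {output_dir}; refusing to write")
        target = output_dir / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(query + "\n", encoding="utf-8")
        written.append(target)
    return written


# Constructed sample conversion result: source rule path -> queries a backend returned for it.
SAMPLE_CONVERTED: Dict[Path, List[str]] = {
    Path("rules/windows/process_creation/susp_whoami.yml"): [
        'process where process.name == "whoami.exe"'],
    Path("rules/linux/auditd/susp_download.yml"): [
        'process where process.name == "curl"',
        'process where process.name == "wget"'],
    Path("rules/generic.yml"): ["any where true"],
}


def demo(template: str = "{path}/{stem}{index}.esql") -> List[str]:
    """Plan and write the constructed sample into a temp dir; return the relative names written."""
    plan = plan_outputs(Path("rules"), template, SAMPLE_CONVERTED)
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        return sorted(p.relative_to(out).as_posix() for p in write_outputs(out, plan))


if __name__ == "__main__":
    for tpl in ("{path}/{stem}{index}.esql", "{stem}{index}.esql"):
        print(tpl, "->", demo(tpl))
```

Planning all names before writing anything is deliberate: a collision or an escaping path is reported with nothing on disk, instead of half a rule set written and one file silently overwritten. The same plan-then-write split is where a check for correlation rules would go, since they need the whole collection and cannot be placed into this per-rule scheme.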