Parsing Wazuh rules
May 21, 2023
Wazuh rules are written in a pseudo-XML format rather than standard XML: a single rule file may contain several top-level `<group>` elements, which a conforming XML document is not allowed to have. When reading them with Python's lxml you therefore have to add a root element yourself so that the text satisfies the W3C specification:
from lxml import etree

# multiple <group> elements, test case 1
# originRule = open("rules/0010-rules_config.xml", "r", encoding="utf-8").read()
# multiple top-level elements, single group, test case 2
with open("rules/0575-win-base_rules.xml", "r", encoding="utf-8") as f:
    originRule = f.read()

# full xml text: wrap the pseudo-XML in a single custom root element
xmlRuleData = "<custom_root>" + originRule + "</custom_root>"

# parser start
xmlDocRoot = etree.XML(xmlRuleData)

# do your stuff here, e.g. iterate over xmlDocRoot to reach each <group>
# note: comments take a place in the tree; lxml does not ignore them, so a
# child of a <group> may be a comment node (its .tag is not a str) rather than
# a <rule>. Pass etree.XMLParser(remove_comments=True) to etree.XML if you
# want them dropped.
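The following is an added example, not code from the original post, that carries the approach above through to a small parser: it wraps a rule file in a root element, walks only real element children (so comment nodes kept by lxml are skipped), flattens each `<rule>` into a dict with the group names it inherits from its enclosing `<group>`, and checks for duplicate rule ids, which Wazuh requires to be unique across the loaded ruleset. The sample rule text and its rule ids are constructed for the example; the fallback to the standard library parser when lxml is not installed is an assumption of this example, not something the post discusses.

```python
# Added example (not from the original post): parse a multi-root Wazuh rule file
# into plain dicts. Uses lxml when available, otherwise the standard library.
try:
    from lxml import etree
except ImportError:  # assumption: fall back to the stdlib parser if lxml is absent
    import xml.etree.ElementTree as etree

# Constructed sample of a Wazuh rule file: two top-level <group> elements and a
# comment, so it is not well-formed XML on its own. Rule ids are made up.
SAMPLE_RULES = """\
<!-- constructed sample, not a real Wazuh rule file -->
<group name="syslog,sshd,">
  <rule id="100001" level="5">
    <match>Failed password</match>
    <description>sshd: authentication failed.</description>
    <group>authentication_failed,</group>
  </rule>
</group>

<group name="windows,">
  <!-- a comment between rules is a child node, not a rule -->
  <rule id="100002" level="10" frequency="5" timeframe="120">
    <if_matched_sid>100001</if_matched_sid>
    <description>Multiple authentication failures.</description>
  </rule>
</group>
"""


def wrap_in_root(rule_text):
    """Give the pseudo-XML a single root so a W3C-conformant parser accepts it."""
    return "<custom_root>" + rule_text + "</custom_root>"


def element_children(node):
    """Yield only element children. lxml keeps comments (and processing
    instructions) as children whose .tag is not a str, so iterating a <group>
    directly would otherwise see them."""
    for child in node:
        if isinstance(child.tag, str):
            yield child


def parse_rules(rule_text):
    """Return one dict per <rule>, with the enclosing <group name> attached."""
    root = etree.fromstring(wrap_in_root(rule_text))
    rules = []
    for group in element_children(root):
        if group.tag != "group":
            continue  # anything else at top level is not a rule container
        inherited = [g for g in group.get("name", "").split(",") if g]
        for rule in element_children(group):
            if rule.tag != "rule":
                continue
            own = [g for g in (rule.findtext("group") or "").split(",") if g]
            rules.append({
                "id": int(rule.get("id")),
                "level": int(rule.get("level", "0")),
                "description": (rule.findtext("description") or "").strip(),
                "groups": inherited + own,
                "if_matched_sid": rule.findtext("if_matched_sid"),
            })
    return rules


def duplicate_ids(rules):
    """Rule ids must be unique across all loaded files; report any repeats."""
    seen, dupes = set(), set()
    for r in rules:
        if r["id"] in seen:
            dupes.add(r["id"])
        seen.add(r["id"])
    return sorted(dupes)


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for r in parsed:
        print(r["id"], r["level"], r["groups"], r["description"])
    print("duplicate ids:", duplicate_ids(parsed))
```

Filtering on `isinstance(child.tag, str)` is what makes the walk robust to the comment caveat: with lxml the comment inside the second `<group>` is a real child node, and a naive `for rule in group` loop would try to read `id` from it. `findall("rule")` would also skip comments, but the explicit check makes the reason visible.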