From 70676bd0244ca387b782bd3fd0a3c575a2812034 Mon Sep 17 00:00:00 2001
From: Chris Bassey
Date: Sat, 28 Jun 2025 14:38:18 +0200
Subject: [PATCH 1/2] refactored script for checking conflicting rules
---
check_rule_ids.py | 37 ++++++++++++++++++++++++++++++------
rules/conflicting _rules.xml | 19 ++++++++++++++++++
2 files changed, 48 insertions(+), 8 deletions(-)
create mode 100644 rules/conflicting _rules.xml
diff --git a/check_rule_ids.py b/check_rule_ids.py
index f435e7d..d0bfaef 100644
--- a/check_rule_ids.py
+++ b/check_rule_ids.py
@@ -73,17 +73,38 @@ def main(): print("āœ… No rule files were changed in this PR.") return - print(f"šŸ” Checking these files for conflicts: {[f.name for f in changed_files]}") + # print(f"šŸ” Checking these files for conflicts: {[f.name for f in changed_files]}") + + # changed_ids = get_rule_ids_in_files(changed_files) + # main_ids = get_all_main_rule_ids() + # conflicts = changed_ids & main_ids + + # if conflicts: + # print(f"āŒ Conflicting rule IDs: {sorted(conflicts)}") + # sys.exit(1) + # else: + # print("āœ… No rule ID conflicts.") - changed_ids = get_rule_ids_in_files(changed_files) + print(f"šŸ” Checking these files for conflicts: {[f.name for f in changed_files]}") main_ids = get_all_main_rule_ids() - conflicts = changed_ids & main_ids - if conflicts: - print(f"āŒ Conflicting rule IDs: {sorted(conflicts)}") - sys.exit(1) - else: - print("āœ… No rule ID conflicts.") + # Loop through each changed file and check for ID conflicts + for path in changed_files: + print(f"\nšŸ”Ž Checking file: {path.name}") + try: + content = path.read_text() + file_ids = extract_rule_ids_from_xml(content) + except Exception as e: + print(f"āš ļø Could not read {path.name}: {e}") + continue + conflicts = file_ids & main_ids + if conflicts: + print(f"āŒ Conflicting rule IDs in {path.name} file. Rule IDs: {sorted(conflicts)}") + sys.exit(1) + else: + print(f"āœ… No rule ID conflicts in {path.name}.") + + print("\nāœ… All checked files are conflict-free.") if __name__ == "__main__": main() diff --git a/rules/conflicting _rules.xml b/rules/conflicting _rules.xml new file mode 100644 index 0000000..f0d090b --- /dev/null +++ b/rules/conflicting _rules.xml @@ -0,0 +1,19 @@ + + + + + + + + + + + 5716 + 1.1.1.1 + sshd: authentication failed from IP 1.1.1.1. + authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5, + + + From e83b83afbe08934c78860271130011200245d685 Mon Sep 17 00:00:00 2001 
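Review bot: The `except Exception` branch in the new per-file loop prints a warning and `continue`s, so a rule file that cannot be read or parsed is skipped and the run still ends with the "conflict-free" message and exit status 0. For a CI gate on detection rules that is fail-open: a malformed file passes the check unexamined. Record the failure and exit non-zero after the loop; deferring `sys.exit(1)` for conflicts in the same way would also report every conflicting file in one run instead of stopping at the first. The commented-out copy of the old logic at the top of the hunk can be deleted, since the history keeps it. main() begins above the hunk.

```python
    main_ids = get_all_main_rule_ids()
    failed = False

    for path in changed_files:
        # … unchanged: per-file "Checking file" banner …
        try:
            file_ids = extract_rule_ids_from_xml(path.read_text(encoding="utf-8"))
        except Exception as e:
            # An unreadable or unparsable rule file must fail the gate, not be skipped.
            print(f"Could not check {path.name}: {e}")
            failed = True
            continue
        conflicts = file_ids & main_ids
        if conflicts:
            # … unchanged: conflict message for this file …
            failed = True
        else:
            # … unchanged: per-file success message …

    if failed:
        sys.exit(1)
    # … unchanged: final "conflict-free" message …
```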
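Review bot: The new file's path contains a space, `rules/conflicting _rules.xml`, which looks accidental and tends to trip tooling that splits file lists on whitespace; `rules/conflicting_rules.xml` would be safer. The name also reads like a fixture for exercising the ID checker. If that is its purpose, confirm that the rules directory is not loaded as live rules, or keep the fixture outside it.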
From: Chris Bassey Date: Sat, 28 Jun 2025 14:39:45 +0200 Subject: [PATCH 2/2] fixed rule conflicts --- rules/conflicting _rules.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/conflicting _rules.xml b/rules/conflicting _rules.xml index f0d090b..47cca53 100644 --- a/rules/conflicting _rules.xml +++ b/rules/conflicting _rules.xml @@ -9,7 +9,7 @@ - + 5716 1.1.1.1 sshd: authentication failed from IP 1.1.1.1.