{"id":50033708,"url":"https://github.com/Karib0u/rustinel","last_synced_at":"2026-06-06T13:00:47.335Z","repository":{"id":335746158,"uuid":"1146898804","full_name":"Karib0u/rustinel","owner":"Karib0u","description":"Open-source endpoint detection engine for Windows and Linux using ETW, eBPF, Sigma, YARA, IOCs, and ECS NDJSON alerts.","archived":false,"fork":false,"pushed_at":"2026-05-31T08:40:19.000Z","size":2664,"stargazers_count":341,"open_issues_count":13,"forks_count":36,"subscribers_count":7,"default_branch":"main","last_synced_at":"2026-05-31T10:08:59.207Z","etag":null,"topics":["blue-team","detection-engineering","ebpf","edr","endpoint-detection","endpoint-security","etw","incident-response","linux","linux-security","malware-detection","rust","security-monitoring","security-tools","siem","sigma","sysmon","threat-detection","windows-security","yara"],"latest_commit_sha":null,"homepage":"https://docs.rustinel.io","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Karib0u.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":"docs/roadmap.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-01-31T21:27:43.000Z","updated_at":"2026-05-31T08:40:23.000Z","dependencies_parsed_at":null,"dependency_job_id":"01b70d11-cc04-4375-93a7-03eba7f9a9b5","html_url":"https://github.com/Karib0u/rustinel","commit_stats":null,"previous_names":["karib0u/rustinel"],"tags_count":10,"template":false,"template_full_name":null,"purl":"pkg:github/Karib0u/rustinel","re
pository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Karib0u%2Frustinel","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Karib0u%2Frustinel/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Karib0u%2Frustinel/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Karib0u%2Frustinel/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Karib0u","download_url":"https://codeload.github.com/Karib0u/rustinel/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Karib0u%2Frustinel/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33983046,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-06T02:00:07.033Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blue-team","detection-engineering","ebpf","edr","endpoint-detection","endpoint-security","etw","incident-response","linux","linux-security","malware-detection","rust","security-monitoring","security-tools","siem","sigma","sysmon","threat-detection","windows-security","yara"],"created_at":"2026-05-20T23:00:37.280Z","updated_at":"2026-06-06T13:00:47.324Z","avatar_url":"https://github.com/Karib0u.png","language":"Rust","funding_links":[],"categories":["Logging, Monitoring \u0026 Data 
Sources"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/images/logo-rustinel.png\" alt=\"Rustinel logo\" width=\"280\"\u003e\n\u003c/p\u003e\n\n# Rustinel\n\n**Open-source endpoint detection for Windows, Linux, and macOS**\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/Karib0u/rustinel/actions/workflows/ci-cd.yml\"\u003e\u003cimg src=\"https://github.com/Karib0u/rustinel/actions/workflows/ci-cd.yml/badge.svg?style=flat-square\" alt=\"CI\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/Karib0u/rustinel/releases/latest\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/Karib0u/rustinel?style=flat-square\u0026color=ff8a3d\" alt=\"Latest release\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/Karib0u/rustinel/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/downloads/Karib0u/rustinel/total?style=flat-square\u0026color=ff8a3d\" alt=\"Downloads\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/Karib0u/rustinel/stargazers\"\u003e\u003cimg src=\"https://img.shields.io/github/stars/Karib0u/rustinel?style=flat-square\u0026color=ff8a3d\" alt=\"Stars\"\u003e\u003c/a\u003e\n  \u003cbr\u003e\n  \u003cimg src=\"https://img.shields.io/badge/platform-Windows%20ETW-blue?style=flat-square\u0026logo=windows\" alt=\"Platform Windows ETW\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/platform-Linux%20eBPF-orange?style=flat-square\u0026logo=linux\" alt=\"Platform Linux eBPF\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/platform-macOS%20ESF-black?style=flat-square\u0026logo=apple\" alt=\"Platform macOS ESF\"\u003e\n  \u003ca href=\"https://docs.rustinel.io/\"\u003e\u003cimg src=\"https://img.shields.io/badge/docs-rustinel.io-d97835?style=flat-square\" alt=\"Docs\"\u003e\u003c/a\u003e\n  \u003cimg src=\"https://img.shields.io/badge/license-Apache%202.0-ff8a3d?style=flat-square\" alt=\"License\"\u003e\n\u003c/p\u003e\n\n[Official 
site](https://rustinel.io/) · [Documentation](https://docs.rustinel.io/) · [Latest Release](https://github.com/Karib0u/rustinel/releases/latest) · [SIEM demos](docs/siem-demos.md)\n\nRustinel is an open-source endpoint detection project for **Windows**, **Linux**, and **macOS**.\n\nIt collects native host telemetry using **ETW** on Windows, **eBPF** on Linux, and **Endpoint Security** plus **`/dev/bpf`** on macOS, normalizes events into a shared model, evaluates **Sigma**, **YARA**, and **IOC** detections, writes **ECS NDJSON** alerts, and can optionally terminate malicious processes.\n\nThe goal is simple: give blue teams, researchers, and detection engineers a transparent endpoint detection engine they can inspect, run, test, and extend.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/images/demo.gif\" alt=\"Rustinel Demo\" width=\"900\"\u003e\n\u003c/p\u003e\n\n---\n\n## Try the latest release\n\nUse this path if you want to see a first alert quickly. The release archives\ninclude `config.toml`, bundled demo rules, IOC files, and an empty `logs/`\ndirectory.\n\n### Linux\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.sh | sh -s -- --run\n```\n\nPrefer to inspect first:\n\n```bash\ncurl -fsSLO https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.sh\nless install.sh\nsh install.sh --run\n```\n\n### Windows\n\nRun from an elevated PowerShell:\n\n```powershell\nInvoke-WebRequest https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.ps1 -OutFile install-rustinel.ps1\npowershell -ExecutionPolicy Bypass -File .\\install-rustinel.ps1 -Run\n```\n\nThen trigger the bundled demo rule:\n\n```text\nLinux:   whoami\nWindows: whoami /all\n```\n\nAlerts are written to `logs/alerts.json.\u003cdate\u003e`. To ingest them locally, use the\n[Elastic and Splunk demos](docs/siem-demos.md).\n\nThe install scripts only install published release binaries. 
They do not install\nRust, Cargo, or build from source. If your OS or architecture has no release\nasset, they exit with a link to the [source build path](docs/getting-started.md#compile-from-source).\n\nPrefer manual downloads? Use the [latest GitHub Release](https://github.com/Karib0u/rustinel/releases/latest).\n\n---\n\n## Why Rustinel exists\n\nRustinel was created because there was a real gap in the open-source endpoint detection space.\n\nThe project aims to combine:\n\n- Native Windows telemetry through **ETW**\n- Native Linux telemetry through **eBPF**\n- A single cross-platform detection pipeline\n- Support for community detection formats like **Sigma** and **YARA**\n- IOC matching for hashes, IPs, domains, and path regexes\n- ECS NDJSON alert output for SIEM-friendly ingestion\n- A performant, memory-safe implementation in **Rust**\n\nSome tools solve parts of this problem, but Rustinel brings these pieces together in one transparent and extensible agent.\n\nRustinel is not trying to hide behind a black box. 
The project is designed so defenders can understand exactly what telemetry is collected, how detections are evaluated, and where the current limits are.\n\n---\n\n## What Rustinel does today\n\nRustinel currently provides:\n\n- Windows telemetry collection through ETW\n- Linux telemetry collection through eBPF\n- macOS telemetry collection through Endpoint Security and `/dev/bpf`\n- A shared event model across supported platforms\n- Sigma rule evaluation on normalized events\n- YARA scanning on process creation\n- IOC matching for file hashes, IPs, domains, and path regexes\n- ECS NDJSON alert output\n- Hot reload for rules and indicator files\n- Optional active response with dry-run and allowlists\n- Windows service support\n- Linux foreground execution under root or a supervisor of your choice\n- macOS foreground execution under root, or a launchd daemon\n\n---\n\n## Architecture\n\n```text\nWindows hosts        Linux hosts        macOS hosts\n   ETW                  eBPF             ESF + /dev/bpf\n    |                    |                    |\n    +--------------------+--------------------+\n                    |\n          Normalized event model\n                    |\n        +-----------+-----------+\n        |           |           |\n      Sigma        YARA        IOC\n   behavior     process      hashes,\n   rules        creation     IPs,\n                scanning     domains,\n                             path regexes\n        |           |           |\n        +-----------+-----------+\n                    |\n             ECS NDJSON alerts\n                    |\n          Optional active response\n```\n\n---\n\n## Detection model\n\nRustinel combines three detection layers.\n\n### Sigma\n\nSigma is used for behavioral detections on normalized endpoint events.\n\nExamples include:\n\n- Suspicious PowerShell activity\n- WMI execution\n- Service creation\n- Scheduled task creation\n- Suspicious process execution\n- Linux process, network, file, and DNS 
query activity\n\nSigma support makes Rustinel practical for detection engineers because existing community rules can be reused and adapted instead of being rewritten into a proprietary format.\n\n### YARA\n\nYARA is used for file and tooling detection.\n\nToday, Rustinel scans executables on process creation. This provides a practical high-signal scanning point without trying to behave like a full antivirus engine scanning everything on disk all the time.\n\nYARA memory scanning is also supported, targeting private executable regions to detect packed, obfuscated, or runtime-unpacked payloads.\n\n### IOC matching\n\nIOC matching provides fast deterministic checks against:\n\n- File hashes\n- IP addresses\n- Domains\n- Path regexes\n\nIOC matching is useful for threat intelligence and incident response, but it is strongest when combined with behavioral detections and YARA scanning. Domain IOCs can match DNS `QueryName` on Windows, Linux, and macOS; Linux covers outbound plaintext DNS queries observed by eBPF, and macOS covers plaintext DNS queries observed via `/dev/bpf` capture.\n\n---\n\n## Platform support\n\n| Platform | Sensor | Current coverage | Runtime model |\n| --- | --- | --- | --- |\n| Windows 10/11, Server 2016+ | ETW | Process, image load, network, file, registry, DNS, PowerShell, WMI, service, task | Foreground run or built-in Windows service commands |\n| Linux 5.8+ with BTF | eBPF | Process, network, file, DNS | Foreground run under root or your supervisor of choice |\n| macOS 11+ | Endpoint Security + `/dev/bpf` | Process, file, network, DNS | Experimental; foreground run under root (signed/entitled or SIP relaxed) or a launchd daemon |\n\nWindows telemetry coverage is broader today. Linux and macOS support currently focus on process, network, file, and DNS telemetry. Linux DNS events include outbound plaintext DNS `QueryName`; DNS response answers (`QueryResults`) are not parsed yet. 
macOS collects process and file events through Endpoint Security and network and DNS through `/dev/bpf` capture; network events are attributed to a process on a best-effort basis.\n\nmacOS support is experimental while the project waits for the required Endpoint Security Framework entitlement.\n\n---\n\n## 60-second demo\n\nDownload Rustinel, start the agent, trigger a test command, and inspect the generated alert.\n\n### Windows\n\n```powershell\ncd .\\rustinel-\u003cversion\u003e-x86_64-pc-windows-msvc\n.\\rustinel.exe run\nwhoami /all\ntype .\\logs\\alerts.json.*\n```\n\n### Linux\n\n```bash\ncd rustinel-\u003cversion\u003e-x86_64-unknown-linux-musl\nsudo ./rustinel run\nwhoami\ncat logs/alerts.json.*\n```\n\n### macOS\n\n```bash\ncd rustinel-\u003cversion\u003e-aarch64-apple-darwin\nsudo ./rustinel run\nwhoami\ncat logs/alerts.json.*\n```\n\nCreating an Endpoint Security client requires root and the\n`com.apple.developer.endpoint-security.client` entitlement on signed,\nnotarized builds. For local testing you can run with SIP/AMFI relaxed. 
See the\n[development docs](docs/development.md) for ad-hoc signing steps.\n\nThe bundled demo rules are intended to validate that telemetry collection, rule evaluation, and alert output are working.\n\n---\n\n## Quick start\n\nDownload the release package for your platform from [GitHub Releases](https://github.com/Karib0u/rustinel/releases) and extract it.\n\n### Windows\n\nDownload:\n\n```text\nrustinel-\u003cversion\u003e-x86_64-pc-windows-msvc.zip\n```\n\nExtract it, then run from an elevated PowerShell. `rustinel.exe run` stays in the foreground, so run `whoami /all` from a second window:\n\n```powershell\ncd .\\rustinel-\u003cversion\u003e-x86_64-pc-windows-msvc\n.\\rustinel.exe run\nwhoami /all\n```\n\nThe bundled Sigma demo rule should write an alert to:\n\n```text\nlogs/alerts.json.\u003cdate\u003e\n```\n\n### Linux\n\nChoose the archive that matches your architecture:\n\n```text\nrustinel-\u003cversion\u003e-x86_64-unknown-linux-musl.tar.gz\nrustinel-\u003cversion\u003e-aarch64-unknown-linux-musl.tar.gz\n```\n\nExtract and run. `rustinel run` stays in the foreground, so run `whoami` from a second terminal:\n\n```bash\ntar xzf rustinel-\u003cversion\u003e-x86_64-unknown-linux-musl.tar.gz\ncd rustinel-\u003cversion\u003e-x86_64-unknown-linux-musl\nsudo ./rustinel run\nwhoami\n```\n\nIf startup fails with `tracefs not found`, mount the tracing filesystems (this needs root) and retry:\n\n```bash\nsudo mount -t tracefs tracefs /sys/kernel/tracing\nsudo mount -t debugfs debugfs /sys/kernel/debug\n```\n\nThe bundled Sigma demo rule should write an alert to:\n\n```text\nlogs/alerts.json.\u003cdate\u003e\n```\n\n### macOS\n\nChoose the archive that matches your architecture:\n\n```text\nrustinel-\u003cversion\u003e-aarch64-apple-darwin.tar.gz\nrustinel-\u003cversion\u003e-x86_64-apple-darwin.tar.gz\n```\n\nExtract and run as root:\n\n```bash\ntar xzf rustinel-\u003cversion\u003e-aarch64-apple-darwin.tar.gz\ncd rustinel-\u003cversion\u003e-aarch64-apple-darwin\nsudo ./rustinel run\n```\n\nIf startup fails with `NotPrivileged`, the Endpoint Security client could not be\ncreated: run as root with a signed, entitled build, or relax SIP/AMFI for local\ntesting. 
A `com.rustinel.agent.plist` LaunchDaemon is included for persistent\ndeployment.\n\n---\n\n## Build from source\n\nIf you prefer to build locally instead of using a published release, use `cargo build --release`.\n\n### Windows\n\n```powershell\ncargo build --release\n.\\target\\release\\rustinel.exe run\n```\n\n### Linux\n\n```bash\ncargo build --release\nsudo ./target/release/rustinel run\n```\n\n### macOS\n\n```bash\ncargo build --release\ncodesign --force --sign - \\\n  --entitlements packaging/macos/rustinel.entitlements \\\n  target/release/rustinel\nsudo ./target/release/rustinel run\n```\n\nAd-hoc signing with the entitlement only takes effect when SIP/AMFI is relaxed;\ndistributable builds require a Developer ID and notarization.\n\nFor full release setup, source-build prerequisites, and validation steps, see the [Getting Started](https://docs.rustinel.io/getting-started/) documentation.\n\n---\n\n## Output\n\nRustinel writes operational logs and alerts to disk.\n\n```text\nlogs/rustinel.log.\u003cdate\u003e\nlogs/alerts.json.\u003cdate\u003e\n```\n\nAlert format:\n\n```text\nECS 9.3.0 NDJSON\n```\n\nThis makes Rustinel alerts easy to ingest into SIEM and log pipelines.\n\n---\n\n## Best for\n\nRustinel is currently best suited for:\n\n- Lab deployments and evaluations\n- Detection engineering\n- Rule development and testing\n- Blue teams that want transparent host telemetry\n- Cross-platform detection research\n- SIEM pipeline testing\n- Learning how ETW, eBPF, Sigma, YARA, and IOCs can fit together\n\n---\n\n## What Rustinel is not\n\nRustinel is not a full replacement for every capability of a mature commercial EDR.\n\nToday, Rustinel does not try to provide the same kernel-level self-protection, pre-execution blocking, anti-tamper guarantees, or managed response capabilities that commercial EDR products may provide.\n\nA sufficiently privileged attacker may be able to interfere with user-mode components or telemetry sources. 
Kernel-level threats, telemetry tampering, and heavily obfuscated activity may require additional controls or future Rustinel capabilities.\n\nRustinel is designed as a transparent open-source detection engine focused on telemetry collection, rule-based detection, alert generation, and research.\n\n---\n\n## Roadmap\n\nNear-term focus is on first-run experience, a curated detection pack, and deployment reliability. Telemetry expansion and advanced EDR capabilities come after the basics are solid.\n\nSee the [full roadmap](docs/roadmap.md) for details.\n\n---\n\n## Documentation\n\n- [Official Site](https://rustinel.io/)\n- [Documentation Home](https://docs.rustinel.io/)\n- [Getting Started](https://docs.rustinel.io/getting-started/)\n- [Configuration](https://docs.rustinel.io/configuration/)\n- [Detection](https://docs.rustinel.io/detection/)\n- [Architecture](https://docs.rustinel.io/architecture/)\n- [Development](https://docs.rustinel.io/development/)\n- [Operations and Upgrade Guide](https://docs.rustinel.io/operations/)\n- [Troubleshooting](https://docs.rustinel.io/troubleshooting/)\n- [FAQ](https://docs.rustinel.io/faq/)\n\n---\n\n## Contributing\n\nContributions, testing, feedback, and detection ideas are welcome. See [CONTRIBUTING.md](CONTRIBUTING.md) to get started.\n\n---\n\n## License\n\nApache 2.0. See [`LICENSE`](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKarib0u%2Frustinel","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FKarib0u%2Frustinel","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FKarib0u%2Frustinel/lists"}
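The Linux rows of the Quick start and Platform support sections in the README record above state the sensor's requirements: Linux 5.8+ with BTF, a mounted tracefs (startup otherwise fails with `tracefs not found`), and root. As an added example that is not Rustinel's own code, the following preflight check tests each of those conditions from a uname release string, the text of `/proc/mounts`, the presence of the kernel's BTF blob and the effective UID, and pairs every failure with the remedy the README gives. `/sys/kernel/btf/vmlinux` as the BTF location and `CONFIG_DEBUG_INFO_BTF` as the kernel option are standard kernel facts rather than statements from the README, and the `/proc/mounts` excerpts are constructed for the demo.

```python
# Added example, not Rustinel's code: a preflight check for the Linux quick start.
import os
import re

MIN_KERNEL = (5, 8)                      # README: "Linux 5.8+ with BTF"
BTF_PATH = "/sys/kernel/btf/vmlinux"     # standard location of the kernel's BTF blob
TRACEFS_REMEDY = ("sudo mount -t tracefs tracefs /sys/kernel/tracing && "
                  "sudo mount -t debugfs debugfs /sys/kernel/debug")


def parse_kernel_release(release):
    """Turn a uname release such as '5.15.0-91-generic' or '6.8.0-rc1' into (major, minor)."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))


def tracefs_mountpoints(proc_mounts):
    """Mount points whose filesystem type is tracefs, from /proc/mounts text
    (fields: device, mountpoint, fstype, options, dump, pass)."""
    points = set()
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "tracefs":
            points.add(fields[1])
    return points


def check_linux_prereqs(release, proc_mounts, has_btf, euid):
    """Return (problem, remedy) pairs; an empty list means `sudo ./rustinel run`
    should get past sensor startup on this host."""
    problems = []
    if parse_kernel_release(release) < MIN_KERNEL:
        problems.append((f"kernel {release} is older than {MIN_KERNEL[0]}.{MIN_KERNEL[1]}",
                         "boot a 5.8+ kernel built with BTF"))
    if not has_btf:
        problems.append((f"{BTF_PATH} is missing (no BTF for eBPF CO-RE)",
                         "use a kernel built with CONFIG_DEBUG_INFO_BTF=y"))
    if not tracefs_mountpoints(proc_mounts):
        problems.append(("tracefs is not mounted (agent reports 'tracefs not found')",
                         TRACEFS_REMEDY))
    if euid != 0:
        problems.append(("not running as root", "run under sudo or a root supervisor"))
    return problems


def check_this_host():
    """Run the checks against the live host (Linux only)."""
    with open("/proc/mounts", encoding="utf-8") as fh:
        mounts = fh.read()
    return check_linux_prereqs(os.uname().release, mounts,
                               os.path.exists(BTF_PATH), os.geteuid())


# Constructed /proc/mounts excerpts used by the demo run below.
MOUNTS_OK = ("sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"
             "tracefs /sys/kernel/tracing tracefs rw,nosuid,nodev,noexec,relatime 0 0\n")
MOUNTS_MISSING = "sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n"

if __name__ == "__main__":
    # A deliberately unprepared host: old kernel, no BTF, no tracefs, unprivileged user.
    for problem, remedy in check_linux_prereqs("5.4.0-150-generic", MOUNTS_MISSING, False, 1000):
        print(f"{problem}\n    fix: {remedy}")
```

On a real host call `check_this_host()` before `sudo ./rustinel run`; the inputs are injected so the same logic can be exercised on a workstation that is not the target box.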
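The Detection model and Output sections of the README record above describe Sigma rules evaluated over normalized events and alerts written as ECS NDJSON for SIEM ingestion. The following is an added example, not Rustinel's code, showing the shape of that pipeline end to end: a minimal Sigma-style matcher (selections with `endswith`, `contains` and `re` modifiers, a `selection and not filter` condition, and a logsource check) run over constructed process events, emitting ECS-shaped alert lines and reading them back while tolerating a last line that was cut mid-write. The rule, the Sigma-style event field names, and the exact alert fields are assumptions; Rustinel's own event model and alert layout are not reproduced here.

```python
# Added example, not Rustinel's code: rule, event and alert field names are assumed.
import json
import re
from datetime import datetime, timezone

# Illustrative Sigma rule as the Python equivalent of its YAML (not the bundled
# demo rule). Keys within a selection are AND, a list of values is OR.
WHOAMI_RULE = {
    "title": "Whoami Execution",
    "level": "low",
    "logsource": {"product": "linux", "category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": ["/whoami", "/id"]},
        "filter_cron": {"ParentImage|endswith": "/cron"},
        "condition": "selection and not filter_cron",
    },
}

# Constructed normalized process events using Sigma's process_creation field names.
SAMPLE_EVENTS = [
    {"product": "linux", "category": "process_creation", "Hostname": "lab-01", "User": "alice",
     "ProcessId": 4242, "Image": "/usr/bin/whoami", "CommandLine": "whoami", "ParentImage": "/usr/bin/bash"},
    {"product": "linux", "category": "process_creation", "Hostname": "lab-01", "User": "root",
     "ProcessId": 4243, "Image": "/usr/bin/id", "CommandLine": "id -u", "ParentImage": "/usr/sbin/cron"},
    {"product": "linux", "category": "process_creation", "Hostname": "lab-01", "User": "alice",
     "ProcessId": 4244, "Image": "/usr/bin/ls", "CommandLine": "ls -la", "ParentImage": "/usr/bin/bash"},
]


def _match_value(modifier, actual, expected):
    """Apply one Sigma value modifier (or plain equality) to a single field value."""
    actual, expected = ("" if actual is None else str(actual)), str(expected)
    ops = {None: lambda a, e: a == e, "endswith": str.endswith,
           "contains": lambda a, e: e in a, "re": lambda a, e: re.search(e, a) is not None}
    return ops[modifier](actual, expected)  # KeyError for a modifier this toy does not support


def _match_selection(selection, event):
    """Every key of a selection must match (AND); a list of values is OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(modifier or None, event.get(field), v) for v in values):
            return False
    return True


def evaluate(rule, event):
    """True if the event is in the rule's logsource and satisfies its condition.
    Conditions of the form 'a', 'a and b', 'a and not b' and 'a or b' are supported."""
    if any(event.get(k) != v for k, v in rule.get("logsource", {}).items()):
        return False
    detection = rule["detection"]
    results = {name: _match_selection(sel, event)
               for name, sel in detection.items() if name != "condition"}
    for branch in detection["condition"].split(" or "):
        hits = []
        for term in branch.split(" and "):
            negate = term.startswith("not ")
            hits.append(results[term[4:] if negate else term] != negate)
        if all(hits):
            return True
    return False


def to_ecs_alert(rule, event, now):
    """Shape a match as an ECS-style alert document, one NDJSON line per alert."""
    doc = {
        "@timestamp": now.isoformat(),
        "event": {"kind": "alert", "category": ["process"], "type": ["start"]},
        "rule": {"name": rule["title"]},
        "labels": {"sigma_level": rule["level"]},
        "host": {"name": event.get("Hostname")},
        "user": {"name": event.get("User")},
        "process": {"pid": event.get("ProcessId"), "executable": event.get("Image"),
                    "command_line": event.get("CommandLine")},
        "message": f"{rule['title']}: {event.get('CommandLine')}",
    }
    return json.dumps(doc, separators=(",", ":"))


def run_pipeline(rules, events, now):
    """Evaluate every rule against every event; return the alert lines to append."""
    return [to_ecs_alert(r, e, now) for e in events for r in rules if evaluate(r, e)]


def read_ndjson_alerts(text):
    """Parse an alerts file body. A file the agent is still appending to can end in
    a partial line; count it as skipped rather than failing the whole ingest."""
    alerts, skipped = [], 0
    for line in text.split("\n"):
        if not line.strip():
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return alerts, skipped


def demo():
    """Write alerts for the sample events, then read them back as a SIEM step would."""
    fixed = datetime(2026, 6, 1, 12, 0, tzinfo=timezone.utc)
    lines = run_pipeline([WHOAMI_RULE], SAMPLE_EVENTS, fixed)
    body = "\n".join(lines) + "\n" + lines[0][:30]  # last line cut mid-write
    return read_ndjson_alerts(body)


if __name__ == "__main__":
    found, partial = demo()
    for a in found:
        print(a["@timestamp"], a["rule"]["name"], a["process"]["executable"])
    print(f"{len(found)} alert(s), {partial} partial line(s) skipped")
```

Of the three constructed events only the interactive `whoami` produces an alert: `id -u` matches the selection but is excluded by the `filter_cron` branch, and `ls` matches nothing. The reader deliberately treats a torn trailing line as a skip rather than an error, which is the behaviour a tailer wants when it reads `logs/alerts.json.<date>` while the agent still holds it open.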