{"id":51278038,"url":"https://github.com/karib0u/rustinel-rules","last_synced_at":"2026-06-29T23:01:27.004Z","repository":{"id":362981070,"uuid":"1259720711","full_name":"Karib0u/rustinel-rules","owner":"Karib0u","description":"Official, curated detection content (Sigma, YARA, IOC packs) for the Rustinel endpoint detection engine.","archived":false,"fork":false,"pushed_at":"2026-06-23T06:00:00.000Z","size":1035,"stargazers_count":17,"open_issues_count":1,"forks_count":3,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-06-23T07:24:34.196Z","etag":null,"topics":["blue-team","detection-as-code","detection-engineering","edr","incident-response","ioc","mitre-attack","rustinel","security","sigma","threat-detection","yara"],"latest_commit_sha":null,"homepage":"https://docs.rustinel.io/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Karib0u.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-04T19:41:51.000Z","updated_at":"2026-06-23T06:00:02.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Karib0u/rustinel-rules","commit_stats":null,"previous_names":["karib0u/rustinel-rules"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/Karib0u/rustinel-rules","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Karib0u%2Frustinel-rules","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Karib0u%2Frustinel-rules/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Karib0u%2Frustinel-rules/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Karib0u%2Frustinel-rules/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Karib0u","download_url":"https://codeload.github.com/Karib0u/rustinel-rules/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Karib0u%2Frustinel-rules/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34945707,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-29T02:00:05.398Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["blue-team","detection-as-code","detection-engineering","edr","incident-response","ioc","mitre-attack","rustinel","security","sigma","threat-detection","yara"],"created_at":"2026-06-29T23:01:25.076Z","updated_at":"2026-06-29T23:01:26.947Z","avatar_url":"https://github.com/Karib0u.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"docs/images/logo-rustinel.png\" alt=\"Rustinel logo\" width=\"220\"\u003e\n\u003c/p\u003e\n\n\u003ch1 align=\"center\"\u003erustinel-rules\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003cb\u003eOfficial, curated detection content for the Rustinel endpoint detection engine.\u003c/b\u003e\u003cbr\u003e\n  Ready-to-load \u003cb\u003eSigma\u003c/b\u003e · \u003cb\u003eYARA\u003c/b\u003e · \u003cb\u003eIOC\u003c/b\u003e packs — no glue, no conversion step.\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/Karib0u/rustinel-rules/actions/workflows/validate.yml\"\u003e\u003cimg src=\"https://github.com/Karib0u/rustinel-rules/actions/workflows/validate.yml/badge.svg\" alt=\"Validate\"\u003e\u003c/a\u003e\n  \u003cimg src=\"https://img.shields.io/badge/detection--as--code-✓-ff8a3d?style=flat-square\" alt=\"Detection as Code\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/content-Sigma%20·%20YARA%20·%20IOC-ff8a3d?style=flat-square\" alt=\"Sigma · YARA · IOC\"\u003e\n  \u003ca href=\"https://github.com/Karib0u/rustinel\"\u003e\u003cimg src=\"https://img.shields.io/badge/engine-Rustinel-d97835?style=flat-square\u0026logo=rust\" alt=\"Engine: Rustinel\"\u003e\u003c/a\u003e\n  \u003cimg src=\"https://img.shields.io/badge/license-DRL%201.1-ff8a3d?style=flat-square\" alt=\"License: DRL 1.1\"\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/Karib0u/rustinel\"\u003eRustinel engine\u003c/a\u003e ·\n  \u003ca href=\"https://docs.rustinel.io/\"\u003eDocumentation\u003c/a\u003e ·\n  \u003ca href=\"docs/packs.md\"\u003ePack catalog\u003c/a\u003e ·\n  \u003ca href=\"https://github.com/Karib0u/rustinel-rules/releases/latest\"\u003eDownload packs\u003c/a\u003e\n\u003c/p\u003e\n\nThis is the **trusted, versioned, and CI-tested** detection-content repository for Rustinel.\n\n```text\nrustinel        →  the engine that collects telemetry and evaluates rules\nrustinel-rules  →  the Sigma / YARA / IOC packs it loads   (this repo)\n```\n\nEach detection lives **once** in `rules/`, carries a stable `id`, and is referenced from **packs** by that id. CI validates every change and builds flat, zipped packs plus an `index.json` catalog the engine can load directly.\n\n---\n\n## Load a pack in 60 seconds\n\n\u003e Need the engine first? Grab it from the **[Rustinel repo](https://github.com/Karib0u/rustinel)** — then come back here for real detections.\n\n**1. Download** the pack for your OS plus `index.json` from the [latest release](https://github.com/Karib0u/rustinel-rules/releases/latest), and unzip it:\n\n```bash\nunzip windows-essential-0.2.0.zip\n```\n\n**2. Point** `config.toml` at the unzipped pack — a pack folder *is* the directory Rustinel loads:\n\n```toml\n[scanner]\nsigma_rules_path = \"windows-essential/sigma\"\nyara_rules_path  = \"windows-essential/yara\"\n\n[ioc]\nhashes_path      = \"windows-essential/ioc/hashes.txt\"\nips_path         = \"windows-essential/ioc/ips.txt\"\ndomains_path     = \"windows-essential/ioc/domains.txt\"\npaths_regex_path = \"windows-essential/ioc/paths_regex.txt\"\n```\n\n**3. Confirm it works.** The Essential packs ship the **EICAR** test IOC set — drop a standard EICAR test file on disk and Rustinel raises an IOC alert in `logs/alerts.json.\u003cdate\u003e`.\n\n\u003e Packs are **cumulative**, so load **one** pack, not several. The exact paths for every pack are in each pack's `engine` block in `index.json`. Full reference: **[docs/usage.md](docs/usage.md)**.\n\n---\n\n## Packs\n\nHigher levels `extend` the one below, so rules are never duplicated:\n\n```text\nEssential  ⊂  Advanced  ⊂  Hunting\n```\n\n| Pack                  | Level     | Default | Description                                                          |\n| --------------------- | --------- | :-----: | -------------------------------------------------------------------- |\n| **Windows Essential** | essential |   ✅    | Low-noise, high-confidence Windows detections. Safe default.         |\n| **Windows Advanced**  | advanced  |   ❌    | Essential + broader production detections. More FPs may occur.       |\n| **Windows Hunting**   | hunting   |   ❌    | Advanced + broad/noisier hunting content for analysts.               |\n| **Linux Essential**   | essential |   ✅    | Low-noise, high-confidence Linux detections. Safe default.           |\n| **Linux Advanced**    | advanced  |   ❌    | Essential + broader Linux detections (persistence, exec).            |\n| **macOS Essential**   | essential |   ❌    | _Experimental._ Keychain theft, Gatekeeper bypass, cryptominers.     |\n| **macOS Advanced**    | advanced  |   ❌    | _Experimental._ Essential + launch-item persistence, cradles, exec.  |\n\n\u003e **macOS packs are experimental and post-v1** — not yet production-ready, so both ship `default: false`. See [docs/packs.md#macos](docs/packs.md#macos) for current limits.\n\nFull catalog and per-pack rule inventory: **[docs/packs.md](docs/packs.md)**.\n\n---\n\n## Versioning \u0026 compatibility\n\n`rustinel-rules` is versioned **independently** from the engine — detection content evolves faster. Each pack manifest declares the engine version it needs:\n\n```yaml\npack_schema_version: 2\nrequires_rustinel: \"\u003e=1.0.2\"\n```\n\nRelease artifacts ship zip packs, `index.json`, compatibility metadata, and a `sha256` per artifact.\n\n---\n\n## Develop\n\nBuild and validate packs locally with the pinned tooling ([uv](https://docs.astral.sh/uv/)):\n\n```bash\nuv sync                                 # install pinned tooling\nuv run python tools/validate.py         # Detection as Code: must pass\nuv run python tools/build_packs.py      # build dist/\u003cpack\u003e/ + zips + index.json\nuv run python tools/build_catalog.py    # build the website catalog (dist/catalog.json)\n```\n\n```text\nrustinel-rules/\n├── rules/            # Canonical source — each artifact exists ONCE\n│   ├── sigma/\u003cos\u003e/   # Sigma rules (.yml)\n│   ├── yara/\u003cos\u003e/    # YARA rules (.yar)\n│   └── ioc/\u003cos|common\u003e/  # Typed IOC sets (hashes / ips / domains / paths_regex)\n├── packs/            # Pack manifests — reference artifacts by id, never copy\n├── schemas/          # JSON Schema for pack.yml and IOC sets (v1)\n├── tools/            # Build + validation tooling\n├── tests/atomic/     # Atomic firing tests — run the engine on real Linux/Windows/macOS runners\n└── dist/             # Build output (gitignored): packs + zips + index.json\n```\n\nNew detections should be TTP/Atomic-based, mapped to ATT\u0026CK, and compatible with Rustinel telemetry. Start with **[docs/authoring.md](docs/authoring.md)** and **[CONTRIBUTING.md](CONTRIBUTING.md)**.\n\n---\n\n## Guiding principles\n\n- Start small — a few proven detections beat many noisy ones.\n- Keep Essential strict and low-FP; no noisy defaults.\n- Each rule lives once; packs reference it by id.\n- Keep Rustinel usable out of the box, with quality made visible through CI.\n- Prefer TTP / telemetry-based curation; use CTI to **prioritize**, not to bulk-import.\n\n---\n\n## Documentation\n\n| Doc | What's inside |\n| --- | ------------- |\n| **[docs/index.md](docs/index.md)** | Documentation map / start here |\n| **[docs/usage.md](docs/usage.md)** | Installing packs and the `config.toml` reference |\n| **[docs/packs.md](docs/packs.md)** | Pack catalog and the full rule inventory |\n| **[docs/rustinel-support.md](docs/rustinel-support.md)** | What Rustinel supports: telemetry, fields, Sigma operators, YARA, IOC |\n| **[docs/authoring.md](docs/authoring.md)** | Writing rules that load and fire on Rustinel |\n| **[docs/repository.md](docs/repository.md)** | Artifact model, packs, and the build pipeline |\n| **[docs/detection-as-code.md](docs/detection-as-code.md)** | CI checks and the dynamic-testing policy |\n\n---\n\n## License\n\nSee [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkarib0u%2Frustinel-rules","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fkarib0u%2Frustinel-rules","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fkarib0u%2Frustinel-rules/lists"}