
https://github.com/karib0u/rustinel-rules

Official, curated detection content (Sigma, YARA, IOC packs) for the Rustinel endpoint detection engine.

blue-team detection-as-code detection-engineering edr incident-response ioc mitre-attack rustinel security sigma threat-detection yara



README


# rustinel-rules


Official, curated detection content for the Rustinel endpoint detection engine.

Ready-to-load Sigma · YARA · IOC packs — no glue, no conversion step.


Validate · Detection as Code · Sigma · YARA · IOC · Engine: Rustinel · License: DRL 1.1

Rustinel engine · Documentation · Pack catalog · Download packs

This is the **trusted, versioned, and CI-tested** detection-content repository for Rustinel.

```text
rustinel → the engine that collects telemetry and evaluates rules
rustinel-rules → the Sigma / YARA / IOC packs it loads (this repo)
```

Each detection lives **once** in `rules/`, carries a stable `id`, and is referenced from **packs** by that id. CI validates every change and builds flat, zipped packs plus an `index.json` catalog the engine can load directly.

---

## Load a pack in 60 seconds

> Need the engine first? Grab it from the **[Rustinel repo](https://github.com/Karib0u/rustinel)** — then come back here for real detections.

**1. Download** the pack for your OS plus `index.json` from the [latest release](https://github.com/Karib0u/rustinel-rules/releases/latest), and unzip it:

```bash
unzip windows-essential-0.2.0.zip
```

**2. Point** `config.toml` at the unzipped pack — a pack folder *is* the directory Rustinel loads:

```toml
[scanner]
sigma_rules_path = "windows-essential/sigma"
yara_rules_path = "windows-essential/yara"

[ioc]
hashes_path = "windows-essential/ioc/hashes.txt"
ips_path = "windows-essential/ioc/ips.txt"
domains_path = "windows-essential/ioc/domains.txt"
paths_regex_path = "windows-essential/ioc/paths_regex.txt"
```

**3. Confirm it works.** The Essential packs ship the **EICAR** test IOC set — drop a standard EICAR test file on disk and Rustinel raises an IOC alert in `logs/alerts.json`.

> Packs are **cumulative**, so load **one** pack, not several. The exact paths for every pack are in each pack's `engine` block in `index.json`. Full reference: **[docs/usage.md](docs/usage.md)**.

---

## Packs

Higher levels `extend` the one below, so rules are never duplicated:

```text
Essential ⊂ Advanced ⊂ Hunting
```

| Pack | Level | Default | Description |
| --------------------- | --------- | :-----: | -------------------------------------------------------------------- |
| **Windows Essential** | essential | ✅ | Low-noise, high-confidence Windows detections. Safe default. |
| **Windows Advanced** | advanced | ❌ | Essential + broader production detections. More FPs may occur. |
| **Windows Hunting** | hunting | ❌ | Advanced + broad/noisier hunting content for analysts. |
| **Linux Essential** | essential | ✅ | Low-noise, high-confidence Linux detections. Safe default. |
| **Linux Advanced** | advanced | ❌ | Essential + broader Linux detections (persistence, exec). |
| **macOS Essential** | essential | ❌ | _Experimental._ Keychain theft, Gatekeeper bypass, cryptominers. |
| **macOS Advanced** | advanced | ❌ | _Experimental._ Essential + launch-item persistence, cradles, exec. |

> **macOS packs are experimental and post-v1** — not yet production-ready, so both ship `default: false`. See [docs/packs.md#macos](docs/packs.md#macos) for current limits.

Full catalog and per-pack rule inventory: **[docs/packs.md](docs/packs.md)**.
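To make the `extend` chain and the "each rule lives once" invariant concrete, here is an added Python example (not code from rustinel-rules or its `tools/validate.py`) that resolves a pack's effective rule set and rejects what a CI check should reject: an unknown pack, a cycle in `extend`, an id that does not exist in `rules/`, and an id referenced by two packs in the same chain. The manifest shape (per-kind id lists under `sigma` and `yara`) and every rule id below are constructed assumptions; the README only names the `extend` and `default` keys.

```python
"""Resolve a pack through its `extend` chain (added example, not rustinel-rules code)."""
from __future__ import annotations

# Constructed stand-in for rules/: every canonical artifact id exists exactly once.
# (All ids are made up for this example.)
RULES = {
    "sigma": {"win-lsass-access", "win-schtask-create", "win-wmi-spawn", "win-ps-encoded"},
    "yara": {"eicar-test-string", "generic-download-cradle"},
}

# Constructed pack manifests. Only `extend` and `default` are keys the README
# names; the per-kind id lists are an assumed shape used for illustration.
PACKS = {
    "windows-essential": {"extend": None, "default": True,
                          "sigma": ["win-lsass-access"], "yara": ["eicar-test-string"]},
    "windows-advanced": {"extend": "windows-essential", "default": False,
                         "sigma": ["win-schtask-create", "win-wmi-spawn"], "yara": []},
    "windows-hunting": {"extend": "windows-advanced", "default": False,
                        "sigma": ["win-ps-encoded"], "yara": ["generic-download-cradle"]},
}


def extend_chain(name: str, packs: dict) -> list[str]:
    """Return [name, parent, grandparent, ...], failing on unknown packs or cycles."""
    chain: list[str] = []
    cur: str | None = name
    while cur is not None:
        if cur in chain:
            raise ValueError(f"extend cycle: {' -> '.join(chain + [cur])}")
        if cur not in packs:
            raise ValueError(f"unknown pack {cur!r}")
        chain.append(cur)
        cur = packs[cur].get("extend")
    return chain


def resolve_pack(name: str, packs: dict = PACKS, rules: dict = RULES) -> dict[str, set[str]]:
    """Effective rule ids per kind for `name`, including everything it inherits.

    Enforces the repo invariants: each id must exist in `rules`, and no id may
    be referenced by more than one pack in the chain (rules are never duplicated).
    """
    effective: dict[str, set[str]] = {kind: set() for kind in rules}
    owner: dict[str, str] = {}  # rule id -> pack that references it
    for pack in reversed(extend_chain(name, packs)):  # base level first
        for kind in rules:
            for rid in packs[pack].get(kind, []):
                if rid not in rules[kind]:
                    raise ValueError(f"{pack}: unknown {kind} id {rid!r}")
                if rid in owner:
                    raise ValueError(f"{rid!r} referenced by both {owner[rid]} and {pack}")
                owner[rid] = pack
                effective[kind].add(rid)
    return effective


def validate_all(packs: dict = PACKS, rules: dict = RULES) -> list[str]:
    """CI-style pass: resolve every pack and collect the errors instead of stopping."""
    errors: list[str] = []
    for name in packs:
        try:
            resolve_pack(name, packs, rules)
        except ValueError as exc:
            errors.append(str(exc))
    return errors


if __name__ == "__main__":
    for pack_name in PACKS:
        resolved = resolve_pack(pack_name)
        print(f"{pack_name}: {len(resolved['sigma'])} sigma, {len(resolved['yara'])} yara")
    print("errors:", validate_all())
```

Because the chain is walked base-first, the Essential set is always a subset of Advanced, which is a subset of Hunting, which is the `Essential ⊂ Advanced ⊂ Hunting` relationship stated above.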

---

## Versioning & compatibility

`rustinel-rules` is versioned **independently** from the engine — detection content evolves faster. Each pack manifest declares the engine version it needs:

```yaml
pack_schema_version: 2
requires_rustinel: ">=1.0.2"
```

Release artifacts ship zip packs, `index.json`, compatibility metadata, and a `sha256` per artifact.
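The two pieces of release metadata named here, `requires_rustinel` and the per-artifact `sha256`, are exactly what a loader should check before trusting a downloaded pack. The following Python is an added example (not the engine's own loader) that evaluates a version requirement against the running engine version and verifies an artifact's digest in constant time. The `index.json`-style entry and the sample artifact bytes are constructed assumptions; the only requirement syntax the page shows is `">=1.0.2"`, and the comma-separated multi-clause form is an extension added for illustration.

```python
"""Pre-load checks for a downloaded pack (added example, not Rustinel code)."""
import hashlib
import hmac
import re

_CLAUSE = re.compile(r"\s*(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)\s*")
_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}


def parse_version(text: str, width: int = 3) -> tuple:
    """'1.0.2' -> (1, 0, 2); shorter strings are zero-padded so '1.0' equals '1.0.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) > width:
        raise ValueError(f"too many components in {text!r}")
    return tuple(parts + [0] * (width - len(parts)))


def satisfies(engine_version: str, requirement: str) -> bool:
    """True if every comma-separated clause (e.g. '>=1.0.2, <2.0.0') holds."""
    engine = parse_version(engine_version)
    for clause in requirement.split(","):
        m = _CLAUSE.fullmatch(clause)
        if m is None:
            raise ValueError(f"malformed requirement clause {clause!r}")
        op, ver = m.groups()
        if not _OPS[op](engine, parse_version(ver)):
            return False
    return True


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the artifact digest against the published value."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def check_pack(engine_version: str, entry: dict, artifact: bytes) -> list:
    """Return the reasons the pack must NOT be loaded (empty list means it is safe to load).

    `entry` is an assumed index-like record carrying `requires_rustinel` and `sha256`.
    """
    problems = []
    if not satisfies(engine_version, entry["requires_rustinel"]):
        problems.append(f"engine {engine_version} does not satisfy {entry['requires_rustinel']}")
    if not verify_sha256(artifact, entry["sha256"]):
        problems.append("sha256 mismatch: artifact is corrupt or was tampered with")
    return problems


# Constructed fixture: the bytes stand in for a downloaded zip, and the digest is the
# real SHA-256 of those bytes (the value a release would publish next to the zip).
SAMPLE_ARTIFACT = b"abc"
SAMPLE_ENTRY = {
    "name": "windows-essential",
    "requires_rustinel": ">=1.0.2",
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
}

if __name__ == "__main__":
    print(check_pack("1.0.2", SAMPLE_ENTRY, SAMPLE_ARTIFACT))          # []
    print(check_pack("1.0.1", SAMPLE_ENTRY, SAMPLE_ARTIFACT))          # version problem
    print(check_pack("1.0.2", SAMPLE_ENTRY, SAMPLE_ARTIFACT + b"x"))   # digest problem
```

Refusing to load on a digest mismatch is the point: a pack directory is loaded straight into the engine, so a modified zip is effectively modified detection logic.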

---

## Develop

Build and validate packs locally with the pinned tooling ([uv](https://docs.astral.sh/uv/)):

```bash
uv sync # install pinned tooling
uv run python tools/validate.py # Detection as Code: must pass
uv run python tools/build_packs.py # build dist// + zips + index.json
uv run python tools/build_catalog.py # build the website catalog (dist/catalog.json)
```

```text
rustinel-rules/
├── rules/ # Canonical source — each artifact exists ONCE
│ ├── sigma// # Sigma rules (.yml)
│ ├── yara// # YARA rules (.yar)
│ └── ioc// # Typed IOC sets (hashes / ips / domains / paths_regex)
├── packs/ # Pack manifests — reference artifacts by id, never copy
├── schemas/ # JSON Schema for pack.yml and IOC sets (v1)
├── tools/ # Build + validation tooling
├── tests/atomic/ # Atomic firing tests — run the engine on real Linux/Windows/macOS runners
└── dist/ # Build output (gitignored): packs + zips + index.json
```

New detections should be TTP/Atomic-based, mapped to ATT&CK, and compatible with Rustinel telemetry. Start with **[docs/authoring.md](docs/authoring.md)** and **[CONTRIBUTING.md](CONTRIBUTING.md)**.

---

## Guiding principles

- Start small — a few proven detections beat many noisy ones.
- Keep Essential strict and low-FP; no noisy defaults.
- Each rule lives once; packs reference it by id.
- Keep Rustinel usable out of the box, with quality made visible through CI.
- Prefer TTP / telemetry-based curation; use CTI to **prioritize**, not to bulk-import.

---

## Documentation

| Doc | What's inside |
| --- | ------------- |
| **[docs/index.md](docs/index.md)** | Documentation map / start here |
| **[docs/usage.md](docs/usage.md)** | Installing packs and the `config.toml` reference |
| **[docs/packs.md](docs/packs.md)** | Pack catalog and the full rule inventory |
| **[docs/rustinel-support.md](docs/rustinel-support.md)** | What Rustinel supports: telemetry, fields, Sigma operators, YARA, IOC |
| **[docs/authoring.md](docs/authoring.md)** | Writing rules that load and fire on Rustinel |
| **[docs/repository.md](docs/repository.md)** | Artifact model, packs, and the build pipeline |
| **[docs/detection-as-code.md](docs/detection-as-code.md)** | CI checks and the dynamic-testing policy |

---

## License

See [LICENSE](LICENSE).