Official, curated detection content for the Rustinel endpoint detection engine.
Ready-to-load Sigma · YARA · IOC packs — no glue, no conversion step.
This is the trusted, versioned, and CI-tested detection-content repository for Rustinel.
rustinel → the engine that collects telemetry and evaluates rules
rustinel-rules → the Sigma / YARA / IOC packs it loads (this repo)
Each detection lives once in rules/, carries a stable id, and is referenced from packs by that id. CI validates every change and builds flat, zipped packs plus an index.json catalog the engine can load directly.
Need the engine first? Grab it from the Rustinel repo — then come back here for real detections.
1. Download the pack for your OS plus index.json from the latest release, and unzip it:

```sh
unzip windows-essential-0.2.0.zip
```

2. Point config.toml at the unzipped pack (a pack folder is the directory Rustinel loads):

```toml
[scanner]
sigma_rules_path = "windows-essential/rules/sigma"
yara_rules_path = "windows-essential/rules/yara"

[ioc]
hashes_path = "windows-essential/rules/ioc/hashes.txt"
ips_path = "windows-essential/rules/ioc/ips.txt"
domains_path = "windows-essential/rules/ioc/domains.txt"
paths_regex_path = "windows-essential/rules/ioc/paths_regex.txt"
```

3. Confirm it works. The Essential packs ship the EICAR test IOC set: drop a standard EICAR test file on disk and Rustinel raises an IOC alert in logs/alerts.json.<date>.
Packs are cumulative, so load one pack, not several. The exact paths for every pack are listed in that pack's engine block in index.json. Full reference: docs/usage.md.
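To see what step 3 above is exercising, here is an added example (not Rustinel's own IOC engine, whose real file formats and event schema are in docs/rustinel-support.md) that loads the four typed IOC sets from constructed text and runs a few constructed events through them. It assumes one indicator per line with `#` comments, lowercase hex SHA-256 hashes, and Python-style regexes in paths_regex; the event dict keys (`sha256`, `ip`, `domain`, `path`) are likewise assumptions for the illustration.

```python
"""Added example: a typed-IOC matcher over the hashes / ips / domains / paths_regex
sets that a pack ships. Not Rustinel code; formats and event keys are assumed.
"""
import re
from dataclasses import dataclass

# Constructed IOC sets standing in for hashes.txt / ips.txt / domains.txt / paths_regex.txt.
HASHES_TXT = """\
# constructed indicator (sha256 of the string "test"), not a real malware hash
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
"""
IPS_TXT = "203.0.113.45\n198.51.100.7\n"          # TEST-NET addresses, constructed
DOMAINS_TXT = "bad.example\nc2.example.net\n"      # reserved example domains, constructed
PATHS_REGEX_TXT = r"""
# screensaver dropped into the user temp dir (Windows) or a hidden /tmp stager (Linux)
(?i)\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\]+\.scr$
^/tmp/\.[a-z0-9]{8}/[a-z]+$
"""


def parse_lines(text):
    """One indicator per line; blank lines and '#' comments are skipped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


@dataclass
class IocSet:
    hashes: set
    ips: set
    domains: set
    path_patterns: list

    @classmethod
    def load(cls, hashes, ips, domains, paths_regex):
        return cls(
            hashes={h.lower() for h in parse_lines(hashes)},
            ips=set(parse_lines(ips)),
            domains={d.lower().rstrip(".") for d in parse_lines(domains)},
            path_patterns=[re.compile(p) for p in parse_lines(paths_regex)],
        )

    def match(self, event):
        """Return (ioc_type, indicator) hits for one event, in a fixed order."""
        hits = []
        h = event.get("sha256")
        if h and h.lower() in self.hashes:
            hits.append(("hash", h.lower()))
        ip = event.get("ip")
        if ip in self.ips:
            hits.append(("ip", ip))
        dom = event.get("domain")
        if dom:
            dom = dom.lower().rstrip(".")          # normalise case and trailing dot
            for d in sorted(self.domains):
                if dom == d or dom.endswith("." + d):   # exact or subdomain match
                    hits.append(("domain", d))
        path = event.get("path")
        if path:
            for pat in self.path_patterns:
                if pat.search(path):
                    hits.append(("path_regex", pat.pattern))
        return hits


# Constructed telemetry events: two should alert, the third is benign.
SAMPLE_EVENTS = [
    {"event": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\update.scr",
     "sha256": "9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08"},
    {"event": "dns", "domain": "api.c2.example.net."},
    {"event": "connect", "ip": "192.0.2.10"},
]


def scan(ioc, events):
    """Flatten hits into alert records, one per (event, indicator)."""
    return [{"event": ev["event"], "ioc_type": t, "indicator": i}
            for ev in events for t, i in ioc.match(ev)]


if __name__ == "__main__":
    for alert in scan(IocSet.load(HASHES_TXT, IPS_TXT, DOMAINS_TXT, PATHS_REGEX_TXT), SAMPLE_EVENTS):
        print(alert)
```

The hash set is matched case-insensitively and the domain set matches subdomains, which is what you normally want from a blocklist; if your IOC source lists exact FQDNs only, drop the `endswith` branch.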
Higher levels extend the one below, so rules are never duplicated:
Essential ⊂ Advanced ⊂ Hunting
| Pack | Level | Default | Description |
|---|---|---|---|
| Windows Essential | essential | ✅ | Low-noise, high-confidence Windows detections. Safe default. |
| Windows Advanced | advanced | ❌ | Essential + broader production detections. More FPs may occur. |
| Windows Hunting | hunting | ❌ | Advanced + broad/noisier hunting content for analysts. |
| Linux Essential | essential | ✅ | Low-noise, high-confidence Linux detections. Safe default. |
| Linux Advanced | advanced | ❌ | Essential + broader Linux detections (persistence, exec). |
| macOS Essential | essential | ❌ | Experimental. Keychain theft, Gatekeeper bypass, cryptominers. |
| macOS Advanced | advanced | ❌ | Experimental. Essential + launch-item persistence, cradles, exec. |
macOS packs are experimental and post-v1 — not yet production-ready, so both ship
default: false. See docs/packs.md#macos for current limits.
Full catalog and per-pack rule inventory: docs/packs.md.
rustinel-rules is versioned independently from the engine — detection content evolves faster. Each pack manifest declares the engine version it needs:
```yaml
pack_schema_version: 1
requires_rustinel: ">=1.0.2"
```

Release artifacts ship zip packs, index.json, compatibility metadata, and a sha256 per artifact.
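The two facts above (a published sha256 per artifact, and a requires_rustinel constraint in each manifest) are what a loader should gate on before trusting a pack. The following is an added example, not code from rustinel-rules or the engine, of both checks run offline on a constructed artifact. It assumes the digests ship as sha256sum-style lines ("<hex>  <filename>") and that requires_rustinel is a comma-separated list of `>=`, `>`, `<=`, `<`, `==`, `!=` clauses on dotted numeric versions; the real digest format and constraint grammar are the project's to define.

```python
"""Added example: verify a release artifact's sha256 and evaluate a
requires_rustinel constraint. Digest file format and constraint grammar are assumed.
"""
import hashlib
import hmac
import os
import re
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large zips do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sha256sums(text):
    """'<hex>  <name>' lines -> {name: hex}; tolerates the '*' binary marker."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{64})\s+\*?(\S.*?)\s*$", line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def verify_artifact(path, sums):
    """Raise ValueError unless the file's digest equals the published one."""
    name = os.path.basename(path)
    expected = sums.get(name)
    if expected is None:
        raise ValueError(f"no published digest for {name}")
    actual = sha256_file(path)
    # Constant-time compare is not required for a public digest, but costs nothing.
    if not hmac.compare_digest(actual, expected):
        raise ValueError(f"digest mismatch for {name}: {actual} != {expected}")
    return actual


_OPS = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_version(s, width=3):
    """'1.0.2' -> (1, 0, 2); short forms are zero-padded so '1.0' equals '1.0.0'."""
    parts = tuple(int(x) for x in s.strip().split("."))
    return parts + (0,) * (width - len(parts))


def satisfies(requires, engine_version):
    """True if engine_version meets every clause, e.g. ">=1.0.2, <2.0.0"."""
    ev = parse_version(engine_version)
    for clause in requires.split(","):
        m = re.fullmatch(r"\s*(>=|<=|==|!=|>|<)\s*(\d+(?:\.\d+)*)\s*", clause)
        if not m:
            raise ValueError(f"unparseable constraint: {clause!r}")
        op, ver = m.groups()
        if not _OPS[op](ev, parse_version(ver)):
            return False
    return True


def demo():
    """Offline walk-through on a constructed artifact; returns (verified, tamper_caught)."""
    with tempfile.TemporaryDirectory() as d:
        name = "windows-essential-0.2.0.zip"
        zip_path = os.path.join(d, name)
        with open(zip_path, "wb") as f:
            f.write(b"constructed bytes standing in for a pack zip\n")
        # The digest line as a publisher would ship it beside the artifact.
        sums = parse_sha256sums(f"{sha256_file(zip_path)}  {name}\n")
        verified = verify_artifact(zip_path, sums) == sums[name]
        with open(zip_path, "ab") as f:            # simulate a modified download
            f.write(b"tampered\n")
        try:
            verify_artifact(zip_path, sums)
            tamper_caught = False
        except ValueError:
            tamper_caught = True
    return verified, tamper_caught


if __name__ == "__main__":
    print(demo(), satisfies(">=1.0.2", "1.0.2"), satisfies(">=1.0.2", "1.0.1"))
```

Check the digest before unzipping, and fail closed on a missing digest as well as a mismatch; a pack whose constraint the running engine does not satisfy should be rejected at load time, not discovered later when rules silently fail to parse.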
Build and validate packs locally with the pinned tooling (uv):

```sh
uv sync                                # install pinned tooling
uv run python tools/validate.py        # Detection as Code: must pass
uv run python tools/build_packs.py     # build dist/<pack>/ + zips + index.json
uv run python tools/build_catalog.py   # build the website catalog (dist/catalog.json)
```

Repository layout:

```text
rustinel-rules/
├── rules/                 # Canonical source — each artifact exists ONCE
│   ├── sigma/<os>/        # Sigma rules (.yml)
│   ├── yara/<os>/         # YARA rules (.yar)
│   └── ioc/<os|common>/   # Typed IOC sets (hashes / ips / domains / paths_regex)
├── packs/                 # Pack manifests — reference artifacts by id, never copy
├── schemas/               # JSON Schema for pack.yml and IOC sets (v1)
├── tools/                 # Build + validation tooling
└── dist/                  # Build output (gitignored): packs + zips + index.json
```
New detections should be TTP/Atomic-based, mapped to ATT&CK, and compatible with Rustinel telemetry. Start with docs/authoring.md and CONTRIBUTING.md.
- Start small — a few proven detections beat many noisy ones.
- Keep Essential strict and low-FP; no noisy defaults.
- Each rule lives once; packs reference it by id.
- Keep Rustinel usable out of the box, with quality made visible through CI.
- Prefer TTP / telemetry-based curation; use CTI to prioritize, not to bulk-import.
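The invariants spelled out above and earlier on this page (each detection exists once with a stable id, packs reference ids rather than copy rules, and Essential ⊂ Advanced ⊂ Hunting) are exactly what a pre-merge check has to enforce. The following is an added example of such a check over constructed in-memory data; it is not the project's tools/validate.py, and the manifest shape it assumes (`name`, `os`, `level`, `default`, `rules` as a list of ids) is an illustration rather than the real schema in schemas/.

```python
"""Added example: validate detection ids and pack manifests against the three
README invariants. Not the project's validator; manifest shape is assumed.
"""
from collections import Counter

LEVEL_ORDER = ["essential", "advanced", "hunting"]

# Constructed inventory of what rules/ would contain: (id, kind, os)
RULES = [
    ("win-sigma-0001", "sigma", "windows"),
    ("win-sigma-0002", "sigma", "windows"),
    ("win-yara-0001", "yara", "windows"),
    ("common-ioc-eicar", "ioc", "common"),
    ("lnx-sigma-0001", "sigma", "linux"),
]

# Constructed manifests; two of them deliberately violate the invariants.
PACKS = [
    {"name": "Windows Essential", "os": "windows", "level": "essential", "default": True,
     "rules": ["win-sigma-0001", "common-ioc-eicar"]},
    {"name": "Windows Advanced", "os": "windows", "level": "advanced", "default": False,
     "rules": ["win-sigma-0001", "win-sigma-0002", "common-ioc-eicar"]},
    # Hunting drops win-sigma-0001, so Advanced is no longer a subset of it.
    {"name": "Windows Hunting", "os": "windows", "level": "hunting", "default": False,
     "rules": ["win-sigma-0002", "win-yara-0001", "common-ioc-eicar"]},
    # References an id that does not exist in rules/.
    {"name": "Linux Essential", "os": "linux", "level": "essential", "default": True,
     "rules": ["lnx-sigma-0001", "lnx-sigma-9999"]},
]


def validate(rules, packs):
    """Return human-readable problems; an empty list means the content is consistent."""
    problems = []

    # 1. Each artifact exists once: ids must be unique across rules/.
    ids = [rid for rid, _kind, _os in rules]
    for rid, n in sorted(Counter(ids).items()):
        if n > 1:
            problems.append(f"duplicate id {rid} appears {n} times")
    known = set(ids)

    # 2. Packs reference ids, never copy: every reference must resolve, once.
    by_os = {}
    for p in packs:
        if p["level"] not in LEVEL_ORDER:
            problems.append(f"{p['name']}: unknown level {p['level']!r}")
            continue
        for rid in p["rules"]:
            if rid not in known:
                problems.append(f"{p['name']}: unknown rule id {rid}")
        if len(set(p["rules"])) != len(p["rules"]):
            problems.append(f"{p['name']}: references the same id more than once")
        by_os.setdefault(p["os"], {})[p["level"]] = set(p["rules"])

    # 3. Levels are cumulative per OS: the lower level must be contained in the next.
    for os_name, levels in sorted(by_os.items()):
        for lower, upper in zip(LEVEL_ORDER, LEVEL_ORDER[1:]):
            if lower in levels and upper in levels:
                for rid in sorted(levels[lower] - levels[upper]):
                    problems.append(f"{os_name}/{upper} drops {rid} present in {lower}")
    return problems


if __name__ == "__main__":
    for problem in validate(RULES, PACKS) or ["ok"]:
        print(problem)
```

Run against the real trees this would walk rules/ for ids and packs/ for manifests; the point of keeping the checks as a list of problems rather than a first-failure exception is that CI can report every violation in one pass.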
| Doc | What's inside |
|---|---|
| docs/index.md | Documentation map / start here |
| docs/usage.md | Installing packs and the config.toml reference |
| docs/packs.md | Pack catalog and the full rule inventory |
| docs/rustinel-support.md | What Rustinel supports: telemetry, fields, Sigma operators, YARA, IOC |
| docs/authoring.md | Writing rules that load and fire on Rustinel |
| docs/repository.md | Artifact model, packs, and the build pipeline |
| docs/detection-as-code.md | CI checks and the dynamic-testing policy |
See LICENSE.
