pack.yml schema standartization

README.md

@@ -49,14 +49,14 @@ unzip windows-essential-0.2.0.zip
 
 ```toml
 [scanner]
-sigma_rules_path = "windows-essential/rules/sigma"
-yara_rules_path  = "windows-essential/rules/yara"
+sigma_rules_path = "windows-essential/sigma"
+yara_rules_path  = "windows-essential/yara"
 
 [ioc]
-hashes_path      = "windows-essential/rules/ioc/hashes.txt"
-ips_path         = "windows-essential/rules/ioc/ips.txt"
-domains_path     = "windows-essential/rules/ioc/domains.txt"
-paths_regex_path = "windows-essential/rules/ioc/paths_regex.txt"
+hashes_path      = "windows-essential/ioc/hashes.txt"
+ips_path         = "windows-essential/ioc/ips.txt"
+domains_path     = "windows-essential/ioc/domains.txt"
+paths_regex_path = "windows-essential/ioc/paths_regex.txt"
 ```
 
 **3. Confirm it works.** The Essential packs ship the **EICAR** test IOC set — drop a standard EICAR test file on disk and Rustinel raises an IOC alert in `logs/alerts.json.<date>`.
@@ -94,7 +94,7 @@ Full catalog and per-pack rule inventory: **[docs/packs.md](docs/packs.md)**.
 `rustinel-rules` is versioned **independently** from the engine — detection content evolves faster. Each pack manifest declares the engine version it needs:
 
 ```yaml
-pack_schema_version: 1
+pack_schema_version: 2
 requires_rustinel: ">=1.0.2"
 ```
 

docs/authoring.md

@@ -93,7 +93,9 @@ Then add the `id` to a pack, e.g. `packs/windows/essential/pack.yml`:
 
 ```yaml
 rules:
-  - 7f3a1c2e-4b5d-4e6f-8a90-1b2c3d4e5f60   # Suspicious Encoded PowerShell Command Line
+  has:
+    sigma:
+      - 7f3a1c2e-4b5d-4e6f-8a90-1b2c3d4e5f60   # Suspicious Encoded PowerShell Command Line
 ```
 
 ---

docs/packs.md

@@ -18,7 +18,7 @@ Essential  ⊂  Advanced  ⊂  Hunting
 | [macOS Essential](#macos-essential) | essential | ❌ | low | experimental |
 | [macOS Advanced](#macos-advanced) | advanced | ❌ | medium | experimental |
 
-> All packs declare `requires_rustinel: ">=1.0.2"`, `pack_schema_version: 1`, and license
+> All packs declare `pack_schema_version: 2`, `requires_rustinel: ">=1.0.2"`, and license
 > `DRL-1.1`. `status: experimental` reflects the early state of v1 content — expect curation to
 > tighten as coverage grows.
 

docs/repository.md

@@ -53,9 +53,11 @@ Key manifest fields:
 | `id` / `name` | Stable id (`^[a-z0-9]+(-[a-z0-9]+)*$`) and human name. |
 | `os` | `windows` \| `linux` \| `macos`. |
 | `level` | `essential` \| `advanced` \| `hunting`. |
+| `pack_schema_version` | Required pack manifest schema version (must be `2`). |
 | `default` | Whether this pack is enabled by default. |
 | `extends` | Pack ids cumulatively included (rules merged, never duplicated). |
-| `rules` | Artifact ids added by *this* pack. |
+| `rules` | Optional dictionary specifying rules directly in this pack (`has`), or rules to include (`includes`) / exclude (`excludes`) from extended packs or automatic sources. |
+| `sources` | Optional dictionary of upstream sources categorized by type (`manual`, `sigma`, `yara`). |
 | `requires_rustinel` | Engine version constraint, e.g. `">=1.0.2"`. |
 | `attack_coverage` | ATT&CK technique ids covered (drift-checked against members). |
 | `telemetry_requirements` | Rustinel telemetry channels the pack needs. |
@@ -82,18 +84,17 @@ dist/
 ├── catalog.json                     # Website catalog: rules, ATT&CK techniques, packs
 ├── windows-essential/               # Materialized flat pack folder (engine drop-in)
 │   ├── pack.yml                      # Cleaned manifest + build metadata (version, counts)
-│   └── rules/
-│       ├── sigma/                    # .yml  -> scanner.sigma_rules_path
-│       ├── yara/                     # .yar  -> scanner.yara_rules_path
-│       └── ioc/                      # hashes.txt / ips.txt / domains.txt / paths_regex.txt
+│   ├── sigma/                        # .yml  -> scanner.sigma_rules_path
+│   ├── yara/                         # .yar  -> scanner.yara_rules_path
+│   └── ioc/                          # hashes.txt / ips.txt / domains.txt / paths_regex.txt
 ├── windows-essential-<version>.zip   # Rustinel-compatible artifact
 └── ...
 ```
 
 What the build does for each pack:
 
-1. **Resolves** the cumulative rule list (`extends` + `rules`, de-duplicated).
-2. **Copies** each Sigma/YARA file into the flat `rules/sigma` and `rules/yara` folders.
+1. **Resolves** the cumulative rule list (`extends` + `rules` with `has`/`includes`/`excludes` or pack subfolders, de-duplicated).
+2. **Copies** each Sigma/YARA file into the flat `sigma` and `yara` folders.
 3. **Flattens** every referenced IOC set into the four per-type files in `VALUE;COMMENT` format,
    prefixing each line with its source set id (`[ioc-…]`) so provenance survives into alerts.
 4. **Writes** a cleaned `pack.yml` with build metadata and zips the folder.
@@ -131,12 +132,12 @@ automatically:
   "sha256": "…",
   "artifact": "windows-essential-0.2.0.zip",
   "engine": {
-    "sigma_rules_path": "windows-essential/rules/sigma",
-    "yara_rules_path": "windows-essential/rules/yara",
-    "hashes_path": "windows-essential/rules/ioc/hashes.txt",
-    "ips_path": "windows-essential/rules/ioc/ips.txt",
-    "domains_path": "windows-essential/rules/ioc/domains.txt",
-    "paths_regex_path": "windows-essential/rules/ioc/paths_regex.txt"
+    "sigma_rules_path": "windows-essential/sigma",
+    "yara_rules_path": "windows-essential/yara",
+    "hashes_path": "windows-essential/ioc/hashes.txt",
+    "ips_path": "windows-essential/ioc/ips.txt",
+    "domains_path": "windows-essential/ioc/domains.txt",
+    "paths_regex_path": "windows-essential/ioc/paths_regex.txt"
   }
 }
 ```

docs/usage.md

@@ -18,11 +18,13 @@ dist/
 ├── index.json
 ├── windows-essential/            # <- drop-in folder
 │   ├── pack.yml
-│   └── rules/{sigma,yara,ioc}/
-└── windows-essential-0.2.0.zip   # <- distributable artifact
+│   ├── sigma/
+│   ├── yara/
+│   └── ioc/
+└── windows-essential-0.1.0.zip   # <- distributable artifact
 ```
 
-Pass `--version X.Y.Z` to `build_packs.py` to stamp a release version (default `0.2.0`).
+Pass `--version X.Y.Z` to `build_packs.py` to stamp a release version (default `0.1.0`).
 
 ## 2. Point `config.toml` at the pack
 
@@ -32,16 +34,16 @@ Use the paths from the pack's `engine` block in `dist/index.json` (shown here fo
 ```toml
 [scanner]
 sigma_enabled    = true
-sigma_rules_path = "windows-essential/rules/sigma"
+sigma_rules_path = "windows-essential/sigma"
 yara_enabled     = true
-yara_rules_path  = "windows-essential/rules/yara"
+yara_rules_path  = "windows-essential/yara"
 
 [ioc]
 enabled          = true
-hashes_path      = "windows-essential/rules/ioc/hashes.txt"
-ips_path         = "windows-essential/rules/ioc/ips.txt"
-domains_path     = "windows-essential/rules/ioc/domains.txt"
-paths_regex_path = "windows-essential/rules/ioc/paths_regex.txt"
+hashes_path      = "windows-essential/ioc/hashes.txt"
+ips_path         = "windows-essential/ioc/ips.txt"
+domains_path     = "windows-essential/ioc/domains.txt"
+paths_regex_path = "windows-essential/ioc/paths_regex.txt"
 ```
 
 > Swap `windows-essential` for any other pack id (`windows-advanced`, `linux-essential`, …). Because
@@ -67,11 +69,8 @@ Rebuild a pack into the same location and the engine picks it up without a resta
 
 ## `config.toml` reference (rule-relevant sections)
 
-This is the pack-installer's subset of the engine config — only the keys that affect loading and
-matching detection content. The **full, canonical reference** (logging, alerts, network
-aggregation, every default) lives in the engine docs:
-[Configuration](https://docs.rustinel.io/configuration/). Defaults shown here are the engine
-defaults; only the paths above are required to load a pack, the rest are tuning knobs.
+Defaults shown are the engine defaults. Only the paths above are required to load a pack; the rest
+are tuning knobs.
 
 ### `[scanner]` — Sigma & YARA
 
@@ -115,7 +114,6 @@ defaults; only the paths above are required to load a pack, the rest are tuning
 | --- | ------- | ------- |
 | `paths` | OS-shipped dirs (e.g. `C:\Windows\`, `/usr/bin/`, `/System/`) | Trusted prefixes applied to YARA, hash IOC, and response. Per-module allowlists fall back to this. |
 
-<a id="active-response"></a>
 ### `[response]` — optional active response
 
 | Key | Default | Meaning |
@@ -145,3 +143,4 @@ defaults; only the paths above are required to load a pack, the rest are tuning
 
 For the engine itself (install, run as a service/daemon, telemetry setup), see the
 [Rustinel documentation](https://docs.rustinel.io/).
+</content>

packs/linux/advanced/pack.yml

@@ -1,12 +1,12 @@
 name: Linux Advanced
 id: linux-advanced
 description: >
-  Linux Essential plus broader production detections. More false positives may
-  occur than in Essential (notably from package installs); tune per environment
-  before relying on by default.
+    Linux Essential plus broader production detections. More false positives may
+    occur than in Essential (notably from package installs); tune per environment
+    before relying on by default.
 os: linux
 level: advanced
-pack_schema_version: 1
+pack_schema_version: 2
 requires_rustinel: ">=1.0.2"
 default: false
 expected_false_positive_level: medium
@@ -27,10 +27,13 @@ telemetry_requirements:
   - file_scan
 test_status: none
 sources:
-  - https://attack.mitre.org/
+    manual:
+      - https://attack.mitre.org/
 rules:
-  - 3d4e5f60-7182-4394-9da5-2e3f4a5b6c73   # Systemd Unit Persistence (sigma)
-  - 4e5f6071-8293-44a5-8eb6-3f4a5b6c7d84   # Cron Job Persistence (sigma)
-  - 5f607182-93a4-45b6-9fc7-4a5b6c7d8e95   # Shell Profile / RC File Persistence (sigma)
-  - 60718293-a4b5-46c7-8fd8-5b6c7d8e9fa6   # Execution from World-Writable / Temporary Directory (sigma)
-  - 94fb53c7-debd-4287-99e4-6eb0ba923731   # Linux Download and Execute Piped to Shell (sigma)
+    has:
+        sigma:
+          - 3d4e5f60-7182-4394-9da5-2e3f4a5b6c73   # Systemd Unit Persistence (sigma)
+          - 4e5f6071-8293-44a5-8eb6-3f4a5b6c7d84   # Cron Job Persistence (sigma)
+          - 5f607182-93a4-45b6-9fc7-4a5b6c7d8e95   # Shell Profile / RC File Persistence (sigma)
+          - 60718293-a4b5-46c7-8fd8-5b6c7d8e9fa6   # Execution from World-Writable / Temporary Directory (sigma)
+          - 94fb53c7-debd-4287-99e4-6eb0ba923731   # Linux Download and Execute Piped to Shell (sigma)

packs/linux/essential/pack.yml

@@ -3,7 +3,7 @@ id: linux-essential
 description: Low-noise, high-confidence Linux detections for Rustinel. Safe default pack.
 os: linux
 level: essential
-pack_schema_version: 1
+pack_schema_version: 2
 requires_rustinel: ">=1.0.2"
 default: true
 expected_false_positive_level: low
@@ -25,13 +25,18 @@ telemetry_requirements:
   - file_scan
 test_status: none
 sources:
-  - https://attack.mitre.org/
+    manual:
+      - https://attack.mitre.org/
 rules:
-  - 0a1b2c3d-4e5f-4061-8a72-9b0c1d2e3f40   # Dynamic Linker Hijacking via ld.so.preload (sigma)
-  - 1b2c3d4e-5f60-4172-9b83-0c1d2e3f4a51   # SSH authorized_keys Created or Replaced (sigma)
-  - 2c3d4e5f-6071-4283-8c94-1d2e3f4a5b62   # Sudoers Configuration Tampering (sigma)
-  - a3c5c821-004a-4e52-8684-0f7f9ea0404c   # Linux Reverse Shell via /dev/tcp (sigma)
-  - 8fd4d1d9-38cf-4704-8009-00e41a009c98   # Linux Web Server Spawning Interactive Shell (sigma)
-  - 9ac8732e-1818-4cda-89ac-01ca08a7b836   # SSH Daemon Configuration Tampering (sigma)
-  - yara-lnx-xmrig-coinminer                # XMRig / coinminer strings in Linux ELF binaries (yara)
-  - ioc-eicar-test                         # EICAR safe end-to-end IOC test set (ioc)
+    has:
+        sigma:
+          - 0a1b2c3d-4e5f-4061-8a72-9b0c1d2e3f40   # Dynamic Linker Hijacking via ld.so.preload (sigma)
+          - 1b2c3d4e-5f60-4172-9b83-0c1d2e3f4a51   # SSH authorized_keys Created or Replaced (sigma)
+          - 2c3d4e5f-6071-4283-8c94-1d2e3f4a5b62   # Sudoers Configuration Tampering (sigma)
+          - a3c5c821-004a-4e52-8684-0f7f9ea0404c   # Linux Reverse Shell via /dev/tcp (sigma)
+          - 8fd4d1d9-38cf-4704-8009-00e41a009c98   # Linux Web Server Spawning Interactive Shell (sigma)
+          - 9ac8732e-1818-4cda-89ac-01ca08a7b836   # SSH Daemon Configuration Tampering (sigma)
+        yara:
+          - yara-lnx-xmrig-coinminer                # XMRig / coinminer strings in Linux ELF binaries (yara)
+        ioc:
+          - ioc-eicar-test                         # EICAR safe end-to-end IOC test set (ioc)                         # EICAR safe end-to-end IOC test set (ioc)                         # EICAR safe end-to-end IOC test set (ioc)

packs/macos/advanced/pack.yml

@@ -1,14 +1,14 @@
 name: macOS Advanced
 id: macos-advanced
 description: >
-  macOS Essential plus broader detections: launch-item persistence, shell
-  download cradles, privileged account creation and execution from temporary
-  paths. More false positives may occur — notably from application installers —
-  so tune per environment before relying on by default. Experimental and
-  post-v1; disabled by default.
+    macOS Essential plus broader detections: launch-item persistence, shell
+    download cradles, privileged account creation and execution from temporary
+    paths. More false positives may occur — notably from application installers —
+    so tune per environment before relying on by default. Experimental and
+    post-v1; disabled by default.
 os: macos
 level: advanced
-pack_schema_version: 1
+pack_schema_version: 2
 requires_rustinel: ">=1.0.2"
 default: false
 expected_false_positive_level: medium
@@ -29,9 +29,12 @@ telemetry_requirements:
   - file_event
 test_status: none
 sources:
-  - https://attack.mitre.org/
+    manual:
+      - https://attack.mitre.org/
 rules:
-  - 4d4f5162-7e80-4193-9da3-4e5f60712304   # Launch Agent or Daemon Persistence Plist Created (sigma)
-  - 3e506273-8f91-42a4-8eb4-5f6071823405   # Shell Download-and-Execute Pipe Cradle (sigma)
-  - 2f617384-9012-43b5-9fc5-60718293a416   # Local Admin Account Created via Directory Services (sigma)
-  - 1a728495-a123-44c6-8ad6-718293a4b527   # Execution from World-Writable or Temporary Directory (sigma)
+    has:
+        sigma:
+          - 4d4f5162-7e80-4193-9da3-4e5f60712304   # Launch Agent or Daemon Persistence Plist Created (sigma)
+          - 3e506273-8f91-42a4-8eb4-5f6071823405   # Shell Download-and-Execute Pipe Cradle (sigma)
+          - 2f617384-9012-43b5-9fc5-60718293a416   # Local Admin Account Created via Directory Services (sigma)
+          - 1a728495-a123-44c6-8ad6-718293a4b527   # Execution from World-Writable or Temporary Directory (sigma)

packs/macos/essential/pack.yml

@@ -1,13 +1,13 @@
 name: macOS Essential
 id: macos-essential
 description: >
-  Low-noise, high-confidence macOS detections for Rustinel, focused on the
-  dominant macOS threats: infostealers, keychain theft, Gatekeeper bypass and
-  cryptominers. Experimental and post-v1 — macOS packs are not yet
-  production-ready, so this pack is disabled by default.
+    Low-noise, high-confidence macOS detections for Rustinel, focused on the
+    dominant macOS threats: infostealers, keychain theft, Gatekeeper bypass and
+    cryptominers. Experimental and post-v1 — macOS packs are not yet
+    production-ready, so this pack is disabled by default.
 os: macos
 level: essential
-pack_schema_version: 1
+pack_schema_version: 2
 requires_rustinel: ">=1.0.2"
 default: false
 expected_false_positive_level: low
@@ -28,11 +28,16 @@ telemetry_requirements:
   - file_scan
 test_status: none
 sources:
-  - https://attack.mitre.org/
+    manual:
+      - https://attack.mitre.org/
 rules:
-  - 7a1c2e3f-4b5d-4e6f-8a90-1b2c3d4e5f01   # Keychain Credential Dump via security (sigma)
-  - 6b2d3f40-5c6e-4f71-9b81-2c3d4e5f6012   # osascript Credential Prompt or Suspicious Admin Shell (sigma)
-  - 5c3e4051-6d7f-4082-8c92-3d4e5f601203   # Gatekeeper or Quarantine Protection Disabled (sigma)
-  - be06a6b0-fa9f-4df4-9d4a-9f8794037508   # macOS Reverse Shell via /dev/tcp (sigma)
-  - yara-macos-coinminer-strings           # Cryptominer Mach-O strings (yara)
-  - ioc-eicar-test                         # EICAR safe end-to-end IOC test set (ioc)
+    has:
+        sigma:
+          - 7a1c2e3f-4b5d-4e6f-8a90-1b2c3d4e5f01   # Keychain Credential Dump via security (sigma)
+          - 6b2d3f40-5c6e-4f71-9b81-2c3d4e5f6012   # osascript Credential Prompt or Suspicious Admin Shell (sigma)
+          - 5c3e4051-6d7f-4082-8c92-3d4e5f601203   # Gatekeeper or Quarantine Protection Disabled (sigma)
+          - be06a6b0-fa9f-4df4-9d4a-9f8794037508   # macOS Reverse Shell via /dev/tcp (sigma)
+        yara:
+          - yara-macos-coinminer-strings           # Cryptominer Mach-O strings (yara)
+        ioc:
+          - ioc-eicar-test                         # EICAR safe end-to-end IOC test set (ioc)                         # EICAR safe end-to-end IOC test set (ioc)                         # EICAR safe end-to-end IOC test set (ioc)

packs/windows/advanced/pack.yml

@@ -1,11 +1,11 @@
 name: Windows Advanced
 id: windows-advanced
 description: >
-  Windows Essential plus broader production detections. More false positives may
-  occur than in Essential; tune per environment before relying on by default.
+    Windows Essential plus broader production detections. More false positives may
+    occur than in Essential; tune per environment before relying on by default.
 os: windows
 level: advanced
-pack_schema_version: 1
+pack_schema_version: 2
 requires_rustinel: ">=1.0.2"
 default: false
 expected_false_positive_level: medium
@@ -30,13 +30,16 @@ telemetry_requirements:
   - service_creation
 test_status: manual
 sources:
-  - https://attack.mitre.org/
-  - https://lolbas-project.github.io/
+    manual:
+      - https://attack.mitre.org/
+      - https://lolbas-project.github.io/
 rules:
-  - 9c8b7a6e-1d2f-4a3b-9c0d-2e3f4a5b6c71   # Rundll32 Execution Without Standard Arguments
-  - 6f0d2a91-3b7c-4e58-9a16-8c4e1d7b2a09   # Local Account Created or Added to Administrators
-  - a1b2c3d4-7e8f-4012-9a3b-4c5d6e7f0a10   # Registry Run Key Persistence
-  - c3d4e5f6-9012-4234-9c5d-6e7f8a901a12   # PowerShell Download-and-Execute Cradle
-  - d4e5f6a7-0123-4345-9d6e-7f8a9b012a13   # Suspicious Service Binary Path
-  - 4a596825-4674-4db3-b360-842435edf11a   # Scheduled Task Creation via Schtasks
-  - 2a3c3182-80b8-42d4-bd39-83c55582ef70   # WMI Process Execution via WMIC
+    has:
+        sigma:
+          - 9c8b7a6e-1d2f-4a3b-9c0d-2e3f4a5b6c71   # Rundll32 Execution Without Standard Arguments
+          - 6f0d2a91-3b7c-4e58-9a16-8c4e1d7b2a09   # Local Account Created or Added to Administrators
+          - a1b2c3d4-7e8f-4012-9a3b-4c5d6e7f0a10   # Registry Run Key Persistence
+          - c3d4e5f6-9012-4234-9c5d-6e7f8a901a12   # PowerShell Download-and-Execute Cradle
+          - d4e5f6a7-0123-4345-9d6e-7f8a9b012a13   # Suspicious Service Binary Path
+          - 4a596825-4674-4db3-b360-842435edf11a   # Scheduled Task Creation via Schtasks
+          - 2a3c3182-80b8-42d4-bd39-83c55582ef70   # WMI Process Execution via WMIC