gitmyhub

rustinel-rules

Python ★ 17 updated 3d ago

Official, curated detection content (Sigma, YARA, IOC packs) for the Rustinel endpoint detection engine.

A library of threat detection rules for the Rustinel endpoint security engine, covering suspicious events, malicious file patterns, and known bad IPs, domains, and hashes, organized into Essential, Advanced, and Hunting packs for Windows, Linux, and macOS.

Tags: Python, Sigma, YARA, IOC, Rustinel, CI/CD. Setup: moderate. Complexity: 3/5.

This is a library of threat detection rules designed to be loaded into the Rustinel endpoint detection engine. Rustinel itself is the scanning agent that runs on the endpoint; this companion repository holds the detection content the agent loads to identify threats. The two parts are intentionally separate: the engine handles how detection works (parsing, matching, alerting), while this repository controls what it detects.

The content comes in three formats: Sigma rules (a portable format for describing suspicious system events), YARA rules (patterns for matching malicious files), and IOC packs (lists of known bad IP addresses, domains, file hashes, and file paths). Every rule lives in exactly one place inside the rules/ folder and carries a stable ID; packs reference rules by that ID rather than copying them, so a rule is never duplicated across packs and a fix lands everywhere at once.

Packs are how the content gets organized and delivered to the engine. They work in a tiered structure: Essential packs contain high-confidence, low-noise detections suited for everyday use; Advanced packs add broader coverage at the cost of more false positives; and Hunting packs include looser rules for analysts actively investigating threats. Packs are available for Windows, Linux, and macOS, though the macOS packs are still experimental and not yet production-ready. Each pack specifies which version of Rustinel it requires.
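As an added example (not the repository's own validate script), the block below shows the kind of consistency check a pack-manifest validator performs over a constructed rule library. The manifest fields (name, platform, tier, requires_engine, experimental, rules), the inlined rule metadata and the "high/critical only" noise threshold for Essential packs are assumptions made for illustration; the constraints being enforced (stable rule IDs, strict Essential packs, experimental macOS packs, a required engine version per pack) are the ones the page describes.

```python
"""Validate rule IDs against tiered pack manifests.

Added example, not the rustinel-rules project's own validate script. The
manifest fields and rule metadata below are assumptions made for
illustration; the rules/ tree of a real checkout would be parsed instead.
"""
import re

TIERS = ("essential", "advanced", "hunting")
ESSENTIAL_LEVELS = {"high", "critical"}          # assumed noise threshold
VERSION_RE = re.compile(r"\d+\.\d+\.\d+")

# Constructed rule library: the stable ID is the only handle a pack may use.
RULES = {
    "sigma-win-0001": {"format": "sigma", "platform": "windows", "level": "high"},
    "sigma-win-0002": {"format": "sigma", "platform": "windows", "level": "low"},
    "yara-lnx-0001":  {"format": "yara",  "platform": "linux",   "level": "critical"},
    "ioc-any-0001":   {"format": "ioc",   "platform": "any",     "level": "high"},
    "sigma-mac-0001": {"format": "sigma", "platform": "macos",   "level": "high"},
}

# Constructed pack manifests, one per platform/tier (field names are assumed).
PACKS = [
    {"name": "windows-essential", "platform": "windows", "tier": "essential",
     "requires_engine": "0.4.0", "rules": ["sigma-win-0001", "ioc-any-0001"]},
    {"name": "windows-hunting", "platform": "windows", "tier": "hunting",
     "requires_engine": "0.4.0", "rules": ["sigma-win-0002"]},
    {"name": "linux-essential", "platform": "linux", "tier": "essential",
     "requires_engine": "0.4.0", "rules": ["yara-lnx-0001", "ioc-any-0001"]},
    {"name": "macos-essential", "platform": "macos", "tier": "essential",
     "experimental": True, "requires_engine": "0.5.0", "rules": ["sigma-mac-0001"]},
]


def validate(rules, packs):
    """Return a list of readable errors; an empty list means the content is consistent."""
    errors = []
    names = set()
    for pack in packs:
        name = pack.get("name", "<unnamed>")
        if name in names:
            errors.append(f"{name}: duplicate pack name")
        names.add(name)
        if pack.get("tier") not in TIERS:
            errors.append(f"{name}: tier must be one of {TIERS}")
        if not VERSION_RE.fullmatch(str(pack.get("requires_engine", ""))):
            errors.append(f"{name}: requires_engine must be a dotted version")
        if pack.get("platform") == "macos" and not pack.get("experimental"):
            errors.append(f"{name}: macOS packs must be marked experimental")
        seen = set()
        for rid in pack.get("rules", []):
            if rid in seen:
                errors.append(f"{name}: rule {rid} listed twice")
                continue
            seen.add(rid)
            rule = rules.get(rid)
            if rule is None:
                errors.append(f"{name}: unknown rule id {rid}")
                continue
            if rule["platform"] not in ("any", pack.get("platform")):
                errors.append(f"{name}: rule {rid} targets {rule['platform']}, "
                              f"pack is {pack.get('platform')}")
            if pack.get("tier") == "essential" and rule["level"] not in ESSENTIAL_LEVELS:
                errors.append(f"{name}: rule {rid} (level {rule['level']}) "
                              "is too noisy for an Essential pack")
    return errors


# A deliberately broken manifest, to show what the checks catch:
# bad version string, a Windows low-level rule in a Linux Essential pack,
# a rule listed twice, and an ID that does not exist.
BAD_PACK = {"name": "linux-essential", "platform": "linux", "tier": "essential",
            "requires_engine": "latest",
            "rules": ["sigma-win-0002", "ioc-any-0001", "ioc-any-0001", "yara-lnx-9999"]}

if __name__ == "__main__":
    print("good manifests:", validate(RULES, PACKS))
    for err in validate(RULES, PACKS + [BAD_PACK]):
        print("bad manifest: ", err)
```

Run as a script it prints an empty error list for the good manifests and six findings for the set that includes BAD_PACK (five from the pack itself plus the clashing pack name). A CI job would fail on any non-empty list, which is what "every rule change goes through automated checks" amounts to in practice.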

The build process uses Python tooling. Running the validate script checks that all rules and pack manifests are correct, and running the build script assembles ready-to-load pack folders along with an index.json catalog. From there, you point Rustinel's configuration file at the built pack directory and the engine loads the rules directly. The repository ships an EICAR test IOC (a standard harmless test marker used in security tooling) so you can confirm detection is wired up correctly before using real threat content.
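The following block is an added example of the build and wiring-check steps; it is not the project's build script and not the Rustinel engine. The on-disk pack layout (one folder per pack holding an iocs.txt), the IOC line format ("type value rule-id"), the index.json fields and the hash-match function are all assumptions made for illustration. The EICAR string is the standard test string published by EICAR, and its SHA-256 is computed rather than hard-coded so the IOC entry is correct by construction.

```python
"""Assemble pack folders plus an index.json catalog, then confirm IOC
matching is wired up using the EICAR test marker.

Added example, not the rustinel-rules build script or the Rustinel engine.
Layout, IOC line format and match logic are assumptions for illustration.
"""
import hashlib
import ipaddress
import json
import re
import tempfile
from pathlib import Path

# Standard EICAR test string (published by EICAR); harmless by design.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
EICAR_SHA256 = hashlib.sha256(EICAR).hexdigest()

SHA256_RE = re.compile(r"[0-9a-f]{64}")
DOMAIN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")

# Constructed IOC pack content; the "<type> <value> <rule-id>" layout is assumed.
IOC_LINES = f"""\
# test marker so detection wiring can be confirmed before real intel is loaded
sha256 {EICAR_SHA256} ioc-test-eicar
ip     203.0.113.7 ioc-net-0001
domain c2.malware.example ioc-net-0002
path   /tmp/.x/kthreadd ioc-path-0001
"""


def parse_ioc_lines(text):
    """Parse IOC entries and syntax-check each value; raise ValueError on a bad one."""
    iocs = {"sha256": {}, "ip": {}, "domain": {}, "path": {}}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] not in iocs:
            raise ValueError(f"line {lineno}: expected '<type> <value> <rule-id>'")
        kind, value, rule_id = parts
        if kind == "sha256":
            value = value.lower()
            if not SHA256_RE.fullmatch(value):
                raise ValueError(f"line {lineno}: not a SHA-256 hex digest")
        elif kind == "ip":
            ipaddress.ip_address(value)            # raises ValueError on junk
        elif kind == "domain":
            value = value.lower().rstrip(".")
            if len(value) > 253 or not DOMAIN_RE.fullmatch(value):
                raise ValueError(f"line {lineno}: not a valid domain name")
        iocs[kind][value] = rule_id
    return iocs


def build(packs, out_dir):
    """Write one folder per pack and an index.json catalog; return the index."""
    out = Path(out_dir)
    index = {"packs": []}
    for pack in packs:
        parse_ioc_lines(pack["iocs"])             # refuse to ship unparseable IOCs
        pack_dir = out / pack["name"]
        pack_dir.mkdir(parents=True, exist_ok=True)
        (pack_dir / "iocs.txt").write_text(pack["iocs"])
        index["packs"].append({"name": pack["name"], "tier": pack["tier"],
                               "platform": pack["platform"],
                               "requires_engine": pack["requires_engine"],
                               "path": str(pack_dir.relative_to(out))})
    (out / "index.json").write_text(json.dumps(index, indent=2))
    return index


def match_file(data, iocs):
    """Return the rule ID whose hash IOC matches the file bytes, else None."""
    return iocs["sha256"].get(hashlib.sha256(data).hexdigest())


def eicar_smoke_test(out_dir, pack_name):
    """Load the built pack from disk (as an engine pointed at out_dir would) and test EICAR."""
    iocs = parse_ioc_lines((Path(out_dir) / pack_name / "iocs.txt").read_text())
    return match_file(EICAR, iocs)


# Constructed input for the build; one pack is enough to exercise the flow.
PACKS = [{"name": "linux-essential", "tier": "essential", "platform": "linux",
          "requires_engine": "0.4.0", "iocs": IOC_LINES}]


def build_and_check():
    """Build into a scratch directory and return the index plus the EICAR result."""
    with tempfile.TemporaryDirectory() as tmp:
        index = build(PACKS, tmp)
        return {"index": index, "match": eicar_smoke_test(tmp, "linux-essential")}


if __name__ == "__main__":
    result = build_and_check()
    print(json.dumps(result["index"], indent=2))
    print("EICAR matched rule:", result["match"])
```

The point of the smoke test is ordering: confirm the engine actually loads and matches the built pack with a harmless marker first, then swap in real threat content. A build that silently produced an empty or malformed pack would otherwise look identical to a quiet, healthy endpoint.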

The project follows a detection-as-code approach, meaning every rule change goes through automated checks in CI before it is accepted. The stated goal is to keep the Essential packs strict and reliable rather than importing large volumes of unvetted threat intelligence.

Where it fits