explaingit

karib0u/rustinel-rules

13 · Python · Audience: ops, devops · Complexity: 3/5 · Setup: moderate

TLDR

A library of threat detection rules for the Rustinel endpoint security engine, covering suspicious events, malicious file patterns, and known bad IPs, domains, and hashes, organized into Essential, Advanced, and Hunting packs for Windows, Linux, and macOS.

Mindmap

mindmap
  root((repo))
    Rule Formats
      Sigma rules
      YARA rules
      IOC packs
    Pack Tiers
      Essential packs
      Advanced packs
      Hunting packs
    Platform Coverage
      Windows
      Linux
      macOS experimental
    Build Tooling
      Validate script
      Build script
      index.json catalog
    Workflow
      Detection as code
      CI validation
      EICAR test IOC


Things people build with this

USE CASE 1

Load curated, low-noise threat detection rules into Rustinel to protect Windows or Linux endpoints from day one.

USE CASE 2

Add broader Advanced or Hunting packs when actively investigating a security incident or threat-hunting campaign.

USE CASE 3

Contribute new detection rules using a detection-as-code workflow where every change is automatically validated before merging.

USE CASE 4

Verify your Rustinel setup is wired up correctly using the included EICAR test IOC before deploying real threat content.

Tech stack

Python · Sigma · YARA · IOC · Rustinel · CI/CD

Getting it running

Difficulty · moderate · Time to first run · 30 min

Requires Rustinel engine installed separately. Run the Python validate then build scripts, then point Rustinel's config at the output directory. Use the EICAR test IOC to confirm detection works before going live.

No license is mentioned in the explanation.

In plain English

This is a library of threat detection rules designed to be loaded into the Rustinel endpoint detection engine. Rustinel itself is the scanning agent that runs on computers; this companion repository holds the actual detection content it uses to identify threats. The two parts are intentionally separate: the engine handles how detection works, while this repository controls what it detects.

The content comes in three formats: Sigma rules (a portable format for describing suspicious system events), YARA rules (patterns for matching malicious files), and IOC packs (lists of known bad IP addresses, domains, file hashes, and file paths). Every rule lives in one place inside the rules/ folder and is referenced by a stable ID, so nothing gets duplicated across packs.

Packs are how the content gets organized and delivered to the engine. They work in a tiered structure: Essential packs contain high-confidence, low-noise detections suited for everyday use, Advanced packs add broader coverage at the cost of more false positives, and Hunting packs include looser rules for analysts actively investigating threats. Packs are available for Windows, Linux, and macOS, though the macOS packs are still experimental and not yet production-ready. Each pack specifies which version of Rustinel it requires.

The build process uses Python tooling. Running the validate script checks that all rules and pack manifests are correct, and running the build script assembles ready-to-load pack folders along with an index.json catalog. From there, you point Rustinel's configuration file at the built pack directory and the engine loads the rules directly. The repository ships an EICAR test IOC (a standard harmless test marker used in security tooling) so you can confirm detection is wired up correctly before using real threat content.

The project follows a detection-as-code approach, meaning every rule change goes through automated checks in CI before it is accepted. The stated goal is to keep the Essential packs strict and reliable rather than importing large volumes of unvetted threat intelligence.
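The validate-then-build flow described above, as an added example written for this page and not the repository's own scripts: rules are stored once and identified by a stable ID, pack manifests reference those IDs, validation rejects duplicate IDs, dangling references, platform mismatches and malformed engine versions, and the build step only emits an index.json-style catalog once validation passes. The field names, tier names and manifest layout are assumptions, and the rule and pack data is constructed inline so the example runs without the repository.

```python
"""
Added example (not the rustinel-rules repo's own tooling): a minimal
validate-then-build pass over a rule library laid out the way the page
describes, with every rule stored once and packs referencing rules by a
stable id. Field names, tiers and the manifest shape are assumptions.
"""
from __future__ import annotations

import json
import re

# Constructed sample content standing in for files under rules/ and packs/.
RULES = [
    {"id": "win-ps-encoded-cmd", "format": "sigma", "platform": "windows", "tier": "essential"},
    {"id": "lin-cron-persist", "format": "sigma", "platform": "linux", "tier": "advanced"},
    {"id": "yara-generic-packed", "format": "yara", "platform": "any", "tier": "hunting"},
    {"id": "ioc-eicar-test", "format": "ioc", "platform": "any", "tier": "essential"},
]

PACKS = [
    {"name": "windows-essential", "platform": "windows", "min_engine": "1.2.0",
     "rules": ["win-ps-encoded-cmd", "ioc-eicar-test"]},
    {"name": "linux-advanced", "platform": "linux", "min_engine": "1.2.0",
     "rules": ["lin-cron-persist", "yara-generic-packed", "ioc-eicar-test"]},
    {"name": "macos-essential", "platform": "macos", "min_engine": "1.3.0",
     "experimental": True, "rules": ["ioc-eicar-test"]},
]

SEMVER = re.compile(r"^\d+\.\d+\.\d+$")
TIERS = ("essential", "advanced", "hunting")
FORMATS = ("sigma", "yara", "ioc")


def validate(rules: list[dict], packs: list[dict]) -> list[str]:
    """Return a list of problems; an empty list means the content is consistent."""
    errors: list[str] = []
    by_id: dict[str, dict] = {}

    for rule in rules:
        rid = rule.get("id")
        if not rid:
            errors.append("rule without id")
            continue
        if rid in by_id:
            errors.append(f"duplicate rule id: {rid}")  # same id defined twice
            continue
        if rule.get("tier") not in TIERS:
            errors.append(f"rule {rid}: unknown tier {rule.get('tier')!r}")
        if rule.get("format") not in FORMATS:
            errors.append(f"rule {rid}: unknown format {rule.get('format')!r}")
        by_id[rid] = rule

    for pack in packs:
        name = pack.get("name", "<unnamed>")
        for key in ("name", "platform", "min_engine", "rules"):
            if key not in pack:
                errors.append(f"pack {name}: missing field {key}")
        if "min_engine" in pack and not SEMVER.match(str(pack["min_engine"])):
            errors.append(f"pack {name}: min_engine must look like X.Y.Z")
        listed = pack.get("rules", [])
        if len(set(listed)) != len(listed):
            errors.append(f"pack {name}: a rule id is listed more than once")
        for rid in listed:
            rule = by_id.get(rid)
            if rule is None:
                errors.append(f"pack {name}: unknown rule id {rid}")
            elif rule["platform"] not in ("any", pack.get("platform")):
                errors.append(f"pack {name}: rule {rid} targets {rule['platform']}")
    return errors


def build_index(rules: list[dict], packs: list[dict]) -> dict:
    """Assemble an index.json-style catalog; refuses to build if validation fails."""
    errors = validate(rules, packs)
    if errors:
        raise ValueError("validation failed: " + "; ".join(errors))
    by_id = {r["id"]: r for r in rules}
    entries = []
    for pack in packs:
        counts = {fmt: 0 for fmt in FORMATS}
        for rid in pack["rules"]:
            counts[by_id[rid]["format"]] += 1
        entries.append({
            "name": pack["name"],
            "platform": pack["platform"],
            "min_engine": pack["min_engine"],
            "experimental": bool(pack.get("experimental", False)),
            "counts": counts,
            "rules": sorted(pack["rules"]),
        })
    return {"packs": entries}


if __name__ == "__main__":
    problems = validate(RULES, PACKS)
    print("validate:", "ok" if not problems else problems)
    print(json.dumps(build_index(RULES, PACKS), indent=2))
```

Running the file validates the constructed content and prints the catalog; wiring `validate` into a CI job so a non-empty error list fails the pull request is the detection-as-code gate the page describes.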

Copy-paste prompts

Prompt 1
I have the rustinel-rules repo checked out and Rustinel installed. Walk me step by step through running the validate script, then the build script, and finally pointing Rustinel's config file at the output directory so it loads the Essential packs.
Prompt 2
Explain the difference between the Essential, Advanced, and Hunting pack tiers in rustinel-rules. For a small team with no dedicated security analyst, which tier should we start with and why?
Prompt 3
I want to add a new Sigma rule to rustinel-rules to detect a suspicious PowerShell command on Windows. Show me the correct file structure, required fields, and how to reference it from an existing pack manifest.
Prompt 4
The rustinel-rules repo supports Sigma, YARA, and IOC formats. For detecting a known malicious domain, which format should I use and how do I add it to the rules/ folder with a stable ID?
Prompt 5
How do I set up CI for rustinel-rules so that any pull request automatically runs the validate script and fails if a rule or pack manifest is broken? Provide a GitHub Actions workflow file.


Verify against the repo before relying on details.