Open-source endpoint detection for Windows, Linux, and macOS.
Native telemetry to Sigma, YARA, IOC detection, and SIEM-ready alerts. Written in Rust.
Website | Docs | Download | SIEM demos
Get Your First Alert
Rustinel ships release archives with a binary, default config, demo rules, and a logs/ directory.

Windows - from an elevated PowerShell:

```powershell
Invoke-WebRequest https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.ps1 -OutFile install-rustinel.ps1
powershell -ExecutionPolicy Bypass -File .\install-rustinel.ps1 -Run
```

Linux

```sh
curl -fsSL https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.sh | sh -s -- --run
```

macOS (experimental)

```sh
curl -fsSL https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.sh | sh
cd rustinel
```
macOS requires a one-time Full Disk Access approval before Endpoint Security can start. Follow the Getting Started macOS notes before using it beyond a first test.
With the agent running, trigger the bundled demo rule:
Alerts are written to logs/alerts.json.<date> as ECS NDJSON.
Prefer to inspect first? Download the install script or a package from the latest release. Installers only download published release binaries.
Why Rustinel
A transparent endpoint detection engine you can read, run, test, and extend.
- Native telemetry: ETW on Windows, eBPF on Linux, Endpoint Security and /dev/bpf on macOS.
- Detection formats: Sigma for behavior, YARA for files and memory, IOC matching for hashes, IPs, domains, and path regexes.
- Rule reuse: bring existing Sigma and YARA rules instead of rewriting them into a proprietary format.
- SIEM output: ECS 9.4.0 NDJSON alerts for Elastic, Splunk, and other log pipelines.
- Operations: hot reload for rules and IOCs, optional active response on Windows and Linux only; macOS is detection-only today. Includes Windows service support and launchd packaging notes.
Platform support
| Platform | Sensor | Telemetry | Status |
|---|---|---|---|
| Windows 10/11, Server 2016+ | ETW | Process, image load, network, file, registry, DNS, PowerShell, WMI, service, task | Stable |
| Linux 5.8+ (BTF) | eBPF | Process, network, file, DNS | Stable |
| macOS 11+ | Endpoint Security + /dev/bpf | Process, file, network, DNS | Experimental |
Windows coverage is the broadest today. Linux and macOS focus on process, network, file, and DNS telemetry. macOS remains experimental. Current gaps are listed in Limitations.
How detection works
```
ETW (Windows) | eBPF (Linux) | ESF + /dev/bpf (macOS)
                        │
               Normalized event model
                        │
        ┌───────────────┼───────────────┐
      Sigma            YARA            IOC
    behavior          files +       hashes, IPs,
      rules           memory       domains, paths
        └───────────────┼───────────────┘
                        │
               ECS NDJSON alerts
                        │
            Optional active response
```
See the detection docs for rule authoring, YARA memory scanning, and IOC formats.
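The diagram above ends at the IOC stage and the ECS NDJSON alert file mentioned under "Get Your First Alert". The following is an added example, not Rustinel's own code: a toy version of that path, from constructed normalized events through the four IOC kinds the README lists (hash, IP, domain, path regex) to ECS-style alert lines, plus the kind of parse-and-count check a SIEM pipeline validation would run over logs/alerts.json.<date>. The event shape, the IOC list layout and the exact set of ECS fields are assumptions made for this example; Rustinel's real schemas are in its Architecture and Detection docs.

```python
import json
import re

# Constructed IOC set, one entry per indicator kind the README lists.
# Values are placeholders from documentation ranges, not real indicators.
IOCS = {
    "hashes": {"0123456789abcdef" * 4},                 # sha256 hex, constructed
    "ips": {"203.0.113.7"},                             # TEST-NET-3 documentation range
    "domains": {"c2.example.net"},                      # reserved example domain
    "path_regexes": [re.compile(r"(?i)^/tmp/[^/]+\.sh$")],
}

# Constructed normalized events in the shape this example assumes
# (hypothetical; Rustinel's own event model is documented separately).
EVENTS = [
    {"type": "process", "host": "lab-01", "ts": "2024-05-01T10:00:00Z",
     "process": {"name": "updater", "sha256": "0123456789abcdef" * 4}},
    {"type": "network", "host": "lab-01", "ts": "2024-05-01T10:00:01Z",
     "destination": {"ip": "203.0.113.7", "port": 443}},
    {"type": "dns", "host": "lab-02", "ts": "2024-05-01T10:00:02Z",
     "dns": {"question": "beacon.c2.example.net"}},
    {"type": "file", "host": "lab-02", "ts": "2024-05-01T10:00:03Z",
     "file": {"path": "/tmp/stage1.sh"}},
    {"type": "file", "host": "lab-02", "ts": "2024-05-01T10:00:04Z",
     "file": {"path": "/home/user/notes.txt"}},      # benign, must not alert
]

# ECS event.category values for each assumed event type (DNS is network traffic).
CATEGORY = {"process": "process", "network": "network", "dns": "network", "file": "file"}


def match_iocs(event, iocs):
    """Return (kind, ecs_indicator_type, indicator) tuples that fire on one event."""
    hits = []
    sha = event.get("process", {}).get("sha256")
    if sha and sha.lower() in iocs["hashes"]:            # exact hash match
        hits.append(("hash", "file", sha))
    ip = event.get("destination", {}).get("ip")
    if ip and ip in iocs["ips"]:                          # exact IP match
        hits.append(("ip", "ipv4-addr", ip))
    name = event.get("dns", {}).get("question", "").lower().rstrip(".")
    for d in iocs["domains"]:                             # domain and its subdomains
        if name == d or name.endswith("." + d):
            hits.append(("domain", "domain-name", d))
    path = event.get("file", {}).get("path", "")
    for rx in iocs["path_regexes"]:                       # path regex match
        if path and rx.search(path):
            hits.append(("path", "file", rx.pattern))
    return hits


def to_ecs_alert(event, hit):
    """Build an ECS-style alert document using standard ECS field names.
    Which of these Rustinel actually emits is an assumption of this example."""
    kind, ind_type, indicator = hit
    return {
        "@timestamp": event["ts"],
        "event": {"kind": "alert", "category": [CATEGORY[event["type"]]],
                  "dataset": "rustinel.ioc"},
        "host": {"name": event["host"]},
        "rule": {"name": f"ioc-{kind}"},
        "threat": {"indicator": {"type": ind_type, "name": indicator}},
        "source_event": event,                            # keep the trigger for triage
    }


def run_ioc_stage(events, iocs):
    """Evaluate every event; return alerts as NDJSON lines (one JSON doc per line)."""
    lines = []
    for ev in events:
        for hit in match_iocs(ev, iocs):
            lines.append(json.dumps(to_ecs_alert(ev, hit), separators=(",", ":")))
    return lines


def summarize_alerts(ndjson_lines):
    """SIEM-side sanity check over an alerts.json.<date> file: parse each line,
    count malformed ones instead of crashing, and tally hits per rule and host."""
    by_rule, by_host, bad = {}, {}, 0
    for line in ndjson_lines:
        try:
            doc = json.loads(line)
            rule, host = doc["rule"]["name"], doc["host"]["name"]
        except (ValueError, KeyError):
            bad += 1
            continue
        by_rule[rule] = by_rule.get(rule, 0) + 1
        by_host[host] = by_host.get(host, 0) + 1
    return {"by_rule": by_rule, "by_host": by_host, "malformed": bad}


if __name__ == "__main__":
    alerts = run_ioc_stage(EVENTS, IOCS)
    for line in alerts:
        print(line)
    print(summarize_alerts(alerts))
```

Running it produces four alert lines (one per IOC kind) and none for the benign file event; `summarize_alerts` is the part worth reusing against a real alerts file, since it tolerates a truncated last line and reports how many lines were dropped rather than silently losing them.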
Detection packs
The bundled rules only prove that the pipeline works. For real coverage, load curated content from rustinel-rules, the official versioned detection repository.
rustinel -> the engine that collects telemetry and evaluates rules
rustinel-rules -> the Sigma, YARA, and IOC packs it loads
Each pack materializes into folders that config.toml can point at directly. Browse the pack catalog to get started.
Good for / not for
Use it for detection engineering, rule development and testing, blue-team labs, cross-platform detection research, and SIEM pipeline validation.
It is not a drop-in replacement for a mature commercial EDR. Rustinel does not provide kernel-level self-protection, pre-execution blocking, anti-tamper guarantees, or managed response. A sufficiently privileged attacker may interfere with user-mode telemetry.
Build from source
```sh
cargo build --release
sudo ./target/release/rustinel run
```
macOS requires the app-like signed bundle described in Getting Started.
Documentation
Website | Docs home | Getting Started | Configuration | Detection | Architecture | Operations | Troubleshooting | FAQ | Detection rules | Roadmap
Contributing
Testing, feedback, and detection ideas are welcome. See CONTRIBUTING.md.