### Configure Linux Install Layout in TOML Source: https://github.com/karib0u/rustinel/blob/main/docs/configuration.md Set scanner and logging directory paths for a Linux installation using TOML format. This example uses standard Linux directory structures. ```toml [scanner] sigma_rules_path = "/opt/rustinel/rules/sigma" yara_rules_path = "/opt/rustinel/rules/yara" [logging] directory = "/opt/rustinel/logs" [alerts] directory = "/opt/rustinel/logs" ``` -------------------------------- ### Run Rustinel on Windows (Quick Start) Source: https://github.com/karib0u/rustinel/blob/main/docs/getting-started.md Execute the Rustinel binary from an elevated PowerShell prompt after extracting the release archive. ```powershell .\rustinel.exe run --console ``` -------------------------------- ### Example systemd Unit File Source: https://github.com/karib0u/rustinel/blob/main/docs/operations.md Configuration for a systemd service to manage the Rustinel agent. Save this to /etc/systemd/system/rustinel.service. ```ini [Unit] Description=Rustinel EDR Agent After=network.target [Service] Type=simple ExecStart=/opt/rustinel/rustinel run WorkingDirectory=/opt/rustinel Restart=on-failure RestartSec=5s User=root [Install] WantedBy=multi-user.target ``` -------------------------------- ### Run Rustinel with Sudo Source: https://github.com/karib0u/rustinel/blob/main/docs/cli.md Example of running the 'run' command with superuser privileges on Linux. ```bash sudo ./rustinel run ``` -------------------------------- ### Run Rustinel on Linux (Quick Start) Source: https://github.com/karib0u/rustinel/blob/main/docs/getting-started.md Extract the tarball, navigate to the directory, and run the Rustinel binary with sudo privileges. Mount tracefs and debugfs if startup fails. ```bash tar xzf rustinel--x86_64-unknown-linux-musl.tar.gz cd rustinel--x86_64-unknown-linux-musl sudo ./rustinel run ``` ```bash mount -t tracefs tracefs /sys/kernel/tracing mount -t debugfs debugfs /sys/kernel/debug ``` -------------------------------- ### Windows Upgrade: Move To New Install Directory Source: https://github.com/karib0u/rustinel/blob/main/docs/operations.md Upgrade Rustinel by moving it to a new directory. This involves stopping and uninstalling the old service, copying files to the new location, and then installing and starting the service in the new directory. ```powershell Set-Location C:\OldRustinel .\rustinel.exe service stop .\rustinel.exe service uninstall New-Item -ItemType Directory -Path D:\Rustinel -Force | Out-Null Copy-Item C:\Staging\rustinel.exe D:\Rustinel\rustinel.exe -Force Copy-Item C:\Staging\config.toml D:\Rustinel\config.toml -Force Copy-Item C:\Staging\rules D:\Rustinel\rules -Recurse -Force Set-Location D:\Rustinel .\rustinel.exe service install .\rustinel.exe service start ``` -------------------------------- ### Manage Rustinel as a Windows Service Source: https://context7.com/karib0u/rustinel/llms.txt Commands to install, start, stop, and uninstall Rustinel as a Windows service. Use `sc.exe query` to verify the service state. ```powershell .\rustinel.exe service install .\rustinel.exe service start ``` ```powershell .\rustinel.exe service stop .\rustinel.exe service uninstall ``` ```powershell sc.exe query Rustinel ``` -------------------------------- ### Compile and Run YARA Demo Example (Linux) Source: https://github.com/karib0u/rustinel/blob/main/docs/active-response.md Compile and run the YARA demo example on Linux. This is part of the safe test flow for validating the alert-to-response pipeline. ```bash rustc ./examples/yara_demo.rs -o ./examples/yara_demo ./yara_demo ``` -------------------------------- ### Manage Windows Service Source: https://github.com/karib0u/rustinel/blob/main/docs/cli.md Commands for installing, uninstalling, starting, and stopping the Rustinel Windows service. These commands are Windows-specific. ```powershell rustinel service install ``` ```powershell rustinel service start ``` ```powershell rustinel service stop ``` ```powershell rustinel service uninstall ``` -------------------------------- ### Fastest Local Build Paths (Userspace) Source: https://github.com/karib0u/rustinel/blob/main/docs/development.md Use these commands for quick local checks and builds. Ensure you have the correct environment setup for Windows or Linux. ```bash cargo check --workspace ``` ```bash cargo build ``` ```bash cargo build --release ``` -------------------------------- ### Mount Tracing Filesystems on Linux Source: https://github.com/karib0u/rustinel/blob/main/README.md If Rustinel fails to start due to missing tracefs, mount the necessary tracing filesystems. ```bash mount -t tracefs tracefs /sys/kernel/tracing mount -t debugfs debugfs /sys/kernel/debug ``` -------------------------------- ### Compile and Run YARA Demo Example (Windows) Source: https://github.com/karib0u/rustinel/blob/main/docs/active-response.md Compile and run the YARA demo example on Windows. This is part of the safe test flow for validating the alert-to-response pipeline. ```powershell rustc .\examples\yara_demo.rs -o .\examples\yara_demo.exe .\yara_demo.exe ``` -------------------------------- ### Compile and Run YARA Demo Binary Source: https://github.com/karib0u/rustinel/blob/main/docs/getting-started.md Compile the example Rust program for cross-platform YARA demonstration. ```rust rustc ./examples/yara_demo.rs -o ./examples/yara_demo ``` ```powershell rustc .\examples\yara_demo.rs -o .\examples\yara_demo.exe ``` -------------------------------- ### Windows Service Management Commands Source: https://github.com/karib0u/rustinel/blob/main/docs/operations.md Use these PowerShell commands to install, start, stop, and uninstall the Rustinel Windows service. Ensure you are in the directory containing rustinel.exe. ```powershell .\rustinel.exe service install ``` ```powershell .\rustinel.exe service start ``` ```powershell .\rustinel.exe service stop ``` ```powershell .\rustinel.exe service uninstall ``` -------------------------------- ### Sigma Rule Format Examples Source: https://context7.com/karib0u/rustinel/llms.txt Illustrates the structure and syntax of Sigma rules in YAML format. ```APIDOC ## Sigma Rule Format Examples ### Description This section provides examples of Sigma rules written in YAML, showcasing different detection logic and log sources. ### Method YAML configuration files. ### Endpoint N/A (Rule Files) ### Parameters N/A ### Request Example ```yaml # rules/sigma/suspicious_process.yml title: Suspicious Process - Whoami Execution id: a1b2c3d4-e5f6-7890-abcd-ef1234567890 status: experimental description: Detects execution of whoami (demo rule). author: Detection Team logsource: category: process_creation product: linux detection: selection: Image|endswith: '/whoami' condition: selection level: low --- # Multi-selection rule with AND logic (Windows) title: Whoami with /all switch id: d4f5e6b2-3c7a-4e1b-9f2a-123456789abc logsource: category: process_creation product: windows detection: selection_img: Image|endswith: '\whoami.exe' selection_cmd: CommandLine|contains: ' /all' condition: selection_img and selection_cmd level: low --- # Network rule using CIDR and port matching title: Outbound to RFC5737 Test Range logsource: category: network_connection detection: selection: DestinationIp|cidr: '203.0.113.0/24' DestinationPort: '443' condition: selection level: medium ``` ### Response N/A (These are rule definitions, not API responses.) ``` -------------------------------- ### Build and Run Ignored Smoke Tests Source: https://github.com/karib0u/rustinel/blob/main/docs/development.md Build the example target for smoke tests and then run them, including ignored tests. These may require administrator rights. ```bash cargo build --locked --example memory_target ``` ```bash cargo test --locked --test yara_memory -- --include-ignored ``` ```bash cargo test --locked --test active_response -- --include-ignored ``` -------------------------------- ### Windows Upgrade: Replace Binary In Place Source: https://github.com/karib0u/rustinel/blob/main/docs/operations.md Stop the Rustinel service, replace the executable with a new version, and then restart the service. This is for upgrades where the installation directory remains the same. ```powershell Set-Location C:\Rustinel .\rustinel.exe service stop Copy-Item C:\Staging\rustinel.exe .\rustinel.exe -Force .\rustinel.exe service start ``` -------------------------------- ### IOC File Format Example Source: https://github.com/karib0u/rustinel/blob/main/docs/detection.md Illustrates the format for IOC indicator files, including comments, empty lines, optional comments, hash formats, and domain/path regex matching rules. ```text # Lines beginning with # or // are comments. # Empty lines are ignored. # ;comment suffixes are optional. # Hashes are auto-detected by length as MD5, SHA1, or SHA256. # Domain entries without a leading . are exact matches. # Domain entries with a leading . match the suffix and all subdomains. # Domain entries with a leading *. are normalized to suffix matching. # Path regexes are compiled case-insensitive. 203.0.113.1;C2 endpoint .example.org;Suspicious zone ^/tmp/evil(/.*)?;Linux staging path ``` -------------------------------- ### IOC Indicator File Formats Source: https://context7.com/karib0u/rustinel/llms.txt Examples of plain-text indicator files for hashes, IPs/CIDRs, domains, and path regexes. Supports comments and auto-detection of hash types. ```text # rules/ioc/hashes.txt # MD5 0c2674c3a97c53082187d930efb645c2;Mimikatz variant # SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855;Empty file sentinel # rules/ioc/ips.txt 203.0.113.1;C2 endpoint 198.51.100.0/24;Suspicious CIDR block # rules/ioc/domains.txt evil.example.org;exact match only .badzone.example;suffix match - all subdomains *.malware.example;also suffix match (normalized) # rules/ioc/paths_regex.txt ^/tmp/[a-z]{6,12}$;Linux staging path pattern \\AppData\\Roaming\[A-Z]{8}\.exe$;Windows dropper pattern ``` -------------------------------- ### Example config.toml for Rustinel Source: https://github.com/karib0u/rustinel/blob/main/docs/configuration.md This TOML file demonstrates how to configure various aspects of Rustinel, including scanner settings, reload behavior, logging, alerts, response actions, network aggregation, and Indicators of Compromise (IOC) detection. Ensure paths are platform-appropriate. ```toml [scanner] sigma_enabled = true sigma_rules_path = "rules/sigma" yara_enabled = true yara_rules_path = "rules/yara" # Memory scanning is off by default. # yara_memory_enabled = false # yara_memory_delay_ms = 750 # yara_memory_max_process_mb = 64 # yara_memory_max_region_mb = 8 # yara_memory_include_private = true # yara_memory_include_image = false # yara_memory_include_mapped = false [reload] enabled = true debounce_ms = 2000 [logging] level = "info" directory = "logs" filename = "rustinel.log" console_output = true [alerts] directory = "logs" filename = "alerts.json" match_debug = "off" [response] enabled = false prevention_enabled = false min_severity = "critical" channel_capacity = 128 allowlist_images = [] [network] aggregation_enabled = true aggregation_max_entries = 20000 aggregation_interval_buffer_size = 50 [ioc] enabled = true hashes_path = "rules/ioc/hashes.txt" ips_path = "rules/ioc/ips.txt" domains_path = "rules/ioc/domains.txt" paths_regex_path = "rules/ioc/paths_regex.txt" default_severity = "high" max_file_size_mb = 50 ``` -------------------------------- ### Example Log Message for Administrator Privileges Required (Windows) Source: https://github.com/karib0u/rustinel/blob/main/docs/troubleshooting.md This log message indicates that Rustinel requires Administrator privileges to access ETW providers on Windows. ```text This application requires Administrator privileges Please run as Administrator to access ETW providers ``` -------------------------------- ### Run Rustinel Agent on Windows Source: https://context7.com/karib0u/rustinel/llms.txt Starts the Rustinel agent in foreground mode on Windows. Use `--console` for stdout output and `--log-level` to override the default log level. ```powershell .\rustinel.exe run --console ``` ```powershell .\rustinel.exe run --log-level trace ``` -------------------------------- ### Rustinel Operational Log Example Source: https://github.com/karib0u/rustinel/blob/main/docs/output.md Operational logs provide runtime state and troubleshooting information. The message text is representative of the content, though field rendering may vary. ```text 9:00 PM INFO rustinel: Rustinel v1.0.0 (Linux eBPF) 9:00 PM INFO rustinel: Loading Sigma rules 9:00:01 PM INFO rustinel: YARA scanner initialized 9:00:05 PM INFO engine: Sigma detection triggered 9:00:05 PM INFO response: Active response would terminate process pid=4242 image="/usr/bin/whoami" dry_run=true ``` -------------------------------- ### YARA Rules for File and Memory Scanning Source: https://context7.com/karib0u/rustinel/llms.txt Example YARA rules for detecting specific strings and patterns in files and memory. Rules are compiled at startup and can be hot-reloaded. ```yara // rules/yara/example_test_string.yar rule ExampleMarkerString { strings: $a = "RUSTINEL_TEST_MARKER" ascii wide condition: $a } // rules/yara/suspicious_powershell.yar rule SuspiciousPowerShellDownload { meta: description = "Detects PowerShell download cradle patterns" severity = "high" strings: $iwr = "Invoke-WebRequest" ascii wide nocase $iwrn = "IWR " ascii wide nocase $dnld = "DownloadString" ascii wide nocase $exec = "IEX(" ascii wide nocase condition: any of ($iwr, $iwrn, $dnld) and $exec } ``` -------------------------------- ### Run Rustinel Agent on Linux Source: https://context7.com/karib0u/rustinel/llms.txt Starts the Rustinel agent in foreground mode on Linux. Requires root or eBPF capabilities. Use `--log-level` to override the default log level. ```bash sudo ./rustinel run ``` ```bash sudo ./rustinel run --log-level debug ``` -------------------------------- ### Filebeat Input for Rustinel Alerts Source: https://github.com/karib0u/rustinel/blob/main/docs/output.md Example Filebeat configuration to ingest Rustinel's NDJSON alert logs. Ensure the path matches your Rustinel log directory. ```yaml filebeat.inputs: - type: filestream paths: - /opt/rustinel/logs/alerts.json.* parsers: - ndjson: target: "" ``` -------------------------------- ### systemd Service Management Commands Source: https://github.com/karib0u/rustinel/blob/main/docs/operations.md Commands to reload the systemd daemon, enable, start, and check the status of the Rustinel service. Ensure the systemd unit file is correctly configured. ```bash sudo systemctl daemon-reload ``` ```bash sudo systemctl enable rustinel ``` ```bash sudo systemctl start rustinel ``` ```bash sudo systemctl status rustinel ``` -------------------------------- ### Configure Windows Service Paths in TOML Source: https://github.com/karib0u/rustinel/blob/main/docs/configuration.md Set scanner and logging directory paths for a Windows service installation using TOML format. Ensure paths are correctly escaped for Windows. ```toml [scanner] sigma_rules_path = "C:\\Rustinel\\rules\\sigma" yara_rules_path = "C:\\Rustinel\\rules\\yara" [logging] directory = "C:\\Rustinel\\logs" [alerts] directory = "C:\\Rustinel\\logs" ``` -------------------------------- ### Example Log Message for eBPF Sensor Failure (Linux) Source: https://github.com/karib0u/rustinel/blob/main/docs/troubleshooting.md This log message indicates a failure to load the eBPF object on Linux, often due to kernel version or BTF availability. ```text eBPF object load failed — ensure BTF is available and kernel is 5.8+ ``` -------------------------------- ### Compile and Run Rustinel from Source on Linux Source: https://github.com/karib0u/rustinel/blob/main/docs/getting-started.md Clone the repository, build the release binary using Cargo, and then run it with sudo privileges. Mount tracefs and debugfs if startup fails. ```bash git clone https://github.com/Karib0u/rustinel.git cd rustinel cargo build --release sudo ./target/release/rustinel run ``` ```bash mount -t tracefs tracefs /sys/kernel/tracing mount -t debugfs debugfs /sys/kernel/debug ``` -------------------------------- ### Compile and Run Rustinel from Source on Windows Source: https://github.com/karib0u/rustinel/blob/main/docs/getting-started.md Clone the repository, build the release binary using Cargo, and then run it from the target directory. ```powershell git clone https://github.com/Karib0u/rustinel.git cd rustinel cargo build --release .\target\release\rustinel.exe run --console ``` -------------------------------- ### Build Rustinel from Source (Linux) Source: https://context7.com/karib0u/rustinel/llms.txt Instructions for cloning the Rustinel repository, building a release binary for Linux (x86_64 musl static), and running the agent. ```bash # Linux (x86_64 musl static binary) git clone https://github.com/Karib0u/rustinel.git cd rustinel cargo build --release sudo ./target/release/rustinel run ``` -------------------------------- ### Set Scanner Sigma Rules Path via Environment Variable (Bash) Source: https://github.com/karib0u/rustinel/blob/main/docs/configuration.md Configure the path to Sigma rules for the scanner using Bash environment variables. This example sets a path for a Linux installation. ```bash export EDR__SCANNER__SIGMA_RULES_PATH=/opt/rustinel/rules/sigma ``` -------------------------------- ### Build and Run YARA Demo in Bash Source: https://context7.com/karib0u/rustinel/llms.txt Command to build and execute the bundled YARA demo, which triggers the `ExampleMarkerString` rule. Expected log output format is provided. ```bash # Build and run the bundled YARA demo target (triggers ExampleMarkerString) rustc ./examples/yara_demo.rs -o ./examples/yara_demo ./examples/yara_demo # Expected alert in logs/alerts.json.: # {"rule.name":"ExampleMarkerString","edr.rule.engine":"Yara","edr.rule.severity":"Critical",...} ``` -------------------------------- ### Rustinel Engine Usage Source: https://context7.com/karib0u/rustinel/llms.txt Demonstrates how to initialize the Sigma engine, load rules from a directory, and check events against loaded rules. ```APIDOC ## Rustinel Engine Usage ### Description This section shows how to create a Sigma engine, load rules, and process events. ### Method Rust code examples demonstrating API calls. ### Endpoint N/A (SDK Usage) ### Parameters N/A ### Request Example ```rust use rustinel::engine::Engine; use rustinel::models::{MatchDebugLevel, NormalizedEvent, EventCategory, EventFields, ProcessCreationFields}; use rustinel::sensor::Platform; // Build a Linux engine with debug-level match metadata in alerts let mut engine = Engine::new_for_platform_with_logging_level_and_match_debug( Platform::Linux, "info", MatchDebugLevel::Summary, ); // Load all .yml rules from a directory (recursive) engine.load_rules("rules/sigma").expect("failed to load Sigma rules"); let stats = engine.stats(); println!("Loaded {} rules across {} logsource families", stats.total_rules, stats.rules_by_logsource.len() ); // Construct a normalized process_creation event let event = NormalizedEvent { timestamp: "2025-06-01T12:00:00Z".to_string(), platform: Platform::Linux, provider: "ebpf".to_string(), category: EventCategory::Process, event_id: 1, event_id_string: "1".to_string(), opcode: 1, fields: EventFields::ProcessCreation(ProcessCreationFields { image: Some("/usr/bin/whoami".to_string()), command_line: Some("whoami".to_string()), process_id: Some("4242".to_string()), user: Some("root".to_string()), parent_image: Some("/usr/bin/bash".to_string()), parent_command_line: Some("/usr/bin/bash -i".to_string()), ..Default::default() }), process_context: None, }; // Evaluate against all loaded rules if let Some(alert) = engine.check_event(&event) { println!("Detection: {} [severity={{:?}}]", alert.rule_name, alert.severity); } ``` ### Response #### Success Response (Console Output) - Prints the number of loaded rules and logsource families. - Prints detection alerts if any rules match the event. #### Response Example ``` Loaded 2 rules across 1 logsource families Detection: Example - Whoami Execution (Linux) [severity=Low] ``` ``` -------------------------------- ### IOC Hash Hit Alert Example (ECS NDJSON) Source: https://context7.com/karib0u/rustinel/llms.txt Example of an alert triggered by an Indicator of Compromise (IOC) hash match, formatted in ECS NDJSON. ```json // IOC hash hit alert { "@timestamp": "2025-06-01T12:00:10Z", "ecs.version": "9.3.0", "event.kind": "alert", "event.category": ["process"], "event.type": ["start"], "event.module": "edr", "event.provider": "ebpf", "rule.name": "IOC Match: MD5", "edr.rule.severity": "High", "edr.rule.engine": "Ioc", "process.executable": "/tmp/malware" } ``` -------------------------------- ### Build and Run Rustinel on Windows Source: https://context7.com/karib0u/rustinel/llms.txt Instructions for cloning the Rustinel repository and building a release binary on Windows using PowerShell. Requires Visual Studio Build Tools. ```powershell # Windows (elevated PowerShell, requires Visual Studio Build Tools) git clone https://github.com/Karib0u/rustinel.git cd rustinel cargo build --release .\target\release\rustinel.exe run --console ``` -------------------------------- ### Windows Process Alert Example (ECS NDJSON) Source: https://github.com/karib0u/rustinel/blob/main/docs/output.md Example of a security alert in ECS NDJSON format for a Windows process event. This format is used for detections and is compatible with SIEM systems. ```json { "@timestamp": "T21:00:05Z", "ecs.version": "9.3.0", "event.kind": "alert", "event.category": ["process"], "event.type": ["start"], "event.action": "process-start", "event.code": "1", "event.module": "edr", "event.dataset": "edr.process", "event.provider": "etw", "rule.name": "Example - Whoami Execution (CommandLine + Image)", "edr.rule.severity": "Low", "edr.rule.engine": "Sigma", "host.os.type": "windows", "host.os.family": "windows", "process.executable": "C:\\Windows\\System32\\whoami.exe", "process.command_line": "whoami /all" } ``` -------------------------------- ### Build and Run Rustinel from Source on Linux Source: https://github.com/karib0u/rustinel/blob/main/README.md Build the Rustinel release using cargo and then run the executable with sudo. ```bash cargo build --release sudo ./target/release/rustinel run ``` -------------------------------- ### Linux Process Alert Example (ECS NDJSON) Source: https://github.com/karib0u/rustinel/blob/main/docs/output.md Example of a security alert in ECS NDJSON format for a Linux process event. This format is used for detections and is compatible with SIEM systems. ```json { "@timestamp": "T21:00:05Z", "ecs.version": "9.3.0", "event.kind": "alert", "event.category": ["process"], "event.type": ["start"], "event.action": "process-start", "event.code": "1", "event.module": "edr", "event.dataset": "edr.process", "event.provider": "ebpf", "rule.name": "Example - Whoami Execution (Linux)", "edr.rule.severity": "Low", "edr.rule.engine": "Sigma", "host.os.type": "linux", "host.os.family": "linux", "process.executable": "/usr/bin/whoami", "process.name": "whoami", "user.name": "root" } ``` -------------------------------- ### Build and Run Rustinel from Source on Windows Source: https://github.com/karib0u/rustinel/blob/main/README.md Build the Rustinel release using cargo and then run the executable from the target directory. ```powershell cargo build --release .\target\release\rustinel.exe run --console ``` -------------------------------- ### Run Rustinel Demo on Linux Source: https://github.com/karib0u/rustinel/blob/main/README.md Navigate to the Rustinel directory and run the agent. Inspect alerts generated by the demo rules. ```bash cd rustinel--x86_64-unknown-linux-musl sudo ./rustinel run whoami cat logs/alerts.json.* ``` -------------------------------- ### Run Rustinel Demo on Windows Source: https://github.com/karib0u/rustinel/blob/main/README.md Navigate to the Rustinel directory and run the agent in console mode. Inspect alerts generated by the demo rules. ```powershell cd .\rustinel--x86_64-pc-windows-msvc .aseline.exe run --console whoami /all type .\logs\alerts.json.* ``` -------------------------------- ### Recommended Dev Run (Linux) Source: https://github.com/karib0u/rustinel/blob/main/docs/development.md Run the application on Linux. Requires root privileges or appropriate capabilities. ```bash sudo cargo run -- run ``` -------------------------------- ### Linux eBPF Object Build Source: https://github.com/karib0u/rustinel/blob/main/docs/development.md Rebuild the eBPF object from source if needed. This involves installing nightly Rust, the rust-src component, and the bpf-linker tool. ```bash rustup toolchain install nightly rustup component add rust-src --toolchain nightly cargo install bpf-linker cd ebpf cargo +nightly build --release --bin rustinel-ebpf cp target/bpfel-unknown-none/release/rustinel-ebpf rustinel-ebpf.o cd .. ``` -------------------------------- ### IocEngine::load and IocEngine::check_event Source: https://context7.com/karib0u/rustinel/llms.txt Demonstrates loading IOC configurations, checking events against loaded indicators, and matching computed file hashes. ```APIDOC ## IocEngine::load and IocEngine::check_event `IocEngine::load(cfg)` reads four indicator files (hashes, IPs/CIDRs, domains, path regexes) and compiles them into lookup structures. `check_event(event)` performs inline domain, IP, and path-regex matching on every `NormalizedEvent`. `match_hashes(computed)` checks pre-computed file digests against loaded hash IOCs. Both return `Vec`. ```rust use rustinel::ioc::IocEngine; use rustinel::config::IocConfig; use std::path::PathBuf; let cfg = IocConfig { enabled: true, hashes_path: PathBuf::from("rules/ioc/hashes.txt"), ips_path: PathBuf::from("rules/ioc/ips.txt"), domains_path: PathBuf::from("rules/ioc/domains.txt"), paths_regex_path: PathBuf::from("rules/ioc/paths_regex.txt"), default_severity: "high".to_string(), max_file_size_mb: 50, hash_allowlist_paths: vec!["/usr/bin/".to_string()], }; let engine = IocEngine::load(&cfg); let stats = engine.stats(); println!("IOC stats: {} MD5, {} SHA256, {} IPs, {} domains, {} path regexes", stats.md5, stats.sha256, stats.ip, stats.domain_exact + stats.domain_suffix, stats.path_regex); // Inline domain/IP/path-regex check on a normalized event let matches = engine.check_event(&event); for m in &matches { println!("IOC match: {:?} indicator={}", m.kind, m.indicator); // Output: IOC match: Domain indicator=evil.example.org } // Background hash check (called from the hash worker after computing file digests) use rustinel::ioc::ComputedHashes; let hashes = ComputedHashes { md5: Some("0c2674c3a97c53082187d930efb645c2".to_string()), sha1: None, sha256: Some("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855".to_string()), }; let hash_matches = engine.match_hashes(&hashes); if !hash_matches.is_empty() { println!("Hash IOC hit on executable"); } ``` ``` -------------------------------- ### Extract Rustinel Release Package on Windows Source: https://github.com/karib0u/rustinel/blob/main/README.md Download the Windows release package and extract it. Then, navigate to the extracted directory and run the agent. ```text rustinel--x86_64-pc-windows-msvc.zip ``` ```powershell cd .\rustinel--x86_64-pc-windows-msvc .aseline.exe run --console whoami /all ``` -------------------------------- ### Active Response Log Messages Source: https://github.com/karib0u/rustinel/blob/main/docs/active-response.md Examples of log messages generated by the active response engine, indicating would-be terminations, actual terminations, and skipped actions due to allowlisting. ```text response: Active response would terminate process pid=4242 image="/tmp/evil" dry_run=true response: Active response terminated process pid=4242 image="/tmp/evil" response: Active response skipped: allowlisted pid=4321 image="/usr/bin/bash" ``` -------------------------------- ### Load Sigma Rules and Check Events with Rustinel Engine Source: https://context7.com/karib0u/rustinel/llms.txt Initializes a Rustinel Sigma engine for Linux with debug logging, loads rules from a specified directory, and checks a sample process creation event against the loaded rules. Ensure Sigma rules are present in the 'rules/sigma' directory. ```rust use rustinel::engine::Engine; use rustinel::models::{MatchDebugLevel, NormalizedEvent, EventCategory, EventFields, ProcessCreationFields}; use rustinel::sensor::Platform; // Build a Linux engine with debug-level match metadata in alerts let mut engine = Engine::new_for_platform_with_logging_level_and_match_debug( Platform::Linux, "info", MatchDebugLevel::Summary, ); // Load all .yml rules from a directory (recursive) engine.load_rules("rules/sigma").expect("failed to load Sigma rules"); let stats = engine.stats(); println!("Loaded {} rules across {} logsource families", stats.total_rules, stats.rules_by_logsource.len() ); // Output: Loaded 2 rules across 1 logsource families // Construct a normalized process_creation event let event = NormalizedEvent { timestamp: "2025-06-01T12:00:00Z".to_string(), platform: Platform::Linux, provider: "ebpf".to_string(), category: EventCategory::Process, event_id: 1, event_id_string: "1".to_string(), opcode: 1, fields: EventFields::ProcessCreation(ProcessCreationFields { image: Some("/usr/bin/whoami".to_string()), command_line: Some("whoami".to_string()), process_id: Some("4242".to_string()), user: Some("root".to_string()), parent_image: Some("/usr/bin/bash".to_string()), parent_command_line: Some("/usr/bin/bash -i".to_string()), ..Default::default() }), process_context: None, }; // Evaluate against all loaded rules if let Some(alert) = engine.check_event(&event) { println!("Detection: {} [severity={:?}]", alert.rule_name, alert.severity); // Output: Detection: Example - Whoami Execution (Linux) [severity=Low] } ``` -------------------------------- ### Set Allowlist Paths via Environment Variable (Bash) Source: https://github.com/karib0u/rustinel/blob/main/docs/configuration.md Specify paths to be excluded from scanning or other operations by setting the EDR__ALLOWLIST__PATHS environment variable in Bash. This example includes Linux paths. ```bash export EDR__ALLOWLIST__PATHS='["/usr/bin/", "/usr/sbin/"]' ``` -------------------------------- ### Windows Active Response Configuration Source: https://github.com/karib0u/rustinel/blob/main/docs/active-response.md Configure Rustinel's active response engine for Windows, including allowlisted paths and minimum severity. ```toml [allowlist] paths = [ "C:\\Windows\\", "C:\\Program Files\\", "C:\\Program Files (x86)\", ] [response] enabled = true prevention_enabled = false min_severity = "critical" allowlist_images = [] ``` -------------------------------- ### Set Allowlist Paths via Environment Variable (PowerShell) Source: https://github.com/karib0u/rustinel/blob/main/docs/configuration.md Specify paths to be excluded from scanning or other operations by setting the EDR__ALLOWLIST__PATHS environment variable in PowerShell. This example includes Windows paths. ```powershell $env:EDR__ALLOWLIST__PATHS='["C:\\Windows\", "C:\\Program Files\\"]' ``` -------------------------------- ### Recommended Dev Run (Windows) Source: https://github.com/karib0u/rustinel/blob/main/docs/development.md Run the application with console output enabled on Windows. ```powershell cargo run -- run --console ``` -------------------------------- ### Basic CLI Usage Source: https://github.com/karib0u/rustinel/blob/main/docs/cli.md The fundamental structure for invoking Rustinel commands and options. Running without a command defaults to 'run'. ```text rustinel [COMMAND] [OPTIONS] ``` -------------------------------- ### Run Rustinel Tests Source: https://context7.com/karib0u/rustinel/llms.txt Command to execute the test suite for Rustinel. ```bash # Run tests cargo test ``` -------------------------------- ### Run Rustinel in Foreground with Debug Logging (Windows) Source: https://github.com/karib0u/rustinel/blob/main/docs/troubleshooting.md Use this command to run Rustinel in the foreground with detailed debug logs for troubleshooting startup or operational issues on Windows. ```bash .\rustinel.exe run --console --log-level debug ``` -------------------------------- ### Linux Active Response Configuration Source: https://github.com/karib0u/rustinel/blob/main/docs/active-response.md Configure Rustinel's active response engine for Linux, including allowlisted paths and minimum severity. ```toml [allowlist] paths = [ "/usr/bin/", "/usr/sbin/", ] [response] enabled = true prevention_enabled = false min_severity = "critical" allowlist_images = [] ``` -------------------------------- ### Verify First Alert on Windows (Sigma Demo) Source: https://github.com/karib0u/rustinel/blob/main/docs/getting-started.md Execute the 'whoami /all' command in an elevated PowerShell to trigger a Sigma rule and check for an alert in the logs. ```powershell whoami /all ``` -------------------------------- ### Verify First Alert on Linux (Sigma Demo) Source: https://github.com/karib0u/rustinel/blob/main/docs/getting-started.md Execute the 'whoami' command to trigger a Sigma rule and check for an alert in the logs. ```bash whoami ``` -------------------------------- ### Load and Check IOCs with IocEngine in Rust Source: https://context7.com/karib0u/rustinel/llms.txt Configure and load IOC indicators using `IocConfig`. Use `IocEngine::load` to compile indicators and `check_event` for inline matching. `match_hashes` is for background file hash verification. ```rust use rustinel::ioc::IocEngine; use rustinel::config::IocConfig; use std::path::PathBuf; let cfg = IocConfig { enabled: true, hashes_path: PathBuf::from("rules/ioc/hashes.txt"), ips_path: PathBuf::from("rules/ioc/ips.txt"), domains_path: PathBuf::from("rules/ioc/domains.txt"), paths_regex_path: PathBuf::from("rules/ioc/paths_regex.txt"), default_severity: "high".to_string(), max_file_size_mb: 50, hash_allowlist_paths: vec!["/usr/bin/".to_string()], }; let engine = IocEngine::load(&cfg); let stats = engine.stats(); println!("IOC stats: {} MD5, {} SHA256, {} IPs, {} domains, {} path regexes", stats.md5, stats.sha256, stats.ip, stats.domain_exact + stats.domain_suffix, stats.path_regex); // Inline domain/IP/path-regex check on a normalized event let matches = engine.check_event(&event); for m in &matches { println!("IOC match: {:?} indicator={}", m.kind, m.indicator); // Output: IOC match: Domain indicator=evil.example.org } // Background hash check (called from the hash worker after computing file digests) use rustinel::ioc::ComputedHashes; let hashes = ComputedHashes { md5: Some("0c2674c3a97c53082187d930efb645c2".to_string()), sha1: None, sha256: Some("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855".to_string()), }; let hash_matches = engine.match_hashes(&hashes); if !hash_matches.is_empty() { println!("Hash IOC hit on executable"); } ``` -------------------------------- ### YARA Rules Demo Source: https://context7.com/karib0u/rustinel/llms.txt Demonstrates how to use YARA rules for file and memory scanning, including building and running a demo target. ```APIDOC ## YARA Rules: file and memory scanning YARA rules are standard `.yar` or `.yara` files placed at the top level of `scanner.yara_rules_path` (non-recursive). Rustinel compiles them at startup and again on hot-reload. Every process-start event queues the executable path to a background file scanner. When `scanner.yara_memory_enabled = true`, process IDs are also queued to a memory scanner that reads private regions after a configurable delay. ```yara // rules/yara/example_test_string.yar rule ExampleMarkerString { strings: $a = "RUSTINEL_TEST_MARKER" ascii wide condition: $a } // rules/yara/suspicious_powershell.yar rule SuspiciousPowerShellDownload { meta: description = "Detects PowerShell download cradle patterns" severity = "high" strings: $iwr = "Invoke-WebRequest" ascii wide nocase $iwrn = "IWR " ascii wide nocase $dnld = "DownloadString" ascii wide nocase $exec = "IEX(" ascii wide nocase condition: any of ($iwr, $iwrn, $dnld) and $exec } ``` ```bash # Build and run the bundled YARA demo target (triggers ExampleMarkerString) rustc ./examples/yara_demo.rs -o ./examples/yara_demo ./examples/yara_demo # Expected alert in logs/alerts.json.: # {"rule.name":"ExampleMarkerString","edr.rule.engine":"Yara","edr.rule.severity":"Critical",...} ``` ``` -------------------------------- ### Run Basic Cargo Commands Source: https://github.com/karib0u/rustinel/blob/main/CONTRIBUTING.md Use these commands for quick checks and tests. 'cargo check' is for fast syntax and type checking, while 'cargo test' runs the full test suite. ```sh cargo check # fast syntax + type check ``` ```sh cargo test # run the test suite ``` ```sh cargo clippy --all-targets -- -D clippy::all ``` ```sh cargo fmt --all ``` -------------------------------- ### Linux Upgrade: Rebuild From Source And Restart Source: https://github.com/karib0u/rustinel/blob/main/docs/operations.md Upgrade Rustinel on Linux by rebuilding from source code and then restarting the systemd service. This is suitable when you have the source code available. ```bash cd /opt/src/rustinel git pull cargo build --release sudo install -m 0755 ./target/release/rustinel /opt/rustinel/rustinel sudo systemctl restart rustinel ``` -------------------------------- ### Run Rustinel in Foreground with Debug Logging (Linux) Source: https://github.com/karib0u/rustinel/blob/main/docs/troubleshooting.md Use this command to run Rustinel in the foreground with detailed debug logs for troubleshooting startup or operational issues on Linux. ```bash sudo ./rustinel run --log-level debug ``` -------------------------------- ### Configure Rustinel Active Response Source: https://context7.com/karib0u/rustinel/llms.txt Enable active response and set minimum severity. Ensure `prevention_enabled` is false for initial dry-run validation. ```toml [response] enabled = true prevention_enabled = false # flip to true after validating dry-run output min_severity = "critical" channel_capacity = 128 allowlist_images = [ "sshd", "systemd", "systemd-journald", # Linux "smss.exe", "csrss.exe", "lsass.exe", # Windows ] # allowlist_paths inherits [allowlist].paths when empty ``` -------------------------------- ### Run All Tests Source: https://github.com/karib0u/rustinel/blob/main/docs/development.md Execute all unit and integration tests. The `--locked` flag ensures consistent dependency versions. ```bash cargo test --locked ``` -------------------------------- ### Extract Rustinel Release Package on Linux Source: https://github.com/karib0u/rustinel/blob/main/README.md Extract the appropriate Linux release archive for your architecture. Navigate to the extracted directory and run the agent. ```text rustinel--x86_64-unknown-linux-musl.tar.gz ustinel--aarch64-unknown-linux-musl.tar.gz ``` ```bash tar xzf rustinel--x86_64-unknown-linux-musl.tar.gz cd rustinel--x86_64-unknown-linux-musl sudo ./rustinel run whoami ``` -------------------------------- ### Linux Upgrade: eBPF-Only Iteration Source: https://github.com/karib0u/rustinel/blob/main/docs/operations.md For development cycles focusing on eBPF changes, rebuild only the eBPF object and run the main Rustinel binary with an override for the eBPF object path. This avoids rebuilding the entire userspace binary. ```bash cd /opt/src/rustinel/ebpf cargo +nightly build --release --bin rustinel-ebpf cp target/bpfel-unknown-none/release/rustinel-ebpf rustinel-ebpf.o cd /opt/src/rustinel sudo env RUSTINEL_EBPF_OBJECT=$PWD/ebpf/rustinel-ebpf.o ./target/release/rustinel run ``` -------------------------------- ### Run Rustinel with Elevated Privileges (Bash) Source: https://github.com/karib0u/rustinel/blob/main/docs/configuration.md Execute the Rustinel executable using sudo in Bash. This is often required for system-level operations on Linux. ```bash sudo /opt/rustinel/rustinel run ``` -------------------------------- ### Linux Upgrade: Release Binary Upgrade Source: https://github.com/karib0u/rustinel/blob/main/docs/operations.md Upgrade Rustinel on Linux by replacing the existing binary with a newly downloaded release binary and restarting the systemd service. ```bash sudo install -m 0755 ./rustinel /opt/rustinel/rustinel sudo systemctl restart rustinel ```