Open-source endpoint detection for Windows, Linux, and macOS.
Native telemetry → Sigma / YARA / IOC detection → SIEM-ready alerts. Written in Rust.
Website · Docs · Download · SIEM demos
Rustinel ships as a single binary with bundled demo rules. Install it, trigger a test command, and read the alert.
Linux & macOS:

```sh
curl -fsSL https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.sh | sh -s -- --run
```

Windows, from an elevated PowerShell:

```powershell
Invoke-WebRequest https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.ps1 -OutFile install-rustinel.ps1
powershell -ExecutionPolicy Bypass -File .\install-rustinel.ps1 -Run
```

With the agent running, fire the bundled demo rule; it is the same command on every platform:

```sh
whoami
```

Your alert lands in logs/alerts.json.<date> as ECS NDJSON, ready to ship straight to a SIEM.
Prefer to read before you run? Download the install script and inspect it, or grab a binary from the latest release. The installer only pulls published release binaries — it never builds from source. macOS support is experimental and needs root plus an Endpoint Security entitlement; see Getting Started.
A transparent endpoint detection engine you can read, run, test, and extend — no black box.
- Native telemetry — ETW on Windows, eBPF on Linux, Endpoint Security + /dev/bpf on macOS, normalized into one shared event model.
- Three detection layers — Sigma for behavior, YARA for files and memory, IOC matching for hashes, IPs, domains, and path regexes.
- Reuse community rules — bring existing Sigma and YARA rules instead of rewriting them into a proprietary format.
- SIEM-ready output — ECS 9.4.0 NDJSON alerts that drop into Elastic, Splunk, and friends.
- Operational basics — hot-reload for rules and IOCs, optional active response with dry-run + allowlists, Windows service and launchd support.
| Platform | Sensor | Telemetry | Status |
|---|---|---|---|
| Windows 10/11, Server 2016+ | ETW | Process, image load, network, file, registry, DNS, PowerShell, WMI, service, task | Stable |
| Linux 5.8+ (BTF) | eBPF | Process, network, file, DNS | Stable |
| macOS 11+ | Endpoint Security + /dev/bpf | Process, file, network, DNS | Experimental |
Windows coverage is the broadest today; Linux and macOS focus on process, network, file, and DNS. macOS is experimental while the project awaits the Endpoint Security entitlement. Full notes in the platform docs.
```text
ETW (Windows) · eBPF (Linux) · ESF + /dev/bpf (macOS)
                        │
             Normalized event model
                        │
        ┌───────────────┼───────────────┐
      Sigma           YARA             IOC
    behavior         files +      hashes, IPs,
      rules          memory       domains, paths
        └───────────────┼───────────────┘
                        │
                ECS NDJSON alerts
                        │
            Optional active response
```
See the detection docs for rule authoring, YARA memory scanning, and IOC formats.
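The pipeline above in miniature, and the shape of the NDJSON line the quick start tells you to look for in logs/alerts.json.<date>: an added example, not Rustinel's code. A Sigma-style rule (written as a dict so the example runs without PyYAML; real Sigma rules are YAML) is evaluated over constructed, normalized process events, and each hit is emitted as an ECS-shaped NDJSON alert. The normalized event field names, the subset of Sigma modifiers implemented, the placeholder rule id, and the exact ECS fields chosen for the alert are all assumptions; Rustinel's real event model and alert schema are in the detection docs.

```python
"""Toy Sigma-style evaluation producing ECS-shaped NDJSON alerts.

Added example, not Rustinel code. The normalized event shape, the subset of
Sigma modifiers supported, and the ECS fields emitted are assumptions.
"""
import json

# Sigma rule as a dict rather than YAML so the example runs without PyYAML.
# Mirrors the bundled demo in spirit: flag execution of whoami, except by SYSTEM.
DEMO_RULE = {
    "title": "Whoami Execution (demo)",
    "id": "00000000-0000-4000-8000-000000000001",  # placeholder, not a real rule id
    "level": "low",
    "logsource": {"category": "process_creation"},
    "detection": {
        "selection": {"Image|endswith": ["/whoami", "\\whoami.exe"]},
        "filter_system": {"User": "SYSTEM"},
        "condition": "selection and not filter_system",
    },
}


def _match_value(actual, modifier, expected):
    """Apply one Sigma value modifier. Sigma string matching is case-insensitive."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    return a == e  # no modifier: exact (case-insensitive) match


def _match_selection(selection, event):
    """A selection map is AND across keys; a list of values for one key is OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], modifier, v) for v in values):
            return False
    return True


def evaluate(rule, event):
    """Support the conditions 'X' and 'X and not Y'; enough for this demo rule."""
    det = rule["detection"]
    tokens = det["condition"].split()
    if len(tokens) == 1:
        return _match_selection(det[tokens[0]], event)
    if len(tokens) == 4 and tokens[1:3] == ["and", "not"]:
        return (_match_selection(det[tokens[0]], event)
                and not _match_selection(det[tokens[3]], event))
    raise ValueError(f"unsupported condition: {det['condition']}")


def to_ecs_alert(rule, event):
    """Map a hit onto ECS fields a SIEM already understands (assumed field choice)."""
    return {
        "@timestamp": event["ts"],
        "event": {"kind": "alert", "category": ["process"], "type": ["start"]},
        "rule": {"name": rule["title"], "id": rule["id"], "category": "sigma"},
        "host": {"name": event["host"]},
        "user": {"name": event["User"]},
        "process": {"executable": event["Image"], "command_line": event["CommandLine"]},
    }


# Constructed sample events in an assumed normalized shape (Sigma field names).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "host": "ws01", "User": "alice",
     "Image": "/usr/bin/whoami", "CommandLine": "whoami"},
    {"ts": "2024-05-01T10:00:01Z", "host": "ws02", "User": "bob",
     "Image": "C:\\Windows\\System32\\WHOAMI.EXE", "CommandLine": "whoami /all"},
    {"ts": "2024-05-01T10:00:02Z", "host": "ws02", "User": "SYSTEM",
     "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami"},
    {"ts": "2024-05-01T10:00:03Z", "host": "ws01", "User": "alice",
     "Image": "/usr/bin/ls", "CommandLine": "ls -la"},
]


def run_pipeline(rule, events):
    """Return one compact NDJSON line per alert, as a SIEM shipper would read them."""
    return [json.dumps(to_ecs_alert(rule, e), separators=(",", ":"))
            for e in events if evaluate(rule, e)]


if __name__ == "__main__":
    for line in run_pipeline(DEMO_RULE, SAMPLE_EVENTS):
        print(line)
```

Two of the four constructed events produce alerts: the Linux and Windows whoami runs by ordinary users. The SYSTEM run is suppressed by the filter, and the mixed-case WHOAMI.EXE still matches because Sigma comparisons are case-insensitive, which is the usual reason a hand-rolled IOC or grep-based check misses what a Sigma engine catches.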
The bundled rules just prove the pipeline works. For real coverage, load curated content from rustinel-rules — the official, versioned, CI-tested detection repository.
rustinel → the engine that collects telemetry and evaluates rules
rustinel-rules → the Sigma / YARA / IOC packs it loads (no conversion step)
Each pack materializes into folders you point config.toml straight at. Browse the pack catalog to get started.
Use it for detection engineering, rule development and testing, blue-team labs, cross-platform detection research, and SIEM pipeline validation.
It is not a drop-in replacement for a mature commercial EDR. Rustinel does not provide kernel-level self-protection, pre-execution blocking, or anti-tamper guarantees, and a sufficiently privileged attacker may interfere with user-mode telemetry. It is a transparent detection engine — not a managed response platform.
```sh
cargo build --release
sudo ./target/release/rustinel run   # macOS also needs codesigning with the ESF entitlement, see docs
```

Full prerequisites, macOS signing steps, and validation: Getting Started.
Website · Docs home · Getting Started · Configuration · Detection · Architecture · Operations · Troubleshooting · FAQ · Detection rules · Roadmap
Testing, feedback, and detection ideas are all welcome — see CONTRIBUTING.md.