Open-source endpoint detection for Windows, Linux, and macOS.
Native telemetry to Sigma, YARA, IOC detection, and SIEM-ready alerts. Written in Rust.
Website | Docs | Download | SIEM demos
Rustinel ships release archives with a binary, default config, demo rules, and a
logs/ directory.
Windows - test from PowerShell:
irm https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.ps1 | iexThen deploy from an elevated PowerShell and diagnose the managed installation:
rustinel setup --yes
rustinel doctorThe Windows release binary requires the x64 Microsoft Visual C++ Redistributable. See Getting Started if the process exits before printing output.
Linux - test, deploy, and diagnose:
curl -fsSL https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.sh | sh -s -- --run
sudo rustinel setup --yes
rustinel doctormacOS (experimental)
curl -fsSL https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.sh | sh
cd rustinelmacOS requires a one-time Full Disk Access approval before Endpoint Security can start. Follow the Getting Started macOS notes before using it beyond a first test.
sudo ./rustinel runAfter Full Disk Access is granted, deploy and diagnose the managed installation:
sudo ./rustinel setup --yes
./rustinel doctorWith the agent running, trigger the bundled demo rule:
whoamiAlerts are written to logs/alerts.json.<date> as ECS NDJSON.
Prefer to inspect first? Download the install script or a package from the latest release. Installers only download published release binaries.
A transparent endpoint detection engine you can read, run, test, and extend.
- Native telemetry: ETW on Windows, eBPF on Linux, Endpoint Security and
/dev/bpfon macOS. - Detection formats: Sigma for behavior, YARA for files and memory, IOC matching for hashes, IPs, domains, and path regexes.
- Rule reuse: bring existing Sigma and YARA rules instead of rewriting them into a proprietary format.
- SIEM output: ECS 9.4.0 NDJSON alerts for Elastic, Splunk, and other log pipelines.
- Operations: hot reload for rules and IOCs, optional active response on Windows and Linux only; macOS is detection-only today. Includes Windows service support and launchd packaging notes.
| Platform | Sensor | Telemetry | Status |
|---|---|---|---|
| Windows 10/11, Server 2016+ | ETW | Process, image load, network, file, registry, DNS, PowerShell, WMI, service, task | Stable |
| Linux 5.8+ (BTF) | eBPF | Process, network, file, DNS | Stable |
| macOS 11+ | Endpoint Security + /dev/bpf |
Process, file, network, DNS | Experimental |
Windows coverage is the broadest today. Linux and macOS focus on process, network, file, and DNS telemetry. macOS remains experimental. Current gaps are listed in Limitations.
ETW (Windows) | eBPF (Linux) | ESF + /dev/bpf (macOS)
│
Normalized event model
│
┌───────────────┼───────────────┐
Sigma YARA IOC
behavior files + hashes, IPs,
rules memory domains, paths
└───────────────┼───────────────┘
│
ECS NDJSON alerts
│
Optional active response
See the detection docs for rule authoring, YARA memory scanning, and IOC formats.
The bundled rules only prove that the pipeline works. For real coverage, load curated content from rustinel-rules, the official versioned detection repository.
rustinel -> the engine that collects telemetry and evaluates rules
rustinel-rules -> the Sigma, YARA, and IOC packs it loads
Each pack materializes into folders you point config.toml straight at. Browse the pack catalog to get started.
Use it for detection engineering, rule development and testing, blue-team labs, cross-platform detection research, and SIEM pipeline validation.
It is not a drop-in replacement for a mature commercial EDR. Rustinel does not provide kernel-level self-protection, pre-execution blocking, anti-tamper guarantees, or managed response. A sufficiently privileged attacker may interfere with user-mode telemetry.
cargo build --release
sudo ./target/release/rustinel runmacOS requires the app-like signed bundle described in Getting Started.
Website | Docs home | Getting Started | Configuration | Detection | Architecture | Operations | Troubleshooting | FAQ | Detection rules | Roadmap
Testing, feedback, and detection ideas are welcome. See CONTRIBUTING.md.

