
Introduction:
The cybersecurity world is often a fragmented mess of proprietary tools, especially when it comes to endpoint detection for mixed Windows and Linux environments. Rustinel, a Rust-based open-source EDR, is emerging as a powerful, transparent alternative, unifying telemetry collection via ETW on Windows and eBPF on Linux into a single, hackable detection pipeline that outputs ECS NDJSON alerts ready for your SIEM.
Learning Objectives:
- Deploy and configure the Rustinel agent on both Windows and Linux systems from the official source.
- Learn to write and integrate a custom Sigma rule for behavioral detection and forward alerts to a Splunk SIEM.
- Understand how to use Rustinel’s three detection engines (Sigma, YARA, IOC) for a layered defense strategy.
You Should Know:
1. Deploying Rustinel: A Cross-Platform Installation Guide
Rustinel is designed for quick deployment. The following commands will get the agent running and generating its first test alert on both Windows and Linux. The official release archives include a config.toml, demo rules, and an empty `logs/` directory.
Step‑by‑step guide explaining what this does and how to use it.
- On Linux: the install script fetches the latest release archive and, with `--run`, starts the agent. `sudo ./rustinel run whoami` runs the agent, executes `whoami` under it, and trips the bundled demo rule, producing the first alert. Piping a remote script straight into `sh` executes whatever the server returns, so on anything but a throwaway VM use the second form and read the script first.

```bash
# Download and run the install script
curl -fsSL https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.sh | sh -s -- --run

# Alternatively, inspect the script first
curl -fsSLO https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.sh
less install.sh
sh install.sh --run

# Navigate to the extracted directory and run the agent
sudo ./rustinel run whoami

# View the generated alert (alerts are written to a per-day file, as in the Splunk step)
cat logs/alerts.json.$(date +%Y-%m-%d)
```
- On Windows (PowerShell as Administrator): the PowerShell script automates the same installation, and `.\rustinel.exe run whoami /all` generates the test alert. `-ExecutionPolicy Bypass` lifts the script-signing policy for this one invocation only; read the downloaded script before running it.

```powershell
# Download the installation script
Invoke-WebRequest https://raw.githubusercontent.com/Karib0u/rustinel/main/scripts/install/install.ps1 -OutFile install-rustinel.ps1

# Run the script with the -Run flag
powershell -ExecutionPolicy Bypass -File .\install-rustinel.ps1 -Run

# Navigate to the extracted directory and run the agent
.\rustinel.exe run whoami /all

# View the alert file
Get-Content .\logs\alerts.json
```
2. Integrating with a SIEM: Forwarding Alerts to Splunk
Rustinel’s ECS NDJSON alerts are designed for easy ingestion into any SIEM. This guide demonstrates setting up a local Splunk instance using the provided Docker demo to forward and search alerts.
This process uses a Docker container to run Splunk, configures an HTTP Event Collector (HEC), and then uses a Python script to send Rustinel’s alert file to Splunk.
– Step 1: Navigate to the Splunk demo directory.
cd examples/siem/splunk
– Step 2: Start the Splunk container.
docker compose up -d
– Step 3: Run the Python script to send alerts. Replace the path with your actual `alerts.json` file.
python3 send-alerts.py /path/to/rustinel/logs/alerts.json.$(date +%Y-%m-%d)
– Step 4: Open the Splunk web interface at `http://localhost:8000` and log in with the demo credentials `admin` / `ChangeMe123!`. These are demo defaults: change the password, and do not expose the web port or the HEC listener beyond localhost.
– Step 5: Search for alerts. In the Splunk search bar, enter:
index=main source=rustinel sourcetype=_json event.kind=alert
- Verification: After running the agent and triggering a test event (e.g., `whoami` on Linux), you should see the alert in your Splunk search results.
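The shipped `send-alerts.py` does the forwarding for you; the block below is an added example, not the project's script, showing what such a forwarder has to get right: read the NDJSON line by line, keep only `event.kind == alert`, resolve ECS dotted field names against the nested document (the same `event.kind`, `rule.name` and `host.name` fields the architecture section points at), wrap each alert in a HEC envelope, and skip a malformed line instead of dropping the whole batch. The HEC URL, the `HEC_TOKEN` environment variable and the sample alert lines are assumptions and constructed data, not taken from the page.

```python
"""Forward Rustinel-style ECS NDJSON alerts to a Splunk HTTP Event Collector.

Added example, not the project's send-alerts.py. Assumptions (not from the
page): HEC listens on https://localhost:8088/services/collector/event, the
token comes from the HEC_TOKEN environment variable, and the demo container
uses a self-signed certificate. SAMPLE_NDJSON is constructed test data.
"""
import json
import os
import ssl
import sys
import urllib.request

# Constructed sample: two alerts, one non-alert telemetry line, one broken line
SAMPLE_NDJSON = "\n".join([
    json.dumps({"@timestamp": "2026-06-10T12:00:00Z", "event": {"kind": "alert"},
                "rule": {"name": "Demo Rule"}, "host": {"name": "lnx-01"}}),
    json.dumps({"@timestamp": "2026-06-10T12:00:01Z", "event": {"kind": "event"},
                "host": {"name": "lnx-01"}}),
    "{not json",
    json.dumps({"@timestamp": "2026-06-10T12:00:02Z", "event": {"kind": "alert"},
                "rule": {"name": "Netstat Network Enumeration"},
                "host": {"name": "win-01"}}),
])


def get_path(doc, dotted, default=None):
    """Resolve an ECS dotted field name such as 'event.kind' in nested dicts."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def build_hec_events(ndjson_text, source="rustinel", sourcetype="_json"):
    """Parse NDJSON, keep event.kind == alert, wrap each in a HEC envelope.

    Malformed lines are counted and skipped so one bad line cannot drop a
    day's alerts. Returns (events, skipped_count).
    """
    events, skipped = [], 0
    for raw in ndjson_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            doc = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if get_path(doc, "event.kind") != "alert":
            continue
        events.append({
            "source": source,
            "sourcetype": sourcetype,
            "host": get_path(doc, "host.name", "unknown"),
            "event": doc,  # the whole ECS document becomes Splunk's _raw
        })
    return events, skipped


def hec_batch_body(events):
    """HEC accepts several JSON objects concatenated in one request body."""
    return "\n".join(json.dumps(e) for e in events).encode()


def send_to_hec(events, url, token, verify_tls=True):
    """POST one batch to HEC; raises on HTTP errors. Network call, not tested."""
    req = urllib.request.Request(url, data=hec_batch_body(events), method="POST")
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for the self-signed demo certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_NDJSON
    batch, skipped = build_hec_events(text)
    print(f"{len(batch)} alerts ready, {skipped} malformed lines skipped")
    if path and os.environ.get("HEC_TOKEN"):
        print(send_to_hec(batch, "https://localhost:8088/services/collector/event",
                          os.environ["HEC_TOKEN"], verify_tls=False))
```

Run it with no arguments to see the parsing behaviour on the constructed sample; pass an alert file path and set `HEC_TOKEN` to actually ship a batch. Keeping the whole ECS document under `event` (rather than flattening it) is what makes the `event.kind=alert` search in Step 5 work unchanged.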
3. Writing Your First Sigma Rule
Sigma rules provide a platform-agnostic way to define behavioral detection logic. Rustinel’s detection engine consumes these rules directly.
This guide creates a simple Sigma rule to detect the execution of `netstat` with the `-ano` flags, a common enumeration technique.
– Step 1: Create a new YAML file for the rule. Name it `netstat_enumeration.yml` in your Sigma rules directory.
– Step 2: Add the rule content. The rule defines a log source (process_creation) and a selection condition to match the command line.
```yaml
title: Netstat Network Enumeration
id: 12345678-1234-1234-1234-123456789abc
status: experimental
description: Detects execution of netstat with -ano flags for network enumeration.
author: Your Name
date: 2026-06-10
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    CommandLine|contains|all:
      - 'netstat'
      - '-ano'
  condition: selection
level: medium
```

The `id` shown is a placeholder; Sigma rule IDs must be unique UUIDs, so generate a fresh one before sharing the rule. `contains|all` requires every listed substring to appear in `CommandLine`, so `netstat -an` does not match, while `netstat -anop` does.
– Step 3: Reference the rule in your Rustinel config.toml. Update the `sigma_rules_path` to point to the directory containing your new rule.
```toml
sigma_rules_path = "/path/to/your/sigma/rules"
```
– Step 4: Restart or hot-reload Rustinel for the changes to take effect. The engine supports hot-reloading, so a restart may not be necessary.
– Step 5: Test the detection. The rule is scoped to `product: windows`, so run `netstat -ano` on a monitored Windows endpoint and check the alerts log for a matching entry.
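To see what the rule above actually matches before loading it into the agent, here is an added example (not Rustinel's Sigma engine) of a minimal matcher: it implements the `contains`, `startswith`, `endswith` and `all` modifiers with Sigma's default case-insensitive comparison, evaluates `and`/`or`/`not` conditions, and gates on the rule's `logsource` product. It goes one step past the page by also showing a `selection and not filter` suppression. `NETSTAT_RULE` is the page's rule as a YAML parser would load it; the filtered variant, the `product` tag on events and the sample events are constructed assumptions.

```python
"""Minimal Sigma-style matcher over Sysmon-named process_creation events.
Added example, not Rustinel's engine: supports the contains/startswith/
endswith/all modifiers with Sigma's case-insensitive matching and and/or/not
conditions. NETSTAT_RULE is the text's rule as PyYAML would parse it; the
filtered variant and the sample events are constructed."""

NETSTAT_RULE = {
    "title": "Netstat Network Enumeration",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"CommandLine|contains|all": ["netstat", "-ano"]},
                  "condition": "selection"},
}
# Same selection plus a suppression block (constructed, not from the page).
NETSTAT_RULE_FILTERED = {
    "title": "Netstat Network Enumeration (filtered)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {"selection": {"CommandLine|contains|all": ["netstat", "-ano"]},
                  "filter": {"ParentImage|endswith": "\\monitoring_agent.exe"},
                  "condition": "selection and not filter"},
}
# Constructed events; 'product' stands in for the agent's OS tag (assumption).
EVENTS = [
    {"product": "windows", "CommandLine": "NETSTAT -ano",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"product": "windows", "CommandLine": "netstat -an",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"product": "windows", "CommandLine": "netstat -ano",
     "ParentImage": r"C:\Program Files\Vendor\monitoring_agent.exe"},
    {"product": "linux", "CommandLine": "netstat -ano", "ParentImage": "/bin/bash"},
]


def match_value(field_value, pattern, modifiers):
    """One field against one pattern; Sigma compares case-insensitively."""
    if field_value is None:
        return False
    hay, needle = str(field_value).lower(), str(pattern).lower()
    if "contains" in modifiers:
        return needle in hay
    if "startswith" in modifiers:
        return hay.startswith(needle)
    if "endswith" in modifiers:
        return hay.endswith(needle)
    return hay == needle


def match_selection(selection, event):
    """Keys in a selection are AND-ed; list values are OR-ed unless 'all'."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        hits = [match_value(event.get(field), p, modifiers) for p in values]
        if not (all(hits) if "all" in modifiers else any(hits)):
            return False
    return True


def eval_condition(condition, results):
    """Recursive-descent evaluation of 'a and not (b or c)' over named results."""
    tokens = condition.replace("(", " ( ").replace(")", " ) ").split()
    pos = 0

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def primary():
        tok = take()
        if tok == "(":
            val = expr_or()
            take()  # closing parenthesis
            return val
        return (not primary()) if tok == "not" else results[tok]

    def expr_and():
        val = primary()
        while peek() == "and":
            take()
            val = primary() and val  # right operand is consumed even if val is False
        return val

    def expr_or():
        val = expr_and()
        while peek() == "or":
            take()
            val = expr_and() or val
        return val

    return expr_or()


def rule_matches(rule, event):
    """Gate on logsource product (assumed agent behaviour), then evaluate."""
    product = rule.get("logsource", {}).get("product")
    if product and event.get("product") != product:
        return False
    det = rule["detection"]
    results = {n: match_selection(s, event) for n, s in det.items() if n != "condition"}
    return eval_condition(det["condition"], results)


def run(rules, events):
    """Return (rule title, event index) for every hit."""
    return [(r["title"], i) for r in rules for i, e in enumerate(events)
            if rule_matches(r, e)]


if __name__ == "__main__":
    for title, i in run([NETSTAT_RULE, NETSTAT_RULE_FILTERED], EVENTS):
        print(f"{title}: event {i} {EVENTS[i]['CommandLine']!r}")
```

Event 0 shows the case-insensitive match, event 1 shows `all` rejecting `netstat -an`, event 2 shows the filter suppressing a known parent process, and event 3 shows the Linux event being dropped by the `product: windows` gate. If you want the rule to fire on Linux too, change `product` rather than expecting the same rule file to cover both.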
4. Leveraging Detection Packs: From Essentials to Hunting
Rustinel organizes detection content into curated packs, making it easy to scale your coverage. These packs are versioned, tested, and can be loaded directly into the engine.
The official `rustinel-rules` repository provides packs for Windows, Linux, and macOS at different confidence levels. This guide shows how to use the Essential pack for low-noise, high-confidence detections.
– Step 1: Clone the `rustinel-rules` repository.
```bash
git clone https://github.com/Karib0u/rustinel-rules.git
cd rustinel-rules
```
– Step 2: Build the packs. The repository uses a Python script to validate and build the detection packs.
```bash
uv sync
uv run python tools/validate.py
uv run python tools/build_packs.py
```
– Step 3: Configure Rustinel to use a specific pack. The built packs will be in the `dist/` directory. Point your `config.toml` to the appropriate folders for Sigma, YARA, and IOC rules. For example, for the Windows Essential pack:
```toml
sigma_rules_path = "dist/windows-essential/rules/sigma"
yara_rules_path = "dist/windows-essential/rules/yara"

hashes_path = "dist/windows-essential/rules/ioc/hashes.txt"
ips_path = "dist/windows-essential/rules/ioc/ips.txt"
domains_path = "dist/windows-essential/rules/ioc/domains.txt"
paths_regex_path = "dist/windows-essential/rules/ioc/paths_regex.txt"
```

(The keys belong under the tables used by the shipped `config.toml`; the two groups above are the rule-path and IOC-path settings.)
- Step 4: Run Rustinel with the new configuration. The engine will load the content from the specified pack and begin detecting threats accordingly.
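The four IOC files in the pack are the third, lowest-cost detection layer. As an added example, not Rustinel's IOC engine, the block below shows how such lists are consumed against a normalized event: exact hash lookups, IP membership including CIDR ranges, domain matching that also catches subdomains, and regex matching on the process image path. The line format (one indicator per line, `#` comments), the list contents and the events are assumptions I constructed; check the real pack files for their actual conventions.

```python
"""IOC-list matcher (added example, not Rustinel's IOC engine). Assumed list
format, which the page does not specify: one indicator per line, '#' comments
and blank lines ignored, ips.txt may contain CIDR ranges, paths_regex.txt holds
one Python-style regex per line. Indicators and events below are constructed."""
import ipaddress
import re

HASHES_TXT = """# constructed entry: the SHA-256 of the empty string, used as a stand-in
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""
IPS_TXT = "198.51.100.7\n203.0.113.0/24\n"
DOMAINS_TXT = "# constructed C2 domain\nbad.example\n"
PATHS_REGEX_TXT = r"""(?i)^c:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$
^/tmp/\.[^/]+/
"""


def load_lines(text):
    """Strip blanks and '#' comments: the assumed one-indicator-per-line format."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


class IocSet:
    def __init__(self, hashes, ips, domains, paths_regex):
        self.hashes = {h.lower() for h in load_lines(hashes)}
        # strict=False tolerates host bits set in a CIDR entry such as 10.0.0.1/24
        self.networks = [ipaddress.ip_network(ip, strict=False) for ip in load_lines(ips)]
        self.domains = {d.lower().rstrip(".") for d in load_lines(domains)}
        self.paths = [re.compile(p) for p in load_lines(paths_regex)]

    def match(self, event):
        """Return (indicator type, indicator) pairs that hit this event."""
        hits = []
        # Sysmon-style 'Hashes' field: "SHA256=...,MD5=..."; compare case-insensitively
        for part in event.get("Hashes", "").split(","):
            _algo, _, value = part.partition("=")
            if value.lower() in self.hashes:
                hits.append(("hash", value.lower()))
        ip = event.get("DestinationIp")
        if ip:
            try:
                addr = ipaddress.ip_address(ip)
                hits += [("ip", str(n)) for n in self.networks if addr in n]
            except ValueError:
                pass  # malformed address in telemetry must not crash the matcher
        host = event.get("DestinationHostname", "").lower().rstrip(".")
        for d in self.domains:  # exact match or any subdomain of a listed domain
            if host == d or host.endswith("." + d):
                hits.append(("domain", d))
        image = event.get("Image", "")
        hits += [("path", rx.pattern) for rx in self.paths if rx.search(image)]
        return hits


EVENTS = [  # constructed normalized events
    {"Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "Hashes": "SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
    {"Image": "/usr/bin/curl", "DestinationIp": "203.0.113.77",
     "DestinationHostname": "cdn.bad.example."},
    {"Image": "/usr/bin/ssh", "DestinationIp": "not-an-ip",
     "DestinationHostname": "notbad.example"},
]

if __name__ == "__main__":
    iocs = IocSet(HASHES_TXT, IPS_TXT, DOMAINS_TXT, PATHS_REGEX_TXT)
    for i, ev in enumerate(EVENTS):
        print(i, iocs.match(ev))
```

Two details matter in practice: the domain check requires a leading dot so `notbad.example` does not match `bad.example`, and a malformed IP in telemetry is swallowed rather than allowed to take down the matcher, which is exactly the kind of input a detection engine sees at scale.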
5. Understanding Rustinel’s Architecture: ETW, eBPF, and the Detection Engine
Rustinel’s power lies in its transparent, four-stage pipeline: Collect, Normalize, Detect, Alert. This architecture ensures that every byte of telemetry follows the same path from kernel to SIEM.
– Stage 1: Collect. On Windows, Rustinel taps into ETW providers such as `Kernel-Process` and `Kernel-Network`. On Linux, eBPF programs attach to tracepoints and kprobes. To verify that the eBPF hooks attach on Linux, run the agent with verbose logging:
sudo RUST_LOG=debug ./rustinel run
– Stage 2: Normalize. Raw events from both platforms are transformed into a single `NormalizedEvent` model using Sysmon-style field names.
– Stage 3: Detect. The normalized event is evaluated inline through the Sigma engine and IOC matcher. Process-start events are queued for YARA scanning by background workers. You can monitor rule evaluation in real-time by setting `match_debug: full` in your Sigma rule.
– Stage 4: Alert. Detection hits are written as ECS-shaped NDJSON to disk, making them immediately usable by any SIEM. To understand the alert structure, examine a sample file:
head -1 logs/alerts.json.$(date +%Y-%m-%d) | jq .
This command will pretty-print the first JSON alert, showing fields like event.kind, rule.name, and host.name.
6. Active Response and Mitigation: From Detection to Action
Rustinel can optionally terminate malicious processes, closing the detection-to-response loop. This functionality includes a dry-run mode and allowlists to prevent disruption of trusted applications.
– Step 1: Configure active response in config.toml.
```toml
enabled = true
dry_run = true  # start with dry-run to test without actually killing processes
allowlist_paths = ["/usr/bin/trusted_app", 'C:\Program Files\Trusted']
```

Note the single quotes around the Windows entry: in a TOML basic (double-quoted) string, `\P` and `\T` are invalid escapes and the file fails to parse, so use a literal (single-quoted) string or double the backslashes.
– Step 2: Run Rustinel. With dry_run = true, the agent will log which processes it would terminate without actually taking action.
– Step 3: Review the logs to ensure no false positives. After validation, set `dry_run = false` to enable active termination. Allowlist exact binary paths wherever you can: an allowlisted directory exempts anything executed from it, including a payload dropped there.
– Step 4: Monitor for effectiveness. Check the alerts log for `active_response` entries that indicate when a process was terminated.
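The decision logic behind those four steps fits in a few functions. The block below is an added example, not Rustinel's implementation: it applies `enabled`, `dry_run` and `allowlist_paths` from a config that mirrors the keys above, normalizes paths before comparing them (resolving `..`, and folding case and separators on Windows), and puts the tempting `startswith()` allowlist next to a boundary-aware one so you can see why `/usr/bin/trusted_app_evil` must not be exempted. The kill primitive is injected, the `os` tag on events and the events themselves are constructed, and nothing is terminated when you run it.

```python
"""Active-response policy: dry-run, allowlist, and the decision to terminate.
Added example, not Rustinel's code; the config mirrors the keys in the text,
events are constructed, and the kill primitive is injected so nothing is
killed here. Also shows why a plain startswith() allowlist is unsafe."""
import ntpath
import posixpath

CONFIG = {
    "enabled": True,
    "dry_run": True,
    # the TOML literal string keeps Windows backslashes; a Python raw string here
    "allowlist_paths": ["/usr/bin/trusted_app", r"C:\Program Files\Trusted"],
}


def normalize(path, windows):
    """Canonical form: resolve '..' and, on Windows, fold case and separators."""
    if windows:
        return ntpath.normcase(ntpath.normpath(path))
    return posixpath.normpath(path)


def naive_allowlisted(image, allowlist):
    """The tempting one-liner: '/usr/bin/trusted_app_evil' slips through."""
    return any(image.startswith(entry) for entry in allowlist)


def is_allowlisted(image, allowlist, windows=False):
    """Exact path match, or a file inside an allowlisted directory (boundary-aware)."""
    sep = "\\" if windows else "/"
    img = normalize(image, windows)
    for entry in allowlist:
        ent = normalize(entry, windows)
        if img == ent or img.startswith(ent.rstrip(sep) + sep):
            return True
    return False


def decide(event, cfg):
    """Map one alert to an action string; never kills anything itself."""
    if not cfg.get("enabled"):
        return "disabled"
    windows = event.get("os") == "windows"
    if is_allowlisted(event["Image"], cfg.get("allowlist_paths", []), windows):
        return "allowlisted"
    return "would_terminate" if cfg.get("dry_run", True) else "terminate"


def respond(event, cfg, terminate):
    """Apply the decision; terminate(pid) is the injected kill primitive."""
    action = decide(event, cfg)
    if action == "terminate":
        terminate(event["ProcessId"])
    return action


EVENTS = [  # constructed alerts with Sysmon-style fields plus an 'os' tag
    {"os": "linux", "Image": "/usr/bin/trusted_app", "ProcessId": 101},
    {"os": "linux", "Image": "/usr/bin/trusted_app_evil", "ProcessId": 102},
    {"os": "linux", "Image": "/usr/bin/../bin/trusted_app", "ProcessId": 103},
    {"os": "windows", "Image": r"c:\program files\trusted\agent.exe", "ProcessId": 104},
    {"os": "windows", "Image": r"C:\Program Files\TrustedNot\x.exe", "ProcessId": 105},
]

if __name__ == "__main__":
    killed = []
    for ev in EVENTS:
        print(ev["Image"], "->", respond(ev, CONFIG, killed.append))
    print("killed:", killed)  # stays empty while dry_run = true
```

Flip `dry_run` to `False` in `CONFIG` and re-run to see event 102 move from `would_terminate` to `terminate` while the three allowlisted images stay untouched; that is the same transition Step 3 asks you to make only after reviewing the dry-run log.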
What Undercode Say:
- Key Takeaway 1: Rustinel is a masterclass in transparent, open-source security, proving that you don’t need a black-box commercial EDR to achieve robust endpoint detection. By unifying ETW and eBPF telemetry into a single Rust codebase, it empowers blue teams to truly understand and control their detection pipeline.
- Key Takeaway 2: The project’s architecture, with its three parallel detection engines (Sigma, YARA, IOC) and hot-reloadable rules, makes it an ideal platform for detection engineering and threat hunting. However, its user-mode design is a conscious trade-off: while it avoids the stability risks of kernel drivers, it cannot provide the same level of tamper resistance or deep kernel visibility as commercial solutions. This makes it a powerful tool for environments where stability and transparency are prioritized over absolute, low-level protection.
Prediction:
- +1 Rustinel is poised to become a foundational tool for security researchers and open-source advocates, driving innovation in detection engineering and lowering the barrier to entry for EDR technology.
- -1 In its current form, Rustinel is not a replacement for mature commercial EDRs in high-risk environments due to its user-mode limitations and potential vulnerability to telemetry-tampering and kernel-level threats.
- +1 The project’s open nature and support for community detection formats will likely accelerate the development of high-quality, cross-platform Sigma rules and YARA signatures, benefiting the entire cybersecurity ecosystem.
Reported By: Theofchr Opensource – Hackers Feeds