Releases: Karib0u/rustinel

Rustinel v1.0.0

16 Apr 16:21

Rustinel v1.0.0

v1.0.0 is the first official stable release of Rustinel.

This release brings official Linux support alongside Windows, with a shared cross-platform detection pipeline. Rustinel collects host telemetry through ETW on Windows and eBPF on Linux, normalizes events into one model, evaluates Sigma, YARA, and IOC detections, writes ECS 9.3.0 NDJSON alerts, and can optionally terminate malicious processes.

Highlights

  • First official stable Rustinel release
  • Official Windows support via ETW
  • Official Linux support via eBPF
  • Shared detection pipeline across both platforms
  • Sigma, YARA, and IOC detection support
  • Hot reload for Sigma, YARA, and IOC files
  • Expanded documentation for setup, operations, troubleshooting, and architecture
  • Updated CI/CD and release packaging for Windows x86_64, Linux x86_64, and Linux arm64

Downloads

Platform Architecture Package
Windows x86_64 rustinel-1.0.0-x86_64-pc-windows-msvc.zip
Linux x86_64 rustinel-1.0.0-x86_64-unknown-linux-musl.tar.gz
Linux arm64 rustinel-1.0.0-aarch64-unknown-linux-musl.tar.gz

Checksums are available in rustinel-1.0.0-checksums-sha256.txt.

What Changed

  • Added a Linux eBPF sensor with process, network, file, and DNS telemetry
  • Split the sensor stack into explicit Windows and Linux paths while keeping one shared userspace engine
  • Improved normalization and rule handling so Windows and Linux events can be evaluated through the same detection model
  • Added platform-specific demo Sigma rules: rules/sigma/windows_whoami.yml and rules/sigma/linux_whoami.yml
  • Added rustinel.service for Linux deployments using systemd
  • Added new operator docs, including Operations, Troubleshooting, and FAQ guides
  • Updated the release workflow to lint, test, package, and publish all supported targets

Full Changelog: v0.4.0...v1.0.0

Rustinel v0.4.0

04 Mar 18:19

Release Notes — v0.4.0

What's new

Hot-reload for detection engines (src/reload/)

Rules and IOC feeds can now be updated on disk without restarting the agent. A background poller detects changes to Sigma rule files, YARA rule files, and IOC feed files. When a change is detected, a debounced worker rebuilds the affected engine and atomically swaps it in via arc-swap. Running detections are never interrupted — the swap is wait-free from the hot path's perspective.

Key properties:

  • Safety: empty reload results are rejected; the previous engine stays active if a rebuild produces zero rules/IOCs.
  • Configurable: reload.debounce_ms controls how long to wait before rebuilding after the last detected change (default: 2000 ms, minimum effective cadence: 2000 ms).
  • Opt-out: set reload.enabled = false in config.toml (or EDR__RELOAD__ENABLED=false) to disable entirely.

New config section (config.toml):

[reload]
enabled = true
debounce_ms = 2000

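The store-and-swap mechanism described above, as an added example that is not Rustinel's code: a std-only sketch of the same pattern (an RwLock-guarded Arc stands in for arc-swap, which is not assumed to be available), with the empty-rebuild rejection and a debounce timer driven by an injected clock so the quiet period is testable. The names DetectorStore and Debouncer, the one-rule-per-line file format and the loader are assumptions made for illustration.

```rust
use std::sync::{Arc, RwLock};
use std::time::{Duration, Instant};

/// Stand-in for a compiled detection engine. The real engines hold compiled
/// Sigma/YARA/IOC state; here an engine is just the rule titles it loaded.
#[derive(Debug, PartialEq)]
pub struct Engine {
    pub rules: Vec<String>,
}

/// Illustrative loader (assumption, not the project's Sigma parser):
/// one rule per non-empty line, '#' starts a comment.
pub fn build_engine(rules_text: &str) -> Engine {
    let rules = rules_text
        .lines()
        .map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .map(String::from)
        .collect();
    Engine { rules }
}

/// Holds the active engine. Readers clone the Arc, so a reload never blocks
/// or invalidates an evaluation already running against the old engine.
pub struct DetectorStore {
    current: RwLock<Arc<Engine>>,
}

impl DetectorStore {
    pub fn new(engine: Engine) -> Self {
        Self { current: RwLock::new(Arc::new(engine)) }
    }

    /// Hot-path snapshot: the lock is held only for the pointer copy.
    pub fn load(&self) -> Arc<Engine> {
        Arc::clone(&self.current.read().unwrap())
    }

    /// Swap in a rebuilt engine. A rebuild that produced zero rules is refused
    /// so a truncated or half-written file cannot silently blind the agent.
    pub fn try_swap(&self, rebuilt: Engine) -> Result<usize, String> {
        if rebuilt.rules.is_empty() {
            return Err("rebuild produced zero rules; keeping previous engine".to_string());
        }
        let count = rebuilt.rules.len();
        *self.current.write().unwrap() = Arc::new(rebuilt);
        Ok(count)
    }
}

/// Debounce timer: a burst of change notifications (editor temp files, rsync,
/// git checkout) collapses into one rebuild once the rules directory has been
/// quiet for `debounce_ms`, the role reload.debounce_ms plays above.
pub struct Debouncer {
    quiet_period: Duration,
    last_change: Option<Instant>,
}

impl Debouncer {
    pub fn new(debounce_ms: u64) -> Self {
        Self { quiet_period: Duration::from_millis(debounce_ms), last_change: None }
    }

    /// Record a change; every new change restarts the quiet period.
    pub fn note_change(&mut self, at: Instant) {
        self.last_change = Some(at);
    }

    /// True exactly once per burst, when the quiet period has elapsed.
    pub fn rebuild_due(&mut self, now: Instant) -> bool {
        match self.last_change {
            Some(t) if now.duration_since(t) >= self.quiet_period => {}
            _ => return false,
        }
        self.last_change = None;
        true
    }
}

fn main() {
    // Constructed rules files; titles are placeholders.
    let store = DetectorStore::new(build_engine("title: whoami_linux\ntitle: whoami_windows\n"));
    let in_flight = store.load(); // an evaluation in progress keeps the old engine alive
    // A bad rebuild (rules directory emptied mid-sync) is refused:
    assert!(store.try_swap(build_engine("# nothing here\n")).is_err());
    assert_eq!(store.load().rules.len(), 2);
    // A good rebuild is visible to new readers only:
    store.try_swap(build_engine("title: whoami_linux\n")).unwrap();
    assert_eq!(in_flight.rules.len(), 2);
    println!("active rules: {:?}", store.load().rules);
}
```

The rejection check is the part worth copying: a poller that fires while a feed is being rewritten will otherwise install an empty engine for one debounce window, which is exactly the blind spot an attacker who can touch the rules directory would want.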
YARA scan result cache (src/scanner/)

Repeated YARA scans of the same binary are now cached by file identity (path, size, mtime). Cache entries expire after 6 hours and the cache is capped at 10 000 entries. This avoids redundant full scans when the same process executable starts multiple times in a short window (e.g. shell spawns, service restarts).

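An added example, not the project's YaraScanCache, of the cache this paragraph describes and of the file identity cache the v0.3.0 hash worker uses for the same purpose: a std-only map keyed on path, size and mtime with a time-to-live and a least-recently-used capacity bound. The types, the verdict representation, the injected clock and the sample file are assumptions.

```rust
use std::collections::{HashMap, VecDeque};
use std::time::{Duration, Instant};

/// File identity as the release notes describe it: path, size and mtime.
/// A change to any of the three is a different key and forces a rescan.
#[derive(Clone, Debug, Hash, PartialEq, Eq)]
pub struct FileId {
    pub path: String,
    pub size: u64,
    pub mtime_secs: u64,
}

/// Cached scan verdict: names of the YARA rules that matched (empty = clean).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Verdict {
    pub matched_rules: Vec<String>,
}

struct Entry {
    verdict: Verdict,
    stored_at: Instant,
}

/// TTL plus capacity-bounded cache. `order` keeps the least recently used key
/// at the front; the O(n) reorder is fine at 10 000 entries, not at millions.
pub struct YaraScanCache {
    ttl: Duration,
    cap: usize,
    entries: HashMap<FileId, Entry>,
    order: VecDeque<FileId>,
}

impl YaraScanCache {
    pub fn new(ttl: Duration, cap: usize) -> Self {
        Self { ttl, cap, entries: HashMap::new(), order: VecDeque::new() }
    }

    fn touch(&mut self, id: &FileId) {
        if let Some(pos) = self.order.iter().position(|k| k == id) {
            self.order.remove(pos);
        }
        self.order.push_back(id.clone());
    }

    /// Cached verdict, or None on a miss or when the entry has aged out.
    /// The clock is passed in so expiry is testable without sleeping.
    pub fn get(&mut self, id: &FileId, now: Instant) -> Option<Verdict> {
        let expired = match self.entries.get(id) {
            None => return None,
            Some(e) => now.duration_since(e.stored_at) >= self.ttl,
        };
        if expired {
            self.entries.remove(id);
            self.order.retain(|k| k != id);
            return None;
        }
        self.touch(id);
        self.entries.get(id).map(|e| e.verdict.clone())
    }

    /// Store a verdict, evicting least recently used entries when at capacity.
    pub fn insert(&mut self, id: FileId, verdict: Verdict, now: Instant) {
        if !self.entries.contains_key(&id) {
            while self.entries.len() >= self.cap {
                match self.order.pop_front() {
                    Some(oldest) => {
                        self.entries.remove(&oldest);
                    }
                    None => break,
                }
            }
        }
        self.entries.insert(id.clone(), Entry { verdict, stored_at: now });
        self.touch(&id);
    }

    pub fn len(&self) -> usize {
        self.entries.len()
    }
}

fn main() {
    // Constructed: the same executable starting twice inside the TTL is scanned once.
    let mut cache = YaraScanCache::new(Duration::from_secs(6 * 3600), 10_000);
    let id = FileId { path: "/usr/bin/curl".into(), size: 261_000, mtime_secs: 1_700_000_000 };
    let now = Instant::now();
    if cache.get(&id, now).is_none() {
        cache.insert(id.clone(), Verdict { matched_rules: vec![] }, now); // the real scan goes here
    }
    println!("cache hit on second start: {}", cache.get(&id, now).is_some());
}
```

One caveat to keep in mind with any identity of this shape: size and mtime are under the control of whoever can write the file (touch -r on Linux, SetFileTime on Windows), so a replaced binary of equal size with its mtime reset hits the cached verdict until the TTL expires. A content hash closes that gap at the cost of the read the cache exists to avoid; the 6-hour TTL bounds how long a stale verdict can live.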
Changes

Area Change
src/reload/mod.rs New. DetectorStore, ReloadTarget, spawn_reload_worker, spawn_reload_poller
src/scanner/mod.rs Added YaraScanCache with TTL and LRU cap
src/config.rs Added ReloadConfig; Clone derived on all config structs
src/main.rs Wired DetectorStore; conditional reload worker/poller; IOC init moved earlier
config.toml Added [reload] section
Cargo.toml Added arc-swap = "1.7"
src/ioc/mod.rs HashRequirements now derives PartialEq, Eq
docs/ Configuration reference, architecture, and getting-started updated
README.md Feature list updated to reflect hot-reload and IOC detection

CI

cargo check   ✅  clean
cargo test    ✅  96 passed, 0 failed

Upgrade notes

No action required for existing deployments. The new [reload] section defaults to hot-reload enabled (debounce_ms = 2000); everything else behaves as before. To keep the previous static behavior, where rule and IOC files are read once at startup, add:

[reload]
enabled = false

Installation

  1. Download rustinel-0.4.0-x86_64-pc-windows-msvc.zip
  2. Extract to your desired location
  3. Review and customize config.toml
  4. Add Sigma rules to rules/sigma/
  5. Add YARA rules to rules/yara/
  6. Populate IOC templates in rules/ioc/ (hashes.txt, ips.txt, domains.txt, paths_regex.txt)
  7. Run as Administrator: .\rustinel.exe run

Requirements

  • Windows 10/11 or Server 2016+ (x64)
  • Administrator privileges (required for ETW access)
  • Rust runtime NOT required (statically linked binary)

Full Changelog: v0.3.1...v0.4.0

Rustinel v0.3.1

15 Feb 20:51
cdaa958

🚀 Rustinel v0.3.1

🎯 What's Changed

🔧 Maintenance & Dependencies

  • Upgraded core dependencies for improved security and compatibility

✨ Enhancements

  • Added IOC templates to release package

🔄 Breaking Changes

  • Removed support for named pipe events and related mappings from the detection engine and documentation

Installation

  1. Download rustinel-0.3.1-x86_64-pc-windows-msvc.zip
  2. Extract to your desired location
  3. Review and customize config.toml
  4. Add Sigma rules to rules/sigma/
  5. Add YARA rules to rules/yara/
  6. Populate IOC templates in rules/ioc/ (hashes.txt, ips.txt, domains.txt, paths_regex.txt)
  7. Run as Administrator: .\rustinel.exe run

Requirements

  • Windows 10/11 or Server 2016+ (x64)
  • Administrator privileges (required for ETW access)
  • Rust runtime NOT required (statically linked binary)

Full Changelog: v0.3.0...v0.3.1

Rustinel v0.3.0

13 Feb 18:27

v0.3.0 - IOC Engine, Detection Optimizations, and ECS 9.3.0 Output

Overview

Rustinel v0.3.0 introduces a full atomic IOC detection engine and ships major pipeline optimizations across Sigma, YARA, and enrichment paths. This release also upgrades alert output to ECS 9.3.0 with richer context fields.

Highlights

1. New Atomic IOC Detection Engine

New module: src/ioc/mod.rs

Supported indicator types:

  • Hashes (rules/ioc/hashes.txt): MD5/SHA1/SHA256 (auto-detected by length)
  • IP/CIDR (rules/ioc/ips.txt)
  • Domains (rules/ioc/domains.txt): exact match, or suffix match when the entry starts with . or *.
  • Path Regex (rules/ioc/paths_regex.txt): case-insensitive RegexSet

Detection behavior:

  • Domain/IP/path checks run inline on normalized events.
  • Hash checks run on process start in a dedicated blocking worker.
  • Hash worker enforces:
    • allowlist path skip
    • max_file_size_mb limit
    • file identity cache (path + size + mtime) to skip unchanged binaries

IOC file format:

  • # and // comments supported
  • value;comment inline annotations supported
  • Empty lines ignored

Alert behavior:

  • rule.name format: ioc:<type>:<indicator>
  • Engine: edr.rule.engine = "Ioc"
  • Severity from ioc.default_severity (default: high)
  • IOC comments/source metadata are included via rule.description

Note: files in rules/ioc/ are templates with format guidance, not populated threat feeds.

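A worked example, added here and not taken from src/ioc/mod.rs, that parses feeds in the file format just described and applies the three inline matchers: hash kind inferred from length, domain exact or suffix match, and IP/CIDR containment. The path-regex feed is left out because it needs the regex crate. The IPv4-only CIDR handling, the decision that a suffix entry does not match its own apex, the sample feeds (EICAR test-file hashes and RFC 5737 test ranges) and all type names are assumptions.

```rust
use std::collections::HashSet;
use std::net::Ipv4Addr;

/// One parsed feed line: the indicator and its optional ';' annotation.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Indicator { pub value: String, pub comment: Option<String> }

/// The documented format: '#' and '//' comment lines, blank lines ignored,
/// optional "value;comment" annotation (whitespace around ';' tolerated).
pub fn parse_ioc_file(text: &str) -> Vec<Indicator> {
    text.lines().filter_map(|raw| {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') || line.starts_with("//") { return None; }
        let (value, comment) = match line.split_once(';') {
            Some((v, c)) => (v.trim(), Some(c.trim().to_string())),
            None => (line, None),
        };
        if value.is_empty() { return None; }
        Some(Indicator { value: value.to_string(), comment })
    }).collect()
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum HashKind { Md5, Sha1, Sha256 }

/// Hash type inferred from hex length (32/40/64), as the notes state; non-hex is rejected.
pub fn hash_kind(h: &str) -> Option<HashKind> {
    if !h.chars().all(|c| c.is_ascii_hexdigit()) { return None; }
    match h.len() { 32 => Some(HashKind::Md5), 40 => Some(HashKind::Sha1), 64 => Some(HashKind::Sha256), _ => None }
}

/// "evil.example" matches that host only; ".evil.example" and "*.evil.example"
/// match any subdomain. Case and a trailing dot are ignored.
pub fn domain_matches(indicator: &str, host: &str) -> bool {
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    let ind = indicator.trim_end_matches('.').to_ascii_lowercase();
    match ind.strip_prefix("*.").or_else(|| ind.strip_prefix('.')) {
        Some(suffix) => host.ends_with(&format!(".{}", suffix)),
        None => host == ind,
    }
}

/// IPv4 network from "a.b.c.d" (a /32) or "a.b.c.d/len".
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Cidr4 { net: u32, mask: u32 }

pub fn parse_cidr4(s: &str) -> Option<Cidr4> {
    let (ip, len) = match s.split_once('/') {
        Some((ip, l)) => (ip, l.trim().parse::<u32>().ok()?),
        None => (s, 32),
    };
    if len > 32 { return None; }
    let addr: Ipv4Addr = ip.trim().parse().ok()?;
    let mask = if len == 0 { 0 } else { u32::MAX << (32 - len) };
    Some(Cidr4 { net: u32::from(addr) & mask, mask })
}

impl Cidr4 {
    pub fn contains(&self, ip: Ipv4Addr) -> bool { (u32::from(ip) & self.mask) == self.net }
}

/// In-memory IOC set built from the three feed files; malformed entries are dropped.
pub struct IocSet {
    hashes: HashSet<String>,            // lowercase hex, any kind
    domains: Vec<Indicator>,
    cidrs: Vec<(Cidr4, Indicator)>,
}

impl IocSet {
    pub fn load(hashes_txt: &str, ips_txt: &str, domains_txt: &str) -> Self {
        let hashes = parse_ioc_file(hashes_txt).into_iter()
            .filter(|i| hash_kind(&i.value).is_some())
            .map(|i| i.value.to_ascii_lowercase())
            .collect();
        let cidrs = parse_ioc_file(ips_txt).into_iter()
            .filter_map(|i| parse_cidr4(&i.value).map(|c| (c, i)))
            .collect();
        IocSet { hashes, domains: parse_ioc_file(domains_txt), cidrs }
    }
    pub fn hash_hit(&self, hex: &str) -> bool { self.hashes.contains(&hex.to_ascii_lowercase()) }
    pub fn domain_hit(&self, host: &str) -> Option<&Indicator> {
        self.domains.iter().find(|i| domain_matches(&i.value, host))
    }
    pub fn ip_hit(&self, ip: Ipv4Addr) -> Option<&Indicator> {
        self.cidrs.iter().find(|(c, _)| c.contains(ip)).map(|(_, i)| i)
    }
}

// Constructed sample feeds: EICAR test-file hashes and RFC 5737 TEST-NET ranges.
pub const SAMPLE_HASHES: &str = "# hash type is inferred from length
44d88612fea8a8f36de82e1278abb02f;eicar md5
3395856ce81f2b7382dee72602f798b642f14140;eicar sha1
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f ; eicar sha256
not-a-hash
";
pub const SAMPLE_IPS: &str = "// TEST-NET ranges, not threat intel\n203.0.113.0/24;TEST-NET-3\n198.51.100.7\n";
pub const SAMPLE_DOMAINS: &str = "evil.example;exact only\n*.c2.example;any subdomain\n.beacon.example\n";

fn main() {
    let set = IocSet::load(SAMPLE_HASHES, SAMPLE_IPS, SAMPLE_DOMAINS);
    println!("md5 hit: {}", set.hash_hit("44D88612FEA8A8F36DE82E1278ABB02F"));
    println!("domain: {:?}", set.domain_hit("cdn.c2.example").map(|i| &i.value));
    println!("ip: {:?}", set.ip_hit(Ipv4Addr::new(203, 0, 113, 9)).and_then(|i| i.comment.as_deref()));
}
```

The comment field is what ends up in rule.description, so feed annotations should say where an indicator came from and why it matters; an operator triaging an alert named ioc:<type>:<indicator> has nothing else to go on.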
2. Sigma Engine Optimizations

Changes in src/engine/mod.rs:

  • Rules are filtered at load time for unsupported logsource:
    • category
    • product
    • service
  • Skip counters are tracked and logged (skipped_category_rules, skipped_product_rules, skipped_service_rules).
  • Sigma condition strings are transpiled and precompiled at startup.
  • Hot-path evaluation uses precompiled condition trees (no per-event condition parse/compile).
  • Rule description now propagates to alerts.

3. YARA Pipeline Improvements

Changes in src/scanner/mod.rs and src/main.rs:

  • YARA worker now runs via spawn_blocking.
  • Allowlist checks are applied both:
    • before queueing
    • in the worker thread (defense in depth)
  • Scanner returns structured rule matches (rule/tag/namespace/string matches), not only rule names.
  • Match output is controlled by alerts.match_debug.

4. Hot-Path Allocation Reduction

Changes in src/normalizer/mod.rs:

  • Normalizer no longer attaches process_context to every normalized event.
  • Process context enrichment is now lazy and applied only when an alert is emitted.
  • This removes unnecessary cloning for non-alert events.

5. Shared Allowlists and Config Expansion

New config capabilities (src/config.rs, config.toml):

  • New global allowlist section:
    • [allowlist].paths
  • Fallback propagation when module lists are empty:
    • response.allowlist_paths
    • ioc.hash_allowlist_paths
    • scanner.yara_allowlist_paths
  • New [ioc] section (engine enablement, file paths, severity, hash size limit, hash allowlist override).
  • New alert debug level:
    • alerts.match_debug = off | summary | full

6. Alert Model and ECS Output Upgrade

Model updates (src/models/mod.rs):

  • Add DetectionEngine::Ioc.
  • Add Alert.rule_description.
  • Add Alert.match_details (Sigma/YARA match context).

ECS mapping updates (src/models/ecs.rs):

  • ECS version now emitted as ecs.version = 9.3.0.
  • Expanded event.* metadata:
    • event.category (array)
    • event.type (array)
    • event.action
    • event.code
    • event.severity
    • event.module, event.dataset, event.provider
  • Engine/severity fields moved to:
    • edr.rule.engine
    • edr.rule.severity
  • Added richer mappings for DNS/registry/file/user context.
  • Added related.ip, related.user, and edr.match.

7. Logging Hygiene and Debug Noise Reduction

Changes in src/main.rs, src/engine/handler.rs, src/engine/mod.rs,
src/normalizer/mod.rs, src/scanner/mod.rs, and src/utils/log_rate_limiter.rs:

  • Added optional logging.filter (target-aware tracing_subscriber::EnvFilter expression).
    • When logging.filter is set and valid, it overrides logging.level.
    • Invalid filters now fail safe and fall back to logging.level, then info.
  • Established a strict logging contract in docs:
    • trace: high-frequency internals (per-event/per-rule/per-field).
    • debug: actionable troubleshooting only.
    • info: lifecycle and detection summaries.
    • warn/error: degraded/failure conditions.
  • Reclassified noisy hot-path logs from debug to trace:
    • Sigma per-event/per-rule evaluation details
    • Normalizer enrichment/schema-miss chatter
    • YARA process-start path/queue internals
  • Kept actionable debug logs with structured fields (pid, file, image, error) for:
    • queue backpressure/dropped jobs
    • scan/hash failures
  • Added worker-side suppression for repetitive debug failures:
    • new LogRateLimiter helper
    • rate-limited repeated YARA scan and IOC hash failures
    • emitted lines include suppressed count since last emission

Dependencies Added

  • digest = "0.10"
  • hex = "0.4"
  • md-5 = "0.10"
  • sha1 = "0.10"
  • sha2 = "0.10"

Documentation Updates

Updated:

  • README.md
  • docs/architecture.md
  • docs/configuration.md
  • docs/detection.md
  • docs/output.md
  • docs/active-response.md
  • docs/index.md

Behavior-Impact / Compatibility Notes

  1. Alert schema changed for ECS alignment and richer context.
    • Example: event.category is now an array.
    • Example: rule.severity / rule.engine became edr.rule.severity / edr.rule.engine.
  2. YARA default behavior changed.
    • YARA allowlist now inherits shared allowlist.paths when no module override is set.
  3. Sigma load behavior changed.
    • Rules with unsupported category/product/service are skipped at load time.

Migration Checklist

  1. Update SIEM parsers/ingest pipelines for ECS field changes.
  2. Review shared allowlist defaults and module-specific overrides.
  3. Set alerts.match_debug as needed (off, summary, full).
  4. Populate rules/ioc/*.txt with your threat intel feeds.

Installation

  1. Download rustinel-0.3.0-x86_64-pc-windows-msvc.zip
  2. Extract to your desired location
  3. Review and customize config.toml
  4. Add Sigma rules to rules/sigma/
  5. Add YARA rules to rules/yara/
  6. Populate IOC templates in rules/ioc/ (hashes.txt, ips.txt, domains.txt, paths_regex.txt)
  7. Run as Administrator: .\rustinel.exe run

Requirements

  • Windows 10/11 or Server 2016+ (x64)
  • Administrator privileges (required for ETW access)
  • Rust runtime NOT required (statically linked binary)

Rustinel v0.2.0

04 Feb 18:50

v0.2.0 - Active Response Capability

🛡️ New Features

Active Response Engine

Rustinel now includes an optional active response system that can automatically terminate processes when critical threats are detected. This moves Rustinel from detection-only to detection+response, enabling automated containment of malicious activity.

Key Capabilities:

  • Dry-Run Mode: Test response logic safely without terminating processes
  • Prevention Mode: Automatically terminate malicious processes on critical alerts
  • Severity-Based Filtering: Configurable minimum severity threshold (default: critical only)
  • Smart Allowlisting: Dual allowlist system by image name and path prefix
  • Safety First: Built-in protections for system processes, Windows directories, and Program Files
  • Async Architecture: Non-blocking design with separate worker thread
  • Comprehensive Logging: All response actions logged under response target

Severity Handling:

  • Sigma rules use their configured level field (low/medium/high/critical)
  • YARA matches are always treated as critical severity
  • Configurable min_severity gate applies after severity mapping

📋 Configuration

Add to your config.toml:

[response]
enabled = false              # Master switch
prevention_enabled = false   # false=dry-run, true=terminate
min_severity = "critical"    # Gate: low, medium, high, critical
channel_capacity = 128       # Async queue size
allowlist_images = [         # Basenames or full paths
  "system",
  "smss.exe",
  "csrss.exe",
  "wininit.exe",
  "winlogon.exe",
  "services.exe",
  "lsass.exe",
  "svchost.exe",
  "explorer.exe",
  "dwm.exe",
  "fontdrvhost.exe",
  "sihost.exe",
]
allowlist_paths = [          # Path prefixes (case-insensitive)
  "C:\\Windows\\",
  "C:\\Program Files\\",
  "C:\\Program Files (x86)\\",
]

The default config.toml now ships with a core Windows image allowlist; tune or remove entries as needed for your environment.

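The gating logic this release describes, as an added example rather than the contents of src/response/mod.rs: a pure decision function over the [response] keys above, returning the reason for every skip so dry-run logs say why nothing happened. Process enumeration and the Windows termination call are left out. The decision names, the check order, and treating a Sigma rule with a missing or unknown level as low are assumptions; the default allowlists are copied from the fragment above.

```rust
/// Severity ladder used by the min_severity gate; the derive order is the ranking.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity { Low, Medium, High, Critical }

impl Severity {
    pub fn parse(s: &str) -> Option<Severity> {
        match s.trim().to_ascii_lowercase().as_str() {
            "low" => Some(Severity::Low),
            "medium" => Some(Severity::Medium),
            "high" => Some(Severity::High),
            "critical" => Some(Severity::Critical),
            _ => None,
        }
    }
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum DetectionEngine { Sigma, Yara }

/// Severity mapping as described: Sigma uses the rule's level, YARA is always critical.
/// Unknown or missing Sigma level is treated as low (assumption).
pub fn alert_severity(engine: DetectionEngine, sigma_level: Option<&str>) -> Severity {
    match engine {
        DetectionEngine::Yara => Severity::Critical,
        DetectionEngine::Sigma => sigma_level.and_then(Severity::parse).unwrap_or(Severity::Low),
    }
}

/// The [response] keys from the config fragment above.
pub struct ResponseConfig {
    pub enabled: bool,
    pub prevention_enabled: bool,
    pub min_severity: Severity,
    pub allowlist_images: Vec<String>,
    pub allowlist_paths: Vec<String>,
}

impl ResponseConfig {
    /// Mirrors the shipped defaults: disabled, dry-run, critical only, core Windows images exempt.
    pub fn shipped_default() -> Self {
        let images = ["system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
            "lsass.exe", "svchost.exe", "explorer.exe", "dwm.exe", "fontdrvhost.exe", "sihost.exe"];
        ResponseConfig {
            enabled: false,
            prevention_enabled: false,
            min_severity: Severity::Critical,
            allowlist_images: images.iter().map(|s| s.to_string()).collect(),
            allowlist_paths: vec!["C:\\Windows\\".into(), "C:\\Program Files\\".into(), "C:\\Program Files (x86)\\".into()],
        }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Decision { Skip(&'static str), DryRun, Terminate }

/// Apply the documented guards in order; every Skip carries the reason to log.
pub fn decide(cfg: &ResponseConfig, own_pid: u32, pid: u32, image: &str, severity: Severity) -> Decision {
    if !cfg.enabled { return Decision::Skip("response disabled"); }
    if severity < cfg.min_severity { return Decision::Skip("below min_severity"); }
    if pid <= 4 { return Decision::Skip("system process (pid 0-4)"); }
    if pid == own_pid { return Decision::Skip("agent's own process"); }
    let image_lc = image.to_ascii_lowercase();
    // allowlist_images entries are basenames or full paths, compared case-insensitively
    let basename = image_lc.rsplit(|c| c == '\\' || c == '/').next().unwrap_or("");
    if cfg.allowlist_images.iter().any(|a| { let a = a.to_ascii_lowercase(); a == image_lc || a == basename }) {
        return Decision::Skip("allowlisted image");
    }
    // allowlist_paths entries are case-insensitive prefixes
    if cfg.allowlist_paths.iter().any(|p| image_lc.starts_with(&p.to_ascii_lowercase())) {
        return Decision::Skip("allowlisted path prefix");
    }
    if cfg.prevention_enabled { Decision::Terminate } else { Decision::DryRun }
}

fn main() {
    let mut cfg = ResponseConfig::shipped_default();
    cfg.enabled = true; // dry-run: enabled = true, prevention_enabled = false
    let sev = alert_severity(DetectionEngine::Yara, None);
    // Constructed alert: a YARA hit on a user-writable path, pid chosen arbitrarily.
    let d = decide(&cfg, 1234, 4711, r"C:\Users\bob\AppData\Local\Temp\payload.exe", sev);
    println!("{:?}", d);
}
```

Two properties of the shipped allowlists fall out of the checks above and are worth knowing before enabling prevention: a basename entry such as svchost.exe exempts a binary of that name in any directory, so a masquerading payload in a user profile is never terminated; and a prefix entry such as C:\Windows\ covers every subdirectory, including ones standard users can write to (C:\Windows\Temp among them). Full paths in allowlist_images and narrower prefixes in allowlist_paths tighten both.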
🧪 Testing

Quick Test (YARA Demo):

# Build the demo binary
rustc .\examples\yara_demo.rs -o .\examples\yara_demo.exe

# Set config.toml: enabled = true, prevention_enabled = false
# Run Rustinel, then run the demo
.\examples\yara_demo.exe

# Check logs for dry-run message
# Enable prevention_enabled = true and re-test

Full Testing Workflow:

  1. Enable dry-run mode: enabled = true, prevention_enabled = false
  2. Use the YARA demo or create a critical Sigma rule for a test process
  3. Run the process and observe response logs
  4. Enable prevention mode when satisfied with behavior

See docs/active-response.md for detailed testing guide.

📚 Documentation

  • New: docs/active-response.md - Comprehensive guide with examples
  • Updated: All documentation files now include response configuration
  • Enhanced: Architecture docs explain response engine integration
  • Improved: Output format docs show response logging examples

⚙️ Technical Details

  • Implemented in src/response/mod.rs (406 lines)
  • Integrated into src/engine/handler.rs and src/main.rs
  • Configuration support in src/config.rs
  • Windows API integration for process termination
  • Unit tests for PID parsing, allowlist logic, and process info extraction
  • Zero-impact on detection performance (fully async)

🔒 Safety Features

The response engine will never terminate:

  • System processes (PID 0-4)
  • The agent's own process
  • Processes in Windows directories
  • Processes in Program Files directories
  • Custom allowlisted images or paths
  • Processes below the configured severity threshold

⚠️ Breaking Changes

None. Active response is disabled by default and requires explicit configuration.

📖 Migration Guide

No migration required. The feature is opt-in via configuration.

To enable dry-run mode:

  1. Add [response] section to config.toml
  2. Set enabled = true
  3. Keep prevention_enabled = false
  4. Review logs to validate behavior
  5. Enable prevention when ready

🎯 Roadmap Update

Completed:

  • ✅ Active response engine (optional prevention mode, terminate on critical alerts)

Next:

  • YARA expansion (memory scanning + periodic scans)
  • Resource governor (Windows Job Objects CPU limits)
  • Self-defense hardening (DACL/ACL restrictions + anti-injection)
  • Watchdog sidecar to restart service if main process dies
  • ETW integrity checks to detect blinding/tampering

Notes

This release represents a significant capability expansion for Rustinel. The active response engine provides automated containment while maintaining safety through comprehensive allowlisting and dry-run testing.

For production deployments, we recommend:

  1. Start with dry-run mode enabled
  2. Monitor response logs for 24-48 hours
  3. Tune allowlists as needed
  4. Enable prevention mode gradually (test environment first)
  5. Monitor operational logs closely during rollout

Installation

  1. Download rustinel-0.2.0-x86_64-pc-windows-msvc.zip
  2. Extract to your desired location
  3. Review and customize config.toml
  4. Add Sigma rules to rules/sigma/
  5. Add YARA rules to rules/yara/
  6. Run as Administrator: .\rustinel.exe run

Requirements

  • Windows 10/11 or Server 2016+ (x64)
  • Administrator privileges (required for ETW access)
  • Rust runtime NOT required (statically linked binary)

Full Changelog: v0.1.2...v0.2.0

Rustinel v0.1.2

03 Feb 18:09

v0.1.2 - Configuration & Detection Engine Improvements

This release introduces runtime configuration flexibility and enhanced Sigma detection capabilities.

✨ New Features

CLI Configuration Overrides

  • Added --log-level flag for runtime log level control
    rustinel run --log-level debug
  • New configuration precedence: CLI flags → Environment variables → config.toml → Built-in defaults
  • Note: Service mode does not support CLI flags; use environment variables or config.toml

Sigma Engine Enhancements

  • Alternative field criteria support (OR between mapping groups in sequences)
  • Configurable rule evaluation error logging (respects global log level)
  • Improved modifier handling with correct pattern matcher precedence
  • Better support for complex Sigma rule syntax

Build Configuration

  • Added .cargo/config.toml with increased stack size (16MB) for large YARA rulesets

🐛 Bug Fixes

  • Fixed registry event field mapping with proper fallback handling
  • Fixed pattern matcher ordering for all and base64offset modifiers
  • Registry events now correctly use both event and modify field mappings

📊 Logging Improvements

Reduced Noise at INFO Level

  • Rule logic evaluation errors only visible at warn, debug, or trace levels
  • YARA rule loading messages moved to debug level
  • Detection alerts changed from warn → info (they're expected, not errors)
  • Failed normalization moved to debug (expected for unsupported event types)

Severity Adjustments

  • Alert serialization failures upgraded to error (requires attention)
  • ETW trace processing errors properly logged as warnings

📚 Documentation

  • Updated configuration precedence documentation across README and docs/
  • Added CLI flag usage examples
  • Clarified service runtime behavior with configuration sources

🔧 Internal Improvements

  • Refactored selection compilation for better maintainability
  • Performance optimization: NumericOp now derives Copy
  • Added comprehensive unit tests for new Sigma modifier behavior

Full Changelog: v0.1.1...v0.1.2

Installation

  1. Download rustinel-0.1.2-x86_64-pc-windows-msvc.zip
  2. Extract to your desired location
  3. Review and customize config.toml
  4. Add Sigma rules to rules/sigma/
  5. Add YARA rules to rules/yara/
  6. Run as Administrator: .\rustinel.exe run

Requirements

  • Windows 10/11 or Server 2016+ (x64)
  • Administrator privileges (required for ETW access)
  • Rust runtime NOT required (statically linked binary)

Rustinel v0.1.1

01 Feb 13:01

Installation

  1. Download rustinel-0.1.1-x86_64-pc-windows-msvc.zip
  2. Extract to your desired location
  3. Review and customize config.toml
  4. Add Sigma rules to rules/sigma/
  5. Add YARA rules to rules/yara/
  6. Run as Administrator: .\rustinel.exe run

Requirements

  • Windows 10/11 or Server 2016+ (x64)
  • Administrator privileges (required for ETW access)
  • Rust runtime NOT required (statically linked binary)

Full Changelog: v0.1.0...v0.1.1

Rustinel v0.1.0

01 Feb 12:56

Installation

  1. Download rustinel-0.1.0-x86_64-pc-windows-msvc.zip
  2. Extract to your desired location
  3. Review and customize config.toml
  4. Add Sigma rules to rules/sigma/
  5. Add YARA rules to rules/yara/
  6. Run as Administrator: .\rustinel.exe run

Requirements

  • Windows 10/11 or Server 2016+ (x64)
  • Administrator privileges (required for ETW access)
  • Rust runtime NOT required (statically linked binary)

Full Changelog: https://github.com/Karib0u/rustinel/commits/v0.1.0