Active Response
Rustinel includes an optional active response engine that can terminate processes when a critical alert is raised. It is disabled by default and can run in dry-run mode to validate behavior safely.
Modes
The response engine has three states:
- Disabled: no actions are queued.
- Dry-run: actions are logged but no process is terminated.
- Prevention: eligible processes are terminated.
Severity Handling
- Sigma: severity comes from the rule level (low, medium, high, critical).
- YARA: all matches are treated as critical.
The min_severity gate applies after this mapping.
Unknown min_severity values default to critical and a warning is logged.
Allowlists
Allowlists prevent termination of trusted processes:
- allowlist_images: basenames (e.g. cmd.exe) or full paths.
- allowlist_paths: path prefixes (case-insensitive). If unset, inherits from allowlist.paths.
Shared default trusted path prefixes are configured in [allowlist].paths:
C:\Windows\, C:\Program Files\, C:\Program Files (x86)\.
Configuration
[allowlist]
paths = [
"C:\\Windows\\",
"C:\\Program Files\\",
"C:\\Program Files (x86)\\",
]
[response]
enabled = true
prevention_enabled = false
min_severity = "critical"
channel_capacity = 128
allowlist_images = []
# Optional module-specific override:
# allowlist_paths = ["C:\\CustomTrusted\\"]
Logging
Actions are logged under the response target in the operational log:
response: Active response would terminate process pid=4242 image="C:\Temp\evil.exe" dry_run=true
response: Active response terminated process pid=4242 image="C:\Temp\evil.exe"
response: Active response skipped: allowlisted pid=4321 image="C:\Windows\System32\cmd.exe"
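The three line shapes above are what you review after a dry-run period, before flipping prevention_enabled to true. The following is an added example, not Rustinel's own code: it parses those lines into structured records and counts how many processes a prevention-mode run would have terminated, so the candidate images can be checked for false positives. The type names and the sample log are constructed for this example.

```rust
// Added example (not Rustinel's own code): parse the "response:" operational
// log lines shown on this page and summarise them before enabling prevention.

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Outcome {
    DryRun,          // "would terminate process ... dry_run=true"
    Terminated,      // "terminated process ..."
    Skipped(String), // "skipped: <reason> ..."
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct ResponseEvent {
    pub pid: u32,
    pub image: String,
    pub outcome: Outcome,
}

/// Extract `key=value`; the value is either a double-quoted string
/// (image="C:\...") or a bare token (pid=4242, dry_run=true).
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let start = line.find(key)? + key.len();
    let rest = &line[start..];
    if let Some(quoted) = rest.strip_prefix('"') {
        let end = quoted.find('"')?;
        Some(&quoted[..end])
    } else {
        rest.split_whitespace().next()
    }
}

/// Parse one log line; returns None for lines not emitted by the response target.
pub fn parse_line(line: &str) -> Option<ResponseEvent> {
    let body = line.trim().strip_prefix("response: ")?;
    let pid: u32 = field(body, "pid=")?.parse().ok()?;
    let image = field(body, "image=")?.to_string();
    // Check the dry-run wording first: "would terminate process" and
    // "terminated process" are distinct strings, but order keeps intent clear.
    let outcome = if body.contains("would terminate process") {
        Outcome::DryRun
    } else if body.contains("terminated process") {
        Outcome::Terminated
    } else if let Some(rest) = body.split("skipped: ").nth(1) {
        let reason = rest.split(" pid=").next().unwrap_or("").trim().to_string();
        Outcome::Skipped(reason)
    } else {
        return None;
    };
    Some(ResponseEvent { pid, image, outcome })
}

#[derive(Debug, Default, PartialEq, Eq)]
pub struct Summary {
    pub dry_run: usize,
    pub terminated: usize,
    pub skipped: usize,
    pub unparsed: usize,
    /// Distinct images a prevention-mode run would have killed: review these.
    pub candidates: Vec<String>,
}

pub fn summarize<'a>(lines: impl IntoIterator<Item = &'a str>) -> Summary {
    let mut s = Summary::default();
    for line in lines {
        match parse_line(line) {
            Some(ev) => match ev.outcome {
                Outcome::DryRun => {
                    s.dry_run += 1;
                    if !s.candidates.contains(&ev.image) {
                        s.candidates.push(ev.image);
                    }
                }
                Outcome::Terminated => s.terminated += 1,
                Outcome::Skipped(_) => s.skipped += 1,
            },
            None => s.unparsed += 1,
        }
    }
    s
}

/// Constructed sample: the three line shapes from this page plus one
/// unrelated line from another log target.
pub const SAMPLE_LOG: &str = r#"response: Active response would terminate process pid=4242 image="C:\Temp\evil.exe" dry_run=true
response: Active response terminated process pid=4242 image="C:\Temp\evil.exe"
response: Active response skipped: allowlisted pid=4321 image="C:\Windows\System32\cmd.exe"
detector: Sigma match rule="example" pid=4242"#;

fn main() {
    let summary = summarize(SAMPLE_LOG.lines());
    println!("{summary:#?}");
}
```

The unparsed counter is deliberate: a non-zero value after a real run means the log format differs from what the parser expects, and the summary should not be trusted until that is resolved.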
Safety Checks
The response engine will skip termination if:
- PID is missing
- PID is 0..4 (system processes)
- PID is the agent's own process
- Image/path is allowlisted
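To make the interaction of the Severity Handling, Allowlists and Safety Checks sections concrete, here is an added example that models the whole decision path in Rust. It is not Rustinel's own code: the type names, the function names, the order in which the checks run (severity gate, then PID checks, then allowlist) and treating 0..4 as inclusive of PID 4 are all assumptions. The configuration values come from the Configuration section of this page.

```rust
// Added example (not Rustinel's own code): a model of the active response
// decision path described on this page. Names and check order are assumptions.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Severity {
    Low,
    Medium,
    High,
    Critical,
}

impl Severity {
    /// Map a Sigma rule level. Unknown values fall back to Critical with a
    /// warning, the same fallback the page describes for min_severity.
    pub fn parse_or_critical(s: &str) -> Severity {
        match s.trim().to_ascii_lowercase().as_str() {
            "low" => Severity::Low,
            "medium" => Severity::Medium,
            "high" => Severity::High,
            "critical" => Severity::Critical,
            other => {
                eprintln!("warning: unknown severity {other:?}, defaulting to critical");
                Severity::Critical
            }
        }
    }
}

pub enum AlertSource<'a> {
    Sigma { level: &'a str },
    Yara,
}

/// Severity mapping: Sigma uses the rule level, YARA is always critical.
pub fn alert_severity(src: &AlertSource) -> Severity {
    match src {
        AlertSource::Sigma { level } => Severity::parse_or_critical(level),
        AlertSource::Yara => Severity::Critical,
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    Ignored,               // engine disabled or below min_severity
    WouldTerminate,        // dry-run: logged only
    Terminate,             // prevention: eligible process is terminated
    Skipped(&'static str), // a safety check or allowlist applied
}

pub struct ResponseConfig {
    pub enabled: bool,
    pub prevention_enabled: bool,
    pub min_severity: Severity,
    pub allowlist_images: Vec<String>,
    pub allowlist_paths: Vec<String>,
}

/// The values from the Configuration section of this page; allowlist_paths
/// is unset there, so it inherits the shared [allowlist].paths prefixes.
pub fn page_defaults() -> ResponseConfig {
    ResponseConfig {
        enabled: true,
        prevention_enabled: false,
        min_severity: Severity::parse_or_critical("critical"),
        allowlist_images: vec![],
        allowlist_paths: vec![
            r"C:\Windows\".into(),
            r"C:\Program Files\".into(),
            r"C:\Program Files (x86)\".into(),
        ],
    }
}

/// Case-insensitive match on basename, full path, or path prefix.
fn is_allowlisted(cfg: &ResponseConfig, image: &str) -> bool {
    let image_lc = image.to_ascii_lowercase();
    // Split on either separator so the basename check also works off-Windows.
    let base = image_lc
        .rsplit(|c: char| c == '\\' || c == '/')
        .next()
        .unwrap_or(image_lc.as_str());
    let by_image = cfg.allowlist_images.iter().any(|a| {
        let a = a.to_ascii_lowercase();
        a == image_lc || a == base
    });
    let by_path = cfg
        .allowlist_paths
        .iter()
        .any(|p| image_lc.starts_with(&p.to_ascii_lowercase()));
    by_image || by_path
}

pub fn decide(cfg: &ResponseConfig, own_pid: u32, pid: Option<u32>, image: &str, src: &AlertSource) -> Decision {
    if !cfg.enabled {
        return Decision::Ignored;
    }
    // min_severity gate applies after the Sigma/YARA mapping.
    if alert_severity(src) < cfg.min_severity {
        return Decision::Ignored;
    }
    let pid = match pid {
        Some(p) => p,
        None => return Decision::Skipped("pid missing"),
    };
    if pid <= 4 {
        return Decision::Skipped("system pid 0..4");
    }
    if pid == own_pid {
        return Decision::Skipped("agent's own process");
    }
    if is_allowlisted(cfg, image) {
        return Decision::Skipped("allowlisted");
    }
    if cfg.prevention_enabled { Decision::Terminate } else { Decision::WouldTerminate }
}

fn main() {
    let cfg = page_defaults();
    let own = std::process::id();
    println!("{:?}", decide(&cfg, own, Some(4242), r"C:\Temp\evil.exe", &AlertSource::Yara));
    println!("{:?}", decide(&cfg, own, Some(4321), r"C:\Windows\System32\cmd.exe", &AlertSource::Yara));
    println!("{:?}", decide(&cfg, own, Some(4242), r"C:\Temp\evil.exe", &AlertSource::Sigma { level: "high" }));
}
```

With the page defaults, a YARA match on C:\Temp\evil.exe yields WouldTerminate (dry-run), the same match on C:\Windows\System32\cmd.exe is skipped by the inherited path prefix, and a Sigma rule at level high never reaches the PID or allowlist checks because it is below min_severity = "critical".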
Quick Test
Option 1: YARA Demo (Recommended)
The built-in YARA demo provides the easiest way to test active response:
1. Build the demo binary:
2. Enable response in config.toml:
3. Run Rustinel and the demo:
4. Check logs for the dry-run message:
5. Enable prevention and re-test:
The demo process should be terminated within seconds of starting.
Option 2: Custom Sigma Rule
1. Copy a safe process to a non-allowlisted path:
2. Add a critical Sigma rule:
3. Run the process:
With prevention_enabled = false, it will log the action.
With prevention_enabled = true, the process should be terminated quickly.