# Configuration

Rustinel loads configuration from four sources, in this order:

- CLI flags, where supported
- Environment variables using the `EDR__` prefix
- `config.toml` in the current working directory
- Built-in defaults
## Configuration File

Place `config.toml` in the directory you launch Rustinel from, or use absolute paths throughout.

Production note:

- Windows services often run with `C:\Windows\System32` as the working directory.
- Linux service managers can also start in a directory that is not your install root.
- For production, prefer absolute paths for rules, logs, and alerts.
### Example config.toml

```toml
[scanner]
sigma_enabled = true
sigma_rules_path = "rules/sigma"
yara_enabled = true
yara_rules_path = "rules/yara"

[reload]
enabled = true
debounce_ms = 2000

[logging]
level = "info"
directory = "logs"
filename = "rustinel.log"
console_output = true

[alerts]
directory = "logs"
filename = "alerts.json"
match_debug = "off"

[response]
enabled = false
prevention_enabled = false
min_severity = "critical"
channel_capacity = 128
allowlist_images = []

[network]
aggregation_enabled = true
aggregation_max_entries = 20000
aggregation_interval_buffer_size = 50

[ioc]
enabled = true
hashes_path = "rules/ioc/hashes.txt"
ips_path = "rules/ioc/ips.txt"
domains_path = "rules/ioc/domains.txt"
paths_regex_path = "rules/ioc/paths_regex.txt"
default_severity = "high"
max_file_size_mb = 50
```

Use Windows path prefixes on Windows and Unix path prefixes on Linux.
## Platform-Aware Defaults

### Shared Defaults

| Option | Default |
|---|---|
| `scanner.sigma_enabled` | `true` |
| `scanner.sigma_rules_path` | `rules/sigma` |
| `scanner.yara_enabled` | `true` |
| `scanner.yara_rules_path` | `rules/yara` |
| `reload.enabled` | `true` |
| `reload.debounce_ms` | `2000` |
| `logging.level` | `info` |
| `logging.directory` | `logs` |
| `logging.filename` | `rustinel.log` |
| `logging.console_output` | `true` |
| `alerts.directory` | `logs` |
| `alerts.filename` | `alerts.json` |
| `alerts.match_debug` | `off` |
| `response.enabled` | `false` |
| `response.prevention_enabled` | `false` |
| `response.min_severity` | `critical` |
| `ioc.enabled` | `true` |
| `ioc.default_severity` | `high` |
| `ioc.max_file_size_mb` | `50` |
### Default Trusted Paths

These defaults feed `allowlist.paths`, which then propagates to active response, YARA allowlists, and IOC hash allowlists unless a module-specific override is set.

#### Windows

- `C:\Windows\`
- `C:\Program Files\`
- `C:\Program Files (x86)\`

#### Linux

- `/usr/bin/`
- `/usr/sbin/`
- `/usr/lib/`
- `/usr/lib64/`
- `/usr/libexec/`
- `/bin/`
- `/sbin/`
- `/lib/`
- `/lib64/`
## Options

### Scanner

| Option | Default | Description |
|---|---|---|
| `sigma_enabled` | `true` | Enable Sigma rule evaluation |
| `sigma_rules_path` | `rules/sigma` | Sigma rules directory |
| `yara_enabled` | `true` | Enable YARA scanning |
| `yara_rules_path` | `rules/yara` | YARA rules directory |
| `yara_allowlist_paths` | inherits `allowlist.paths` | Prefix paths skipped by YARA queueing and scanning |
### Reload

| Option | Default | Description |
|---|---|---|
| `enabled` | `true` | Enable local file-based hot reload for Sigma, YARA, and IOC files |
| `debounce_ms` | `2000` | Debounce window before rebuilding detectors |

Reload notes:

- Poll cadence is `max(reload.debounce_ms, 2000ms)`.
- Empty rebuild results are rejected to keep the last good detector set live.
### Global Allowlist

| Option | Default | Description |
|---|---|---|
| `paths` | platform-specific | Shared trusted path prefixes |

Propagation behavior:

- If `response.allowlist_paths` is empty, it inherits `allowlist.paths`.
- If `ioc.hash_allowlist_paths` is empty, it inherits `allowlist.paths`.
- If `scanner.yara_allowlist_paths` is empty, it inherits `allowlist.paths`.
### Logging

| Option | Default | Description |
|---|---|---|
| `level` | `info` | Base log level: `trace`, `debug`, `info`, `warn`, `error` |
| `filter` | `null` | Optional `tracing_subscriber` filter expression; overrides `level` when valid |
| `directory` | `logs` | Operational log directory |
| `filename` | `rustinel.log` | Operational log filename with daily rotation |
| `console_output` | `true` | Mirror logs to stdout. On Windows, colored output requires Windows Terminal; other terminals (cmd.exe, PowerShell host) display plain text automatically. |
### Alerts

| Option | Default | Description |
|---|---|---|
| `directory` | `logs` | Alert directory |
| `filename` | `alerts.json` | ECS NDJSON filename with daily rotation |
| `match_debug` | `off` | `off`, `summary`, or `full` match metadata in alerts |
### Active Response

| Option | Default | Description |
|---|---|---|
| `enabled` | `false` | Enable the response engine |
| `prevention_enabled` | `false` | If `false`, actions are logged but not executed |
| `min_severity` | `critical` | Minimum severity to act on |
| `channel_capacity` | `128` | Queue size for response work |
| `allowlist_images` | `[]` | Image basenames or full paths to skip |
| `allowlist_paths` | inherits `allowlist.paths` | Module-specific trusted prefixes |

See Active Response for platform behavior and safe testing.
### Network

| Option | Default | Description |
|---|---|---|
| `aggregation_enabled` | `true` | Enable repeated-connection suppression |
| `aggregation_max_entries` | `20000` | Maximum unique connections tracked |
| `aggregation_interval_buffer_size` | `50` | Timing intervals retained per aggregated connection |
### IOC

| Option | Default | Description |
|---|---|---|
| `enabled` | `true` | Enable IOC detection |
| `hashes_path` | `rules/ioc/hashes.txt` | Hash IOC file |
| `ips_path` | `rules/ioc/ips.txt` | IP and CIDR IOC file |
| `domains_path` | `rules/ioc/domains.txt` | Domain IOC file |
| `paths_regex_path` | `rules/ioc/paths_regex.txt` | Path regex IOC file |
| `default_severity` | `high` | Severity assigned to IOC alerts |
| `max_file_size_mb` | `50` | Skip hashing files larger than this limit |
| `hash_allowlist_paths` | inherits `allowlist.paths` | Prefix paths skipped during hashing |
## Environment Variables

The environment prefix is `EDR__`. Nested keys use double underscores.

### PowerShell

```powershell
$env:EDR__LOGGING__LEVEL="debug"
$env:EDR__SCANNER__SIGMA_RULES_PATH="C:\\Rustinel\\rules\\sigma"
$env:EDR__ALLOWLIST__PATHS='["C:\\Windows\\","C:\\Program Files\\"]'
.\rustinel.exe run --console
```

### Bash

```bash
export EDR__LOGGING__LEVEL=debug
export EDR__SCANNER__SIGMA_RULES_PATH=/opt/rustinel/rules/sigma
export EDR__ALLOWLIST__PATHS='["/usr/bin/","/usr/sbin/"]'
sudo /opt/rustinel/rustinel run
```
## CLI Overrides

The only CLI override today is the log level for interactive `run` usage. For repeatable cross-platform deployments, prefer `config.toml` and `EDR__...` environment variables.
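The following std-only Rust is an added illustration, not Rustinel's own code, of how the four sources listed at the top of this page layer, how an `EDR__SECTION__KEY` variable maps onto its `section.key` setting, and how the global allowlist propagates to the module allowlists. It assumes the source list is in descending precedence (CLI over environment over `config.toml` over defaults), models the configuration as a flat map of dotted keys, and keeps array values such as `["/usr/bin/"]` as raw strings; all three are simplifications for the example.

```rust
use std::collections::BTreeMap;

/// Effective configuration as a flat map of dotted keys; values (including JSON
/// arrays such as `["/usr/bin/"]`) are kept as raw strings for simplicity.
pub type Config = BTreeMap<String, String>;

/// Map an `EDR__SECTION__KEY` variable name to the dotted key `section.key`.
/// Names without the prefix, or with an empty segment, are ignored.
pub fn env_to_key(name: &str) -> Option<String> {
    let parts: Vec<String> =
        name.strip_prefix("EDR__")?.split("__").map(str::to_ascii_lowercase).collect();
    if parts.iter().any(String::is_empty) { return None; }
    Some(parts.join("."))
}

/// Layer the four sources lowest to highest: built-in defaults, config.toml,
/// environment, then the CLI log level (the only CLI override the page documents).
pub fn resolve(defaults: &[(&str, &str)], file: &[(&str, &str)],
               env: &[(&str, &str)], cli_log_level: Option<&str>) -> Config {
    let mut cfg = Config::new();
    for (k, v) in defaults.iter().chain(file.iter()) {
        cfg.insert(k.to_string(), v.to_string());
    }
    for (name, v) in env {
        if let Some(k) = env_to_key(name) {
            cfg.insert(k, v.to_string());
        }
    }
    if let Some(level) = cli_log_level {
        cfg.insert("logging.level".to_string(), level.to_string());
    }
    propagate_allowlist(&mut cfg);
    cfg
}

/// Module allowlists inherit `allowlist.paths` when unset or empty.
fn propagate_allowlist(cfg: &mut Config) {
    let shared = cfg.get("allowlist.paths").cloned().unwrap_or_else(|| "[]".to_string());
    let dependents = ["response.allowlist_paths", "ioc.hash_allowlist_paths",
                      "scanner.yara_allowlist_paths"];
    for key in dependents {
        if cfg.get(key).map_or(true, |v| v.trim() == "[]") {
            cfg.insert(key.to_string(), shared.clone());
        }
    }
}
```

Because the global allowlist is copied into every empty module allowlist, widening `allowlist.paths` silently widens what active response, YARA, and IOC hashing skip; set the module-specific key when one component needs a narrower list.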
## Practical Examples

### Windows Service-Friendly Paths

```toml
[scanner]
sigma_rules_path = "C:\\Rustinel\\rules\\sigma"
yara_rules_path = "C:\\Rustinel\\rules\\yara"

[logging]
directory = "C:\\Rustinel\\logs"

[alerts]
directory = "C:\\Rustinel\\logs"
```