
# Detection Rules

Sentinel uses TOML-based detection rules evaluated over a sliding time window. Rules are loaded from the file named by `rules_file` in `sentinel.toml`, and can be reloaded at runtime by sending SIGHUP (see Hot Reload below).

## Rule Format

```toml
[[rules]]
name = "brute_force"
description = "Multiple failed logins from same source"
threshold = 10
window_seconds = 300
group_by = "src_ip"
severity = "high"
mitre = ["T1110"]

[rules.condition]
category = "auth"
action = "login_failed"
outcome = "failure"
```

### Fields

| Field | Required | Description |
| --- | --- | --- |
| `name` | yes | Unique rule identifier |
| `description` | no | Human-readable description |
| `threshold` | no | Number of matching events needed to trigger (default: 1) |
| `window_seconds` | no | Time window in seconds (default: 300) |
| `group_by` | no | Group events by field: `src_ip`, `dst_ip`, `user`, `hostname`, `action` |
| `severity` | no | Alert severity: `info`, `low`, `medium`, `high`, `critical` (default: `medium`) |
| `mitre` | no | List of MITRE ATT&CK technique IDs |

### Condition Fields

All condition fields are optional. An event matches the rule only if it matches every field that is specified; fields left out of the condition are not checked.

| Field | Values |
| --- | --- |
| `category` | `network`, `auth`, `malware`, `recon`, `execution`, `exfiltration` |
| `action` | Any action string (e.g., `login_failed`, `file_download`) |
| `outcome` | `success`, `failure`, `unknown` |
| `source` | `suricata`, `cowrie`, `syslog`, `network_beacon`, `windows_event_log`, `cef`, `custom` |

## Examples

Immediate alert on honeypot file download:

```toml
[[rules]]
name = "malware_download"
description = "File download detected on honeypot"
threshold = 1
window_seconds = 1
severity = "critical"
mitre = ["T1105"]

[rules.condition]
source = "cowrie"
category = "malware"
action = "file_download"
```

Detect port scanning (50 network events from same source in 60 seconds):

```toml
[[rules]]
name = "port_scan"
description = "Rapid connection attempts from same source"
threshold = 50
window_seconds = 60
group_by = "src_ip"
severity = "medium"
mitre = ["T1046"]

[rules.condition]
category = "network"
```

## Testing Rules

Test rules against sample events without running the full pipeline:

```bash
sentinel rules test rules.toml sample_events.jsonl
```

## Hot Reload

On Linux, send SIGHUP to reload rules without restarting:

```bash
kill -HUP $(pidof sentinel)
```

Or with systemd:

```bash
systemctl reload sentinel
```