Search Rules

Find specific security detections

open-source · community-driven

Why use Rulezet?

Detection rules are the foundation of any security system. Rulezet gives you one place to share, improve, and trust them — together.

8 Formats
Open source
Community
detect_malware.yar
rule DetectMimikatz {
    meta:
        author = "community"
        score = 95
        votes = 142
    strings:
        $s1 = "sekurlsa"
    condition:
        $s1
}
A detection rule written alone is only as strong as the person who wrote it. A rule reviewed by a community is battle-tested. Rulezet brings researchers, analysts, and engineers together so every rule gets better — faster.

Foundations

What is a detection rule?

A detection rule is a piece of logic that describes a threat, an attack pattern, or a suspicious behaviour — so that security tools can automatically identify it in logs, files, or network traffic.

A precise pattern

Rules describe exactly what to look for, whether a string in a binary, a sequence of syscalls, a network signature, or a log pattern, so a match means the same thing every time it fires. The trade-off is that the narrower the pattern, the cheaper it is for an attacker to change and evade, so a good rule targets behaviour the attacker cannot easily alter rather than a single fixed string.

An automated response

Once deployed, a rule is evaluated automatically against every file scanned, packet inspected, or log event ingested. When it matches, your SIEM, EDR, or IDS raises an alert; no human needs to watch the logs manually.

A reusable asset

A well-written rule can be shared across teams, organisations, and tools. One researcher's insight becomes everyone's defence, provided each importer tests the rule against their own log sources and tunes it before trusting it.

Supported formats on Rulezet

Each format targets a specific tool or use case. Rulezet supports all of them in one place.

YARA

Pattern-matching for files and memory. The standard for malware hunting and forensics.

Sigma

Generic log detection rules, translatable to Splunk, Elastic, QRadar and more.

Suricata

Network intrusion detection and prevention. Signature rules inspect traffic in real time, at the perimeter or on internal segments.

Zeek

Network analysis framework. Generates rich structured logs for deep traffic inspection.

Wazuh

Host-based intrusion detection. Its XML rules match decoded endpoint logs, file-integrity events, and system events.

NSE

Nmap Scripting Engine scripts for active reconnaissance and vulnerability scanning.

CRS

The OWASP Core Rule Set: generic attack-detection rules for ModSecurity-compatible web application firewalls, covering many OWASP Top 10 classes such as injection and cross-site scripting.

Nova

Prompt-injection detection rules for LLM-based systems and AI pipelines.
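To make the three Foundations points concrete (a precise pattern, an automated alert, a reusable asset) and to show what "translatable to Splunk" means for the Sigma entry above, here is a small rule evaluator in Python 3.9+. It is example code written for this page, not Rulezet's engine or any Sigma project code. It runs a constructed Sigma-style rule over three constructed Windows process-creation events, returns one alert, and renders the same rule as a Splunk search. The rule content, the event data and the allow-listed `lab_tool.exe` path are assumptions; real Sigma rules are YAML and real backends such as pySigma handle field mapping and escaping far more completely than the few lines here.

```python
import re
from typing import Any, Callable

# Constructed rule in Sigma's structure (Sigma is YAML; a dict avoids PyYAML).
# As in Sigma, the fields of a selection are AND, a list of values is OR and
# matching is case-insensitive. The lab_tool path is hypothetical.
RULE: dict[str, Any] = {
    "title": "Mimikatz credential access via command line",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"CommandLine|contains": ["sekurlsa::", "privilege::debug"]},
        "filter": {"Image|endswith": "\\approved\\lab_tool.exe"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed process_creation events (doubled backslashes are Python syntax).
EVENTS: list[dict[str, str]] = [
    {"Image": "C:\\Users\\bob\\mk.exe",
     "CommandLine": "mk.exe privilege::debug SEKURLSA::logonpasswords"},  # case differs
    {"Image": "C:\\Windows\\notepad.exe", "CommandLine": "notepad.exe report.txt"},
    {"Image": "C:\\lab\\approved\\lab_tool.exe",  # hits selection, removed by filter
     "CommandLine": "lab_tool.exe sekurlsa::tickets"},
]

# Supported Sigma field modifiers; no modifier means exact match.
MATCHERS: dict[str, Callable[[str, str], bool]] = {
    "": lambda needle, actual: actual == needle,
    "contains": lambda needle, actual: needle in actual,
    "endswith": lambda needle, actual: actual.endswith(needle),
}

def selection_matches(selection: dict[str, Any], event: dict[str, str]) -> bool:
    """Every field of the selection must match (AND); list values are OR."""
    for key, needles in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        values = needles if isinstance(needles, list) else [needles]
        if not any(MATCHERS[modifier](str(v).lower(), actual.lower()) for v in values):
            return False
    return True

def eval_condition(cond: str, lookup: Callable[[str], bool]) -> bool:
    """Recursive-descent evaluator for conditions such as 'a and not (b or c)'."""
    toks = re.findall(r"\(|\)|\w+", cond)  # consumed from the front as we parse
    def factor() -> bool:
        tok = toks.pop(0) if toks else ""
        if tok == "not":
            return not factor()
        if tok == "(":
            value = expr()
            if not toks or toks.pop(0) != ")":
                raise ValueError("expected ')' in condition")
            return value
        if tok in ("", ")"):
            raise ValueError("malformed condition")
        return lookup(tok)
    def term() -> bool:
        value = factor()
        while toks and toks[0] == "and":
            toks.pop(0)
            value = factor() and value
        return value
    def expr() -> bool:
        value = term()
        while toks and toks[0] == "or":
            toks.pop(0)
            value = term() or value
        return value
    result = expr()
    if toks:
        raise ValueError(f"trailing tokens in condition: {toks}")
    return result

def run(rule: dict[str, Any], events: list[dict[str, str]]) -> list[dict[str, Any]]:
    """Evaluate the rule over each event; every hit is the alert a SIEM would raise."""
    det = rule["detection"]
    return [{"rule": rule["title"], "level": rule["level"], "event": ev} for ev in events
            if eval_condition(det["condition"], lambda n: selection_matches(det[n], ev))]

def to_splunk(rule: dict[str, Any]) -> str:
    """Render the same rule as a Splunk search: the portable side of Sigma."""
    det = rule["detection"]
    wraps = {"": "{}", "contains": "*{}*", "endswith": "*{}"}  # wildcards per modifier
    def esc(v: Any) -> str:  # escape for a Splunk double-quoted string
        return str(v).replace("\\", "\\\\").replace('"', '\\"')
    def render(name: str) -> str:
        parts = []
        for key, needles in det[name].items():
            field, _, mod = key.partition("|")
            values = needles if isinstance(needles, list) else [needles]
            alts = [f'{field}="{wraps[mod].format(esc(v))}"' for v in values]
            parts.append(f"({' OR '.join(alts)})" if len(alts) > 1 else alts[0])
        return f"({' AND '.join(parts)})" if len(parts) > 1 else parts[0]
    keywords = {"and": "AND", "or": "OR", "not": "NOT"}
    return re.sub(r"\w+", lambda m: keywords.get(m.group()) or render(m.group()),
                  det["condition"])
```

Calling run(RULE, EVENTS) returns a single alert for the first event: the second event never matches the selection, and the third matches it but is suppressed by the filter, which is the usual way a rule is tuned to a known-good tool without weakening the pattern. to_splunk(RULE) produces `(CommandLine="*sekurlsa::*" OR CommandLine="*privilege::debug*") AND NOT Image="*\\approved\\lab_tool.exe"`. The condition parser handles and, or, not and parentheses; Sigma's `1 of selection*` and aggregation forms are deliberately left out.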


Who is it for?

Made for everyone in security

From seasoned researchers to curious beginners — Rulezet has a place for you.

Security researcher
You build detection logic

Publish your rules, collect community feedback, track improvements over time, and gain visibility for your work.

SOC analyst
You respond to threats

Find reliable, community-validated rules. Import what works and adapt it to your environment in minutes.

Threat intel engineer
You run rule pipelines

Organize rules into bundles, version them, export them in any supported format, and keep your detection stack in sync.

Student / beginner
You’re learning

Browse real rules written by experts. Comment, ask questions, and propose edits — the community is open to everyone.



Rulezet is fully open source

Read the code, contribute new rule formats, and run your own instance. No vendor lock-in, no black box, no hidden telemetry. Built by the community, for the community.
