31 repositorios
Frameworks for defining custom patterns and validation logic to identify specific types of sensitive data.
Distinguishing note: Focuses on user-defined detection rules rather than pre-built detection patterns.
Explore 31 awesome GitHub repositories matching security & cryptography · Custom Detection Rules. Refine with filters or upvote what's useful.
TruffleHog is a secret scanning tool designed to identify leaked credentials and API keys across version control systems, cloud storage, and filesystems. It functions as a git secret detector that enumerates hidden commits and a cloud storage security auditor for inspecting container images and storage buckets. The project is distinguished by a credential verification engine that tests discovered secrets against service APIs to confirm they are active, which eliminates false positive alerts. It further analyzes these verified credentials to determine the specific access levels and resources t
Allows users to create tailored detection rules using regular expressions and entropy filters for proprietary credential formats.
Trufflehog is a security tool designed to continuously monitor code repositories and cloud environments to detect, verify, and remediate exposed sensitive credentials and API keys. It functions as a comprehensive secret scanning engine that integrates directly into deployment pipelines and version control systems to intercept sensitive data before it is committed or pushed. By utilizing read-only operations and volatile memory processing, the system ensures that discovered credentials are never stored persistently, maintaining strict data privacy throughout the scanning lifecycle. The platfor
Creates specific patterns and validation checks to identify unique types of sensitive data tailored to organizational security requirements.
Casbin is an authorization library that provides a model-based engine for enforcing access control across diverse application environments. It decouples authorization logic from application code by using a configuration-driven approach, allowing developers to define access rules and evaluation logic independently. The system supports a wide range of access control models, including role-based, attribute-based, and relationship-based patterns, which are evaluated at runtime to determine if a subject is permitted to perform an action on a resource. The project distinguishes itself through a hig
Registers custom logic to evaluate complex relationships between subjects, objects, or domains, allowing a single policy rule to cover multiple resource identifiers.
Dyad is a local, artificial intelligence-powered development environment designed to manage, edit, and scaffold full-stack software projects. It functions as an automated codebase manager and code editor that leverages language models to execute programming tasks, maintain project context, and apply targeted modifications directly to source files on a user's machine. The platform distinguishes itself through a model-agnostic architecture that allows for flexible integration with various language model runtimes. It provides specialized operational modes to optimize development speed and effici
Allows definition of project-specific security policies in configuration files to customize automated vulnerability scanning.
Fail2ban is an intrusion prevention system that monitors system log files to detect malicious activity and automatically enforce security policies. By parsing log data in real time, the tool identifies patterns of unauthorized access or repeated authentication failures and responds by dynamically updating network access control lists to restrict offending sources. The software functions as a firewall automation tool that maintains stateful tracking of suspicious behavior across various network services. It utilizes a regex-driven pattern matching engine to identify specific attack signatures,
Allows administrators to define custom regular expression patterns to identify and respond to specific attack signatures.
Git-secrets is a security utility designed to prevent the accidental exposure of sensitive credentials by integrating automated scanning directly into the version control commit lifecycle. It functions as a commit scanner that evaluates staged files and commit messages against defined security policies before changes are finalized in a repository. The tool utilizes regular expression pattern matching to identify potential secrets and supports the registration of custom patterns to address specific organizational security requirements. To manage operational friction, it includes mechanisms for
Supports registering custom regular expressions to identify and block specific types of sensitive data from being committed.
CrowdSec is a collaborative, distributed security engine designed for threat detection and infrastructure protection. It functions as an intrusion detection system that parses logs and network traffic to identify malicious patterns, utilizing a bucket-based threshold detection model to aggregate events and trigger alerts. The platform is built on a modular architecture that includes a centralized local API server for managing security signals and a relational database for persistent storage of remediation decisions. What distinguishes the project is its decoupled enforcement model, which offl
Constructs custom pattern-matching logic to inspect HTTP requests for malicious payloads.
Kubescape is a Kubernetes security posture management platform designed to scan clusters, manifests, and images for misconfigurations, vulnerabilities, and compliance risks. It functions as a comprehensive security suite incorporating a compliance scanner, a container image vulnerability scanner, an admission controller for policy enforcement, and a runtime security monitor. The platform distinguishes itself through runtime-aware vulnerability filtering, which maps libraries loaded in memory to determine if vulnerabilities are actually reachable. It also integrates with AI assistants via a Mo
Provides a framework for defining custom security rules using an expression language to trigger alerts.
SmartDNS is a local recursive DNS resolver and server that manages granular query rules, dual-stack networking, and encrypted gateway proxying. It functions as a DNS traffic filter and DNS64 translator, allowing IPv6-only clients to communicate with IPv4 servers. The project distinguishes itself through parallel upstream querying, which sends requests to multiple servers simultaneously to return the response with the lowest network latency. It supports DNS server virtualization, enabling the operation of multiple independent server instances on different ports, each with its own configuration
Applies distinct resolution and filtering policies based on the MAC or IP address of the requester.
BunkerWeb is a containerized suite of infrastructure tools that functions as a cloud-native web application firewall and Nginx reverse proxy. It provides a security layer for web applications, combining traffic routing with automated SSL certificate management and a web-based security dashboard for monitoring and configuration. The project distinguishes itself through its deep integration with container orchestrators, serving as a Kubernetes ingress controller that automates security settings and service discovery via container labels. It features a plugin-based extension model and a manageme
Allows injection of custom server configurations to handle complex use cases or false positives.
Sigma is a generic SIEM signature format and log event pattern standard used to describe malicious activity. It provides a vendor-neutral system for defining security event patterns in YAML, ensuring that detection logic remains portable across different monitoring platforms. The project maintains a curated library of peer-reviewed detection rules that identify threats and compliance violations. This standardized approach allows for the exchange of threat hunting logic and the translation of generic signatures into specific queries for various security information and event management systems
Describes log events using a standardized markup format to identify threats across diverse monitoring systems.
Detect-It-Easy is a binary file identifier and analysis toolkit designed to determine file formats, compilers, and packers. It functions as a binary file identifier that utilizes signature matching and heuristic analysis to identify executable and archive formats. The project includes a custom file signature engine and a scriptable rule system for defining and applying detection logic to identify specific binary patterns. It features specialized detectors for Android packages, such as APK and DEX files, and a malware packer detector to identify protections, obfuscators, and virus families. T
Implements a domain-specific language allowing users to define custom detection logic for binary pattern matching.
ua-parser-js is a JavaScript library used to extract browser, operating system, and device information from raw user agent strings and client hints. It functions as a cross-platform tool that runs in both web browsers and Node.js server environments to identify web visitors. The library integrates modern HTTP client hint headers to retrieve hardware and browser details with higher accuracy than standard string parsing. It also includes a specialized detector to identify automated AI agents, web crawlers, and bots to distinguish human traffic from automated scripts. The project covers hardwar
Provides a mechanism to extend detection capabilities by adding custom regular expressions for browser and bot identification.
YARA is a pattern matching engine and binary analysis tool used to identify and classify malware samples. It functions as a malware research framework that allows for the definition of file descriptions and detection rules to find indicators of compromise within binaries. The system enables the creation of custom detection rules using strings, wildcards, and regular expressions. These rules use boolean logic to match textual or binary patterns, allowing for the classification of files into specific malware families and the automation of threat intelligence. The engine utilizes Aho-Corasick s
Enables the creation of custom detection rules using strings, wildcards, and regular expressions.
CodeQL is a semantic code analysis engine and vulnerability scanning tool that treats source code as data. It utilizes a static analysis query language to define complex patterns and security vulnerabilities within a code graph database. The system represents source code as a relational database, enabling the execution of structural queries and data flow analysis. This approach allows for the detection of security flaws and coding errors across large-scale repositories. The tool provides capabilities for automated code auditing, static analysis security testing, and custom vulnerability dete
Allows users to define custom detection rules to find tailored bug patterns within a codebase.
Falco is an eBPF runtime security monitor and cloud native detection engine that identifies abnormal behavior and security threats across hosts and containers. It functions as a Linux kernel event auditor, capturing system calls and kernel events in real-time to detect malicious activity. The system distinguishes itself through a rule-based threat detection model that evaluates system activity against a library of community-maintained rules and custom security definitions. It enriches raw kernel events with container and Kubernetes metadata to provide observability into isolated environments
Allows the adjustment of existing security lists, macros, and rules through appending values or replacing configurations.
Blocky is a stateless DNS proxy that functions as a network-wide ad-blocker and content filter. It operates as a single binary or Docker container with no database or persistent state, accepting DNS queries over UDP, TCP, HTTPS, TLS, QUIC, and HTTP/3 through a unified plugin-based query pipeline. The core of the system is a client-group policy engine that assigns devices to named groups and applies per-group blocklists, allowlists, and upstream resolvers, with all configuration changes applied through hot-reloading without requiring a restart. The project distinguishes itself through its modu
Applies distinct allow and deny lists to different client groups such as kids or smart home devices.
pycorrector is an open-source toolkit for detecting and correcting spelling and grammar errors in Chinese text. It combines multiple correction approaches, including rule-based methods using Kenlm n-gram language models and confusion sets, as well as deep learning correctors built on BERT, GPT, and T5 models. The toolkit also provides a command-line interface for batch processing Chinese text files with configurable detection and output options. The project distinguishes itself by offering a range of correction strategies that can be mixed and matched. Rule-based correction uses character-lev
Adjusts the detection threshold to control how aggressively potential errors are flagged during correction.
Provides a Python API that lets developers write and integrate their own vulnerability detection rules.
capa is a binary capability scanner that identifies high-level behaviors and actions an executable can perform, such as network communication or file manipulation. It functions as a malware behavior analysis tool and a MITRE ATT&CK mapping framework, scanning PE, ELF, .NET, and shellcode files through both static analysis and dynamic sandbox report processing. The tool distinguishes itself through a YAML-based detection rule engine that defines detection logic in human-readable files, with conditions expressed as feature combinations and logical operators. It integrates with IDA Pro, Ghidra,
Identifies packed programs and warns users when obfuscation may cause misleading analysis results.