🐍 High-performance, multi-threaded YARA & IOC scanner
Neo23x0/Loki-RS
Loki RS Logo

Loki-RS

A rewrite of Loki in Rust. High-performance, multi-threaded YARA & IOC scanner in a single binary.

Status: Beta. Works, but still under active development.

Features

  • YARA scanning of files and process memory (yara-x)
  • IOC matching (MD5/SHA1/SHA256 hashes, filename patterns, C2 indicators)
  • Multi-threaded scanning with configurable thread count
  • Archive scanning (ZIP files)
  • Interactive TUI with real-time stats and controls
  • Remote logging via syslog (UDP/TCP), in syslog or JSON format
  • HTML report generation with detailed findings
  • Configurable scoring thresholds
  • Smart filtering (skips /proc, /sys, mounted drives by default)
  • Magic header detection
  • JSONL output for log ingestion

macOS process scanning

Process memory scanning on macOS is best-effort and typically requires debugging entitlements or elevated privileges. Without those, Loki-RS will still scan files but will not be able to read most process memory. Use --no-procs to skip process scanning if needed.

Installation

Download the pre-compiled binary for your platform from the Releases Page.

# Extract
tar -xzvf loki-linux-*.tar.gz
cd loki-linux-*

# Update signatures (recommended)
./loki-util update

# Run
sudo ./loki --help

Signatures ship with the release but get stale quickly. Run loki-util update to fetch the latest IOCs and YARA rules.

Signatures

Loki-RS uses detection content from two sources:

IOCs are pulled from signature-base, a collection of hash, filename, and C2 indicators maintained alongside Loki.

YARA rules come from YARA Forge, which aggregates and quality-checks rules from public repositories. Loki-RS uses the Core rule set - high accuracy, low false positives, optimized for performance. If you need broader coverage, you can swap in the Extended or Full sets from YARA Forge.

Usage

# Basic scan (TUI enabled by default)
sudo ./loki

# Scan specific folder
sudo ./loki --folder /tmp

# Disable TUI, use standard command-line output
sudo ./loki --no-tui

Common Scenarios

# Scan a mounted image (skip process scanning, use all cores)
sudo ./loki --no-procs --folder ~/image1 --threads 0

# Slow and cautious scan (lower CPU limit, single thread)
sudo ./loki --cpu-limit 60 --threads 1

# Scan and send logs to remote syslog
sudo ./loki --remote syslog-host.internal:514 --remote-proto udp

Screenshots

Loki Startup

Loki Interrupt Menu

Command Line Options

Scan Target

Option Default Description
-f, --folder <PATH> / Folder to scan

Scan Control

Option Default Description
--no-procs false Skip process memory scanning
--no-fs false Skip filesystem scanning
--no-archive false Skip scanning inside archives (ZIP)
--scan-all-drives false Scan all drives including mounted/network/cloud
--scan-all-files false Scan all files regardless of extension/type

Output Options

Option Default Description
-l, --log <FILE> auto Plain text log file
--no-log false Disable plaintext log output
-j, --jsonl <FILE> auto JSONL output file
--no-jsonl false Disable JSONL output
--no-html false Disable HTML report generation
--no-tui false Disable TUI, use standard command-line output
-r, --remote <HOST:PORT> none Remote syslog destination
-p, --remote-proto <PROTO> udp Remote protocol (udp/tcp)
--remote-format <FMT> syslog Remote format (syslog/json)

Tuning

Option Default Description
--alert-level <SCORE> 80 Score threshold for ALERT
--warning-level <SCORE> 60 Score threshold for WARNING
--notice-level <SCORE> 40 Score threshold for NOTICE
--max-reasons <NUM> 2 Max match reasons to display per finding
-m, --max-file-size <BYTES> 64000000 Maximum file size to scan (64MB)
-c, --cpu-limit <PERCENT> 100 CPU utilization limit (1-100)
--threads <NUM> -2 Number of threads (0=all, -1=all-1, -2=all-2)

Info & Debug

Option Default Description
--version - Show version and exit
-d, --debug false Show debug output
--trace false Show verbose trace output
--show-access-errors false Show file/process access errors

Excluding Files and Folders

Loki-RS provides multiple mechanisms for excluding files and folders from scans.

Built-in Automatic Exclusions

By default, Loki-RS automatically excludes:

System directories (Linux/macOS):

  • /proc, /dev, /sys/kernel/debug, /sys/kernel/slab, /sys/kernel/tracing, /sys/devices
  • /run, /var/run

Cloud storage directories (unless --scan-all-drives is used):

  • OneDrive, Dropbox, Google Drive, iCloud, Box, Nextcloud, pCloud, MEGA, Seafile, ownCloud, and others

Network and mounted drives (unless --scan-all-drives is used):

  • NFS, CIFS/SMB, SSHFS, WebDAV mounts
  • External media under /media, /volumes

Program directory:

  • Loki-RS automatically excludes its own directory to prevent scanning itself

Command-Line Exclusion Options

Option Description
--scan-all-drives Include mounted drives, network drives, and cloud storage
--scan-all-files Scan all files regardless of file type/extension (by default, only relevant file types are scanned)
-m, --max-file-size <BYTES> Skip files larger than this size (default: 64MB)
--no-procs Skip process memory scanning entirely
--no-fs Skip filesystem scanning entirely
--no-archive Skip scanning inside archive files (ZIP)

Hash-Based False Positive Exclusions

You can exclude known good files by their hash. This is useful for whitelisting legitimate files that trigger false positives.

Setup:

  1. Create a file in signatures/iocs/ with both hash and falsepositive in the filename, for example hash-falsepositive-custom.txt

  2. Add hashes (MD5, SHA1, or SHA256) with optional descriptions:

# Format: HASH;description
d41d8cd98f00b204e9800998ecf8427e;Empty file - known good
a7f5f35426b927411fc9231b56382173;Legitimate system utility

Files matching these hashes will be silently skipped during scanning.
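The hash-falsepositive file format described above, parsed and applied by an added example (not Loki-RS code): it infers MD5/SHA1/SHA256 from the digest length, rejects malformed entries instead of silently dropping them, and checks file content against the list. The sample file is constructed; its MD5 entries are the README's own, the SHA1 entry is added for illustration.

```python
import hashlib
import re

# Constructed sample of signatures/iocs/hash-falsepositive-custom.txt: HASH;description,
# '#' lines are comments. The MD5 entries are the README's; the SHA1 entry is added here.
SAMPLE_FP_FILE = """# Format: HASH;description
d41d8cd98f00b204e9800998ecf8427e;Empty file - known good
a7f5f35426b927411fc9231b56382173;Legitimate system utility
da39a3ee5e6b4b0d3255bfef95601890afd80709;Empty file - SHA1 of the same content
"""

# The list mixes digest types, so the algorithm is inferred from the hex length.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")

def parse_fp_hashes(text):
    """Return {algo: set of lowercase hex digests}; malformed entries raise ValueError."""
    digests = {"md5": set(), "sha1": set(), "sha256": set()}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        value = line.split(";", 1)[0].strip().lower()  # description after ';' is optional
        algo = ALGO_BY_LEN.get(len(value))
        if algo is None or not HEX_RE.match(value):
            raise ValueError(f"line {lineno}: not an MD5/SHA1/SHA256 hex digest: {value!r}")
        digests[algo].add(value)
    return digests

def is_known_good(data, fp_digests):
    """True if the content's MD5, SHA1 or SHA256 appears on the false positive list."""
    for algo, known in fp_digests.items():
        if known and hashlib.new(algo, data).hexdigest() in known:
            return True
    return False
```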

Filename Pattern False Positive Exclusions

When adding filename IOCs to signatures/iocs/filename-iocs.txt, you can specify a false positive exclusion regex in the third column:

# Format: REGEX;SCORE;FALSE_POSITIVE_REGEX
#
# This matches procdump.exe / procdump64.exe (or the .zip), but excludes copies in SysInternals directories
(?i)\\procdump(64)?\.(exe|zip);50;(?i)(SysInternals\\)

If a file matches both the main pattern AND the false positive regex, it will not be reported.

Configuration File Exclusions

The config/excludes.cfg file supports regex-based path exclusions:

# Exclude system directories
^/proc/.*
^/dev/.*
^/sys/.*

# Exclude temporary files
.*\.tmp$
.*\.temp$
.*\.swp$

# Exclude specific directories
.*node_modules.*
.*/\.git/.*

Note: Path exclusion patterns are matched against the full file path using regular expressions. Lines starting with # are comments.
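The filename IOC false positive column and the excludes.cfg path patterns, worked through together in an added example (not Loki-RS code): a path excluded by excludes.cfg is never reported; a path that hits an IOC regex is reported unless its false positive regex also matches; the score is then mapped to the README's default ALERT/WARNING/NOTICE thresholds. Assumptions: both samples are constructed (the IOC entry is the README's procdump line), regexes are searched anywhere in the full path, and the third IOC column is treated as optional.

```python
import re

# Constructed sample of signatures/iocs/filename-iocs.txt (REGEX;SCORE;FALSE_POSITIVE_REGEX);
# the entry is the README's procdump example. The FP column is treated as optional (assumption).
SAMPLE_FILENAME_IOCS = r"""(?i)\\procdump(64)?\.(exe|zip);50;(?i)(SysInternals\\)
"""
# Constructed sample of config/excludes.cfg: one path regex per line, '#' lines are comments.
SAMPLE_EXCLUDES = r"""# Exclude temporary files
.*\.tmp$
.*/\.git/.*
"""

# Default thresholds from the README (--alert-level / --warning-level / --notice-level).
LEVELS = (("ALERT", 80), ("WARNING", 60), ("NOTICE", 40))

def _entries(text):
    """Yield non-empty, non-comment lines of a signature/config file."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def parse_filename_iocs(text):
    """Return (regex, score, fp_regex or None) per IOC line."""
    iocs = []
    for line in _entries(text):
        parts = line.split(";", 2)
        fp = re.compile(parts[2]) if len(parts) == 3 and parts[2] else None
        iocs.append((re.compile(parts[0]), int(parts[1]), fp))
    return iocs

def parse_excludes(text):
    return [re.compile(p) for p in _entries(text)]  # compiled excludes.cfg patterns

def level_for(score):
    """Severity label a score is reported under, or None if below NOTICE."""
    for name, threshold in LEVELS:
        if score >= threshold:
            return name
    return None

def evaluate_path(path, excludes, iocs):
    """Return (state, score): state is 'excluded', 'suppressed', 'match' or 'clean'."""
    if any(rx.search(path) for rx in excludes):
        return ("excluded", None)  # excludes.cfg wins before any IOC is consulted
    for rx, score, fp in iocs:  # regexes are searched in the full path (assumption)
        if rx.search(path):
            if fp is not None and fp.search(path):
                return ("suppressed", score)  # main pattern AND FP regex matched
            return ("match", score)
    return ("clean", None)
```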

Examples

# Scan but include all drives (network, cloud, mounted)
sudo ./loki --scan-all-drives

# Scan all file types, not just executables and scripts
sudo ./loki --scan-all-files

# Scan only small files (under 10MB)
sudo ./loki --max-file-size 10000000

# Skip process scanning (useful for mounted images)
sudo ./loki --no-procs --folder /mnt/image

TUI Mode

The terminal interface is enabled by default and provides real-time monitoring during scans.

sudo ./loki --folder /path/to/scan

Loki in Action

Key Action
q Quit
p Pause/Resume
s Skip current items
t Toggle thread overlay
+ / - Adjust CPU limit
Arrow keys Scroll logs

Loki TUI Screenshot

HTML Reports

Loki-RS automatically generates a styled HTML report after each scan. The report is created alongside the JSONL log file and provides a visual summary of all findings.

The report includes:

  • Scan configuration and runtime statistics
  • Color-coded findings grouped by severity (Alert, Warning, Notice)
  • File metadata (hashes, timestamps, size)
  • YARA rule matches with descriptions and matched strings
  • IOC match details with references

Loki HTML Report

The HTML report shares the same base filename as the JSONL output (e.g., loki_hostname_2025-01-08.html). To disable report generation, use --no-html.

Generating HTML Reports from JSONL Files

You can generate HTML reports from existing JSONL files using loki-util:

# Generate HTML report from a single JSONL file
./loki-util html --input scan_results.jsonl --output report.html

# Generate combined HTML report from multiple JSONL files
./loki-util html --input "*.jsonl" --combine --output combined_report.html

# Use glob patterns to match multiple files
./loki-util html --input "/path/to/scans/*.jsonl" --combine --output combined.html

Options:

  • --input <file|glob> - Input JSONL file or glob pattern (required)
  • --output <file.html> - Output HTML file (optional, defaults to input filename with .html extension)
  • --combine - Combine multiple JSONL files into one report (groups findings by hostname)
  • --title <str> - Override report title
  • --host <str> - Override hostname in report

The combined report mode is useful for aggregating scan results from multiple hosts or time periods into a single view, with findings grouped by source hostname.

Building from Source

git clone https://github.com/Neo23x0/Loki-RS.git
cd Loki-RS
cargo build --release
./target/release/loki-util update
sudo ./target/release/loki

Requires a Rust toolchain. See docs/BUILD.md for cross-compilation.

Documentation

About

Loki RS is a side project. It’s a fast, single-binary scanner built for practical triage and experimentation, and it may change quickly as ideas get tried and removed.

Support is community-based and best-effort - no SLA, no guaranteed response times, and no promise that every edge case is handled perfectly. If you run it in production, do it with that in mind.

For corporate environments and incident response work with predictable support and a broader, well-tested feature set, Nextron Systems maintains THOR (and THOR Lite). THOR is the professional scanner with extensive artifact coverage, more modules and formats, and vendor support. THOR Lite is the free entry version with a reduced scope.

License

GNU General Public License v3.0. See LICENSE.

Copyright (c) 2025 Florian Roth
