Loki-RS
April 28, 2026 · View on GitHub

Loki-RS
A rewrite of Loki in Rust. High-performance, multi-threaded YARA & IOC scanner in a single binary.
Status: Beta. Works, but still under active development.
Features
- YARA scanning of files and process memory (yara-x)
- IOC matching (MD5/SHA1/SHA256 hashes, filename patterns, C2 indicators)
- Multi-threaded scanning with configurable thread count
- Archive scanning (ZIP files)
- Interactive TUI with real-time stats and controls
- Remote logging to a syslog collector over UDP or TCP, in syslog or JSON format
- HTML report generation with detailed findings
- Configurable scoring thresholds
- Smart filtering (skips /proc, /sys, mounted drives by default)
- Magic header detection
- JSONL output for log ingestion
macOS process scanning
Process memory scanning on macOS is best-effort and typically requires debugging entitlements or elevated privileges. Without those, Loki-RS will still scan files but will not be able to read most process memory. Use --no-procs to skip process scanning if needed.
Linux process scanning
On Linux, Loki-RS skips device-backed and kernel-special process mappings before reading /proc/<pid>/mem. This avoids known instability with some driver-managed VMAs while preserving normal anonymous, heap/stack, and regular file-backed memory scanning. If you still hit environment-specific issues, use --no-procs to disable process scanning.
Installation
Download the pre-compiled binary for your platform from the Releases Page.
```bash
# Extract
tar -xzvf loki-linux-*.tar.gz
cd loki-linux-*
# Update signatures (recommended)
./loki-util update
# Run
sudo ./loki --help
```
Signatures ship with the release but get stale quickly. Run loki-util update to fetch the latest YARA-Forge Core rules.
Signatures
Loki-RS uses YARA Forge as its default signature source. Loki-RS ships and updates with the Core rule set (high accuracy, low false positives, optimized for performance). If you need broader coverage, you can swap in the Extended or Full sets from YARA Forge.
IOC files in signatures/iocs/ remain supported as optional local/custom content.
Usage
```bash
# Basic scan (TUI enabled by default)
sudo ./loki
# Scan specific folder
sudo ./loki --folder /tmp
# Disable TUI, use standard command-line output
sudo ./loki --no-tui
```
Common Scenarios
```bash
# Scan a mounted image (skip process scanning, use all cores)
sudo ./loki --no-procs --folder ~/image1 --threads 0
# Slow and cautious scan (lower CPU limit, single thread)
sudo ./loki --cpu-limit 60 --threads 1
# Scan and send logs to remote syslog
sudo ./loki --remote syslog-host.internal:514 --remote-proto udp
```
Command Line Options
Scan Target
| Option | Default | Description |
|---|---|---|
| -f, --folder <PATH> | / | Folder to scan |
Scan Control
| Option | Default | Description |
|---|---|---|
| --no-procs | false | Skip process memory scanning |
| --no-fs | false | Skip filesystem scanning |
| --no-archive | false | Skip scanning inside archives (ZIP) |
| --scan-all-drives | false | Scan all drives including mounted/network/cloud |
| --scan-all-files | false | Scan all files regardless of extension/type |
Output Options
| Option | Default | Description |
|---|---|---|
| -l, --log <FILE> | auto | Plain text log file |
| --no-log | false | Disable plaintext log output |
| -j, --jsonl <FILE> | auto | JSONL output file |
| --no-jsonl | false | Disable JSONL output |
| --no-html | false | Disable HTML report generation |
| --no-tui | false | Disable TUI, use standard command-line output |
| -r, --remote <HOST:PORT> | none | Remote syslog destination |
| -p, --remote-proto <PROTO> | udp | Remote protocol (udp/tcp) |
| --remote-format <FMT> | syslog | Remote format (syslog/json) |
Tuning
| Option | Default | Description |
|---|---|---|
| --alert-level <SCORE> | 80 | Score threshold for ALERT |
| --warning-level <SCORE> | 60 | Score threshold for WARNING |
| --notice-level <SCORE> | 40 | Score threshold for NOTICE |
| --max-reasons <NUM> | 2 | Max match reasons to display per finding |
| -m, --max-file-size <BYTES> | 64000000 | Maximum file size to scan (64MB) |
| -c, --cpu-limit <PERCENT> | 100 | CPU utilization limit (1-100) |
| --threads <NUM> | -2 | Number of threads (0=all, -1=all-1, -2=all-2) |
Info & Debug
| Option | Default | Description |
|---|---|---|
| --version | - | Show version and exit |
| -d, --debug | false | Show debug output |
| --trace | false | Show verbose trace output |
| --show-access-errors | false | Show file/process access errors |
Excluding Files and Folders
Loki-RS provides multiple mechanisms for excluding files and folders from scans.
Built-in Automatic Exclusions
By default, Loki-RS automatically excludes:
System directories (Linux/macOS):
- /proc, /dev, /sys/kernel/debug, /sys/kernel/slab, /sys/kernel/tracing, /sys/devices/run, /var/run
Cloud storage directories (unless --scan-all-drives is used):
- OneDrive, Dropbox, Google Drive, iCloud, Box, Nextcloud, pCloud, MEGA, Seafile, ownCloud, and others
Network and mounted drives (unless --scan-all-drives is used):
- NFS, CIFS/SMB, SSHFS, WebDAV mounts
- External media under /media, /volumes
Program directory:
- Loki-RS automatically excludes its own directory to prevent scanning itself
Command-Line Exclusion Options
| Option | Description |
|---|---|
--scan-all-drives | Include mounted drives, network drives, and cloud storage |
--scan-all-files | Scan all files regardless of file type/extension (by default, only relevant file types are scanned) |
-m, --max-file-size <BYTES> | Skip files larger than this size (default: 64MB) |
--no-procs | Skip process memory scanning entirely |
--no-fs | Skip filesystem scanning entirely |
--no-archive | Skip scanning inside archive files (ZIP) |
Hash-Based False Positive Exclusions
You can exclude known good files by their hash. This is useful for whitelisting legitimate files that trigger false positives.
Setup:
- Create a file in signatures/iocs/ with both "hash" and "falsepositive" in the filename, for example hash-falsepositive-custom.txt
- Add hashes (MD5, SHA1, or SHA256) with optional descriptions:

```text
# Format: HASH;description
d41d8cd98f00b204e9800998ecf8427e;Empty file - known good
a7f5f35426b927411fc9231b56382173;Legitimate system utility
```
Files matching these hashes will be silently skipped during scanning.
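How such a file is consumed, as an added Python example (not Loki-RS code; Loki-RS is written in Rust and nothing on this page shows its loader): it parses the HASH;description format above, rejects a malformed digest instead of silently ignoring it, hashes a blob with MD5, SHA1 and SHA256 in one pass, and reports whether the blob would be skipped. Inferring the algorithm from the digest length (32/40/64 hex characters) is this example's assumption, and the sample entries and the fp_entries_for helper (which generates entries from a set of known-good files so nobody has to hand-type digests) are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import io
from typing import BinaryIO

# Digest length in hex characters -> algorithm. The page allows MD5, SHA1 or
# SHA256 entries in one file; inferring the algorithm from the length is this
# example's assumption, not documented Loki-RS behaviour.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = set("0123456789abcdef")

# Constructed sample in the page's HASH;description format. The first digest
# is the MD5 of an empty file, the second its SHA256.
SAMPLE_FP_FILE = """\
# Format: HASH;description
d41d8cd98f00b204e9800998ecf8427e;Empty file - known good

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855;Empty file (SHA256 entry)
"""


def looks_like_digest(value: str) -> str | None:
    """Return 'md5', 'sha1' or 'sha256' if value is a hex digest of that size, else None."""
    v = value.strip().lower()
    if len(v) in _ALGO_BY_LEN and set(v) <= _HEX:
        return _ALGO_BY_LEN[len(v)]
    return None


def parse_fp_hash_file(text: str) -> dict[str, str]:
    """Parse HASH;description lines into {lowercase_digest: description}.

    Blank lines and '#' comments are skipped. A malformed digest raises
    instead of being dropped, so a typo cannot quietly lose an allowlist entry
    and leave the false positive firing.
    """
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, description = line.partition(";")
        if looks_like_digest(digest) is None:
            raise ValueError(f"line {lineno}: {digest!r} is not an MD5/SHA1/SHA256 hex digest")
        entries[digest.strip().lower()] = description.strip()
    return entries


def digests(stream: BinaryIO) -> dict[str, str]:
    """Compute md5, sha1 and sha256 of a stream in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def fp_match(data: bytes, entries: dict[str, str]) -> tuple[str, str] | None:
    """Return (algorithm, description) if any digest of data is allowlisted, else None."""
    for algo, digest in digests(io.BytesIO(data)).items():
        if digest in entries:
            return algo, entries[digest]
    return None


def fp_entries_for(known_good: dict[str, bytes], algo: str = "sha256") -> str:
    """Render HASH;description lines for a set of known-good blobs (name -> content)."""
    lines = ["# Format: HASH;description"]
    for name, data in sorted(known_good.items()):
        lines.append(f"{digests(io.BytesIO(data))[algo]};known good: {name}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    allow = parse_fp_hash_file(SAMPLE_FP_FILE)
    print(fp_match(b"", allow))           # matched through the MD5 entry
    print(fp_match(b"not empty", allow))  # None: this blob would be scanned normally
    print(fp_entries_for({"empty.bin": b""}), end="")
```

Generate the entries from a trusted copy of the binary (a gold image or the vendor package) rather than from the file that triggered on the host under investigation, otherwise a tampered file can be allowlisted by the very scan that should have caught it.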
Filename Pattern False Positive Exclusions
When adding filename IOCs to signatures/iocs/filename-iocs.txt, you can specify a false positive exclusion regex in the third column:
```text
# Format: REGEX;SCORE;FALSE_POSITIVE_REGEX
#
# This matches procdump.exe, procdump64.exe and the corresponding .zip archives
# (score 50), but excludes copies found under a SysInternals directory
(?i)\\procdump(64)?\.(exe|zip);50;(?i)(SysInternals\\)
```
If a file matches both the main pattern AND the false positive regex, it will not be reported.
Configuration File Exclusions
The config/excludes.cfg file supports regex-based path exclusions:
```text
# Exclude system directories
^/proc/.*
^/dev/.*
^/sys/.*
# Exclude temporary files
.*\.tmp$
.*\.temp$
.*\.swp$
# Exclude specific directories
.*node_modules.*
.*/\.git/.*
```
Note: Path exclusion patterns are matched against the full file path using regular expressions. Lines starting with # are comments.
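The two regex-driven formats above (filename-iocs.txt with its third false-positive column, and excludes.cfg), as an added Python example that is not part of Loki-RS: it parses both, applies the exclusions first and then the filename IOCs to a few constructed paths, and shows that the false-positive column suppresses a hit that the main regex produced while the excludes.cfg patterns, which carry no (?i), stay case-sensitive. Using re.search, checking exclusions before IOCs, and the second (constructed) IOC rule are this example's choices. Loki-RS itself is Rust; Rust's standard regex crate has no backreferences or lookaround, so keep custom patterns within the subset the page's own examples use.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the page's filename-iocs.txt format
# (REGEX;SCORE;FALSE_POSITIVE_REGEX). The first rule is the page's own; the
# second is made up here to show a rule without a false-positive column.
SAMPLE_FILENAME_IOCS = r"""
# Format: REGEX;SCORE;FALSE_POSITIVE_REGEX
(?i)\\procdump(64)?\.(exe|zip);50;(?i)(SysInternals\\)
(?i)/tmp/\.?[a-z0-9]{1,3}$;40
"""

# The page's excludes.cfg example, verbatim.
SAMPLE_EXCLUDES = r"""
# Exclude system directories
^/proc/.*
^/dev/.*
^/sys/.*
# Exclude temporary files
.*\.tmp$
.*\.temp$
.*\.swp$
# Exclude specific directories
.*node_modules.*
.*/\.git/.*
"""


@dataclass
class FilenameIoc:
    pattern: re.Pattern[str]
    score: int
    false_positive: re.Pattern[str] | None
    source: str  # the original line, kept for reporting


def _lines(text: str):
    """Yield (lineno, line) for non-blank, non-comment lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#"):
            yield lineno, line


def parse_filename_iocs(text: str) -> list[FilenameIoc]:
    iocs: list[FilenameIoc] = []
    for lineno, line in _lines(text):
        # At most three columns. The page defines no escape for ';', so a
        # literal ';' inside the main regex cannot be expressed in this format.
        cols = line.split(";", 2)
        if len(cols) < 2:
            raise ValueError(f"line {lineno}: expected REGEX;SCORE[;FALSE_POSITIVE_REGEX]")
        fp = re.compile(cols[2]) if len(cols) == 3 and cols[2] else None
        iocs.append(FilenameIoc(re.compile(cols[0]), int(cols[1]), fp, line))
    return iocs


def parse_excludes(text: str) -> list[re.Pattern[str]]:
    return [re.compile(line) for _, line in _lines(text)]


def is_excluded(path: str, excludes: list[re.Pattern[str]]) -> bool:
    # Patterns are applied to the full path. The page's patterns carry their
    # own anchors (^...$ or a leading .*), so search() is sufficient here.
    return any(p.search(path) for p in excludes)


def match_filename_iocs(path: str, iocs: list[FilenameIoc]) -> list[tuple[int, str]]:
    """Return (score, rule) for each IOC whose regex matches and whose FP regex does not."""
    hits = []
    for ioc in iocs:
        if not ioc.pattern.search(path):
            continue
        if ioc.false_positive and ioc.false_positive.search(path):
            continue  # matched, but suppressed by the false-positive column
        hits.append((ioc.score, ioc.source))
    return hits


def triage_path(path: str, iocs: list[FilenameIoc], excludes: list[re.Pattern[str]]) -> list[tuple[int, str]]:
    """Exclusions first (an excluded path reports nothing), then filename IOCs."""
    if is_excluded(path, excludes):
        return []
    return match_filename_iocs(path, iocs)


IOCS = parse_filename_iocs(SAMPLE_FILENAME_IOCS)
EXCLUDES = parse_excludes(SAMPLE_EXCLUDES)

if __name__ == "__main__":
    for p in (r"C:\Tools\procdump64.exe", r"C:\SysInternals\procdump.exe",
              "/tmp/.x", "/srv/app/node_modules/a.js", "/home/a/report.TMP"):
        status = "excluded" if is_excluded(p, EXCLUDES) else triage_path(p, IOCS, EXCLUDES)
        print(f"{p} -> {status}")
```

Note what the last two paths show: anything under node_modules is dropped before any IOC is consulted, which is exactly the blind spot an exclusion creates, and report.TMP is not excluded because .*\.tmp$ is case-sensitive. Review excludes.cfg with that trade-off in mind, and add (?i) only where the case-insensitive match is really wanted.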
Examples
```bash
# Scan but include all drives (network, cloud, mounted)
sudo ./loki --scan-all-drives
# Scan all file types, not just executables and scripts
sudo ./loki --scan-all-files
# Scan only small files (under 10MB)
sudo ./loki --max-file-size 10000000
# Skip process scanning (useful for mounted images)
sudo ./loki --no-procs --folder /mnt/image
```
TUI Mode
The terminal interface is enabled by default and provides real-time monitoring during scans.
```bash
sudo ./loki --folder /path/to/scan
```

| Key | Action |
|---|---|
| q | Quit |
| p | Pause/Resume |
| s | Skip current items |
| t | Toggle thread overlay |
| + / - | Adjust CPU limit |
| Arrow keys | Scroll logs |

HTML Reports
Loki-RS automatically generates a styled HTML report after each scan. The report is created alongside the JSONL log file and provides a visual summary of all findings.
The report includes:
- Scan configuration and runtime statistics
- Color-coded findings grouped by severity (Alert, Warning, Notice)
- File metadata (hashes, timestamps, size)
- YARA rule matches with descriptions and matched strings
- IOC match details with references

The HTML report shares the same base filename as the JSONL output (e.g., loki_hostname_2025-01-08.html). To disable report generation, use --no-html.
Generating HTML Reports from JSONL Files
You can generate HTML reports from existing JSONL files using loki-util:
```bash
# Generate HTML report from a single JSONL file
./loki-util html --input scan_results.jsonl --output report.html
# Generate combined HTML report from multiple JSONL files
./loki-util html --input "*.jsonl" --combine --output combined_report.html
# Use glob patterns to match multiple files
./loki-util html --input "/path/to/scans/*.jsonl" --combine --output combined.html
```
Options:
- --input <file|glob> - Input JSONL file or glob pattern (required)
- --output <file.html> - Output HTML file (optional, defaults to the input filename with a .html extension)
- --combine - Combine multiple JSONL files into one report (groups findings by hostname)
- --title <str> - Override the report title
- --host <str> - Override the hostname shown in the report
The combined report mode is useful for aggregating scan results from multiple hosts or time periods into a single view, with findings grouped by source hostname.
Building from Source
```bash
git clone https://github.com/Neo23x0/Loki-RS.git
cd Loki-RS
cargo build --release
./target/release/loki-util update
sudo ./target/release/loki
```
Requires a Rust toolchain. See docs/BUILD.md for cross-compilation.
About
Loki RS is a side project. It’s a fast, single-binary scanner built for practical triage and experimentation, and it may change quickly as ideas get tried and removed.
Support is community-based and best-effort - no SLA, no guaranteed response times, and no promise that every edge case is handled perfectly. If you run it in production, do it with that in mind.
For corporate environments and incident response work with predictable support and a broader, well-tested feature set, Nextron Systems maintains THOR (and THOR Lite). THOR is the professional scanner with extensive artifact coverage, more modules and formats, and vendor support. THOR Lite is the free entry version with a reduced scope.
License
GNU General Public License v3.0. See LICENSE.
Copyright (c) 2025 Florian Roth