# General nzyme configuration.
#
# This file holds credentials (admin password hash, database password, SMTP password). Keep it readable only by
# the user nzyme runs as (for example owner-only permissions) and do not commit a filled-in copy to version control.
general: {
# In this version, only LEADER is supported. Added for future compatibility. Do not change.
role: LEADER
# The ID or name of this nzyme instance. Must be unique and contain only alphanumeric characters, underscores and dashes.
id: nzyme-node-01
# Admin password SHA256 hash. (64 characters) - generate with, for example, sha256sum on Linux: $ echo -n secretpassword | sha256sum
# You will use this password to log in to the web interface.
# Note: the example command leaves the password in your shell history; clear the history entry afterwards or use a
# method your shell offers to keep the command out of history.
admin_password_hash:
# Path to PostgreSQL database. Make sure to change username, password and database name. (This is described in the documentation)
# The database password is stored in clear text here, which is why this file must not be world-readable. If the
# database runs on another host, consider enabling TLS on the connection via the PostgreSQL driver's SSL parameters.
database_path: "postgresql://localhost:5432/nzyme?user=nzyme&password=YOUR_PASSWORD"
# Download current list of manufacturers and enable MAC address to manufacturer lookup?
fetch_ouis: true
# Path to directory that the tracker will use to store some temporary information. (must be writable)
# /usr/share is conventionally read-only data; a writable state directory such as one under /var/lib may fit your
# system better. Whatever you choose, it should be writable by the nzyme user only.
data_directory: /usr/share/nzyme
# We use Python to inject frames for traps.
python {
# Path to python executable. (nzyme supports both Python 3 and 2)
# Python 2 is end-of-life and no longer receives security fixes; prefer a Python 3 interpreter.
path: /usr/bin/python3.8
# Script directory. This must be an existing and writable directory. We'll store some generated Python scripts here.
# The generated scripts are executed, so a shared world-writable directory like /tmp lets any other local user
# replace them between generation and execution. Use a dedicated directory writable only by the nzyme user.
script_directory: /tmp
# Script prefix. A prefix for the generated scripts. There is usually no reason to change this setting.
script_prefix: nzyme_
}
alerting {
# Notifications and callbacks for triggered alerts.
callbacks: [
{
type: email
enabled: false
# One of: SMTP, SMTPS or SMTP_TLS
# Prefer SMTPS or SMTP_TLS over plain SMTP so the credentials below and the alert contents are not sent in clear text.
transport_strategy: SMTP_TLS
host: smtp.example.org
port: 587
username: "your_username"
password: "your_password"
from: "nzyme <[email protected]>"
subject_prefix: "[NZYME]"
recipients: [
"Somebody <[email protected]>",
"Somebody Else <[email protected]>"
]
}
]
# Length of the training period. Do not change this if you don't know what this means.
training_period_seconds: 300
}
# Regularly check if this version of nzyme is outdated?
versionchecks: true
}
# Web interface and REST API configuration.
interfaces: {
# Make sure to set this to an IP address you can reach from your workstation.
# The default binds to loopback only. If you bind to a non-loopback address, the admin login and the REST API become
# reachable from the network, so enable TLS below and restrict access with a firewall where possible.
rest_listen_uri: "http://127.0.0.1:22900/"
# This is usually the same as the `rest_listen_uri`. Take a look at the configuration documentation to learn about
# other use-cases. This matters if you run behind a load balancer or NAT. (basically, it is the address
# that your web browser will use to try to connect to nzyme and it has to be reachable for it.)
http_external_uri: "http://127.0.0.1:22900/"
# Use TLS? (HTTPS) See https://go.nzyme.org/docs-https
# Strongly recommended for anything other than a loopback-only setup; the admin password is sent over this interface.
use_tls: false
}
# List of Graylog GELF TCP inputs. (Optional but strongly recommended to enable analytics, forensics and incident response.)
# See https://go.nzyme.org/docs-wifi-threat-hunting
graylog_uplinks: []
# 802.11/Wifi adapters that are designated to read traffic.
# The more monitors you have listening on different channels, the more traffic will be picked up and the more
# traffic will be available as the basis for alerts and analysis.
802_11_monitors: [
{
# The 802.11/WiFi adapter name. (from `ifconfig` or `ip link`)
device: wlx00c0ca971201
# WiFi interface and 802.11 channels to use. Nzyme will cycle your network adapters through these channels.
# Consider local legal requirements and regulations.
# See also: https://en.wikipedia.org/wiki/List_of_WLAN_channels
channels: [1,2,3,4,5,6,7,8,9,10,11]
# There is no way for nzyme to configure your wifi interface directly. We are using direct operating system commands to
# configure the adapter. Examples for Linux are in the documentation.
# This command runs with elevated privileges via sudo. If you add a sudoers rule for it, scope the rule to exactly this
# binary and argument pattern for the nzyme user rather than granting unrestricted sudo. The {interface} and {channel}
# placeholders appear to be filled from the `device` and `channels` values in this file; verify this against the
# documentation before extending the command.
channel_hop_command: "sudo /sbin/iwconfig {interface} channel {channel}"
# Channel hop interval in seconds. Leave at default if you don't know what this is.
channel_hop_interval: 1
}
]
# A list of all your 802.11/WiFi networks. This will be used for automatic alerting.
# It is recommended to leave this empty or on default at first start of nzyme and
# then build it using the data nzyme shows in the web interface. For example, the
# "security" and "fingerprints" strings can be copied from the web interface.
# The values below are placeholders for illustration; replace them with your own network's data.
802_11_networks: [
{
ssid: mywifinetwork
channels: [1,2,3,4,5,6,7,8,9,10,11,12,13]
security: [WPA2-PSK-CCMP]
beacon_rate: 40
bssids: [
{
address: "f0:9f:c2:dd:18:f6",
# Expected signal strength window (dBm) for this BSSID; readings outside it feed the signal_anomaly alert (see 802_11_alerts below).
expected_signal_strength: {from: -80, to: -90}
fingerprints: [ 8ba95bfb6207749c01479235017a76b15ad63c387fd0bcc74593388f81326ca0 ]
}
]
}
]
# List of enabled 802.11/WiFi alert types. Remove or comment out (#) an alert type to mute it. TODO ADD DOCS LINK
# Muting an alert type reduces detection coverage; prefer tuning the network definitions above over disabling alerts.
802_11_alerts: [
unexpected_bssid
unexpected_ssid
crypto_change
unexpected_channel
known_bandit_fingerprint
unexpected_fingerprint
signal_anomaly
beacon_rate_anomaly
multiple_signal_tracks
pwnagotchi_advertisement
bandit_contact
]
# Optional: Traps to set up. See: https://go.nzyme.org/deception-and-traps
802_11_traps: []
# Optional: A tracker device to track down physical location of bandits. Please read more in the documentation.
# Please consult the nzyme documentation to find out supported tracker devices. TODO ADD DOCS LINK
tracker_device {}