forked from nzymedefense/nzyme
-
Notifications
You must be signed in to change notification settings - Fork 0
/
nzyme.conf.example
187 lines (151 loc) · 6.56 KB
/
nzyme.conf.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
# Configuration reference: https://go.nzyme.org/configuration-reference
# General nzyme configuration.
general: {
role: LEADER
# The ID or name of this nzyme instance. Must be unique and contain only alphanumeric characters, underscores and dashes.
id: nzyme-node-01
# Admin password SHA256 hash. (64 characters) - generate with, for example, sha256sum on Linux: $ echo -n secretpassword | sha256sum
# You will use this password to log in to the web interface.
admin_password_hash:
# Path to postgreSQL database. Make sure to change username, password and database name. (This is described in the documentation)
database_path: "postgresql://localhost:5432/nzyme?user=nzyme&password=YOUR_PASSWORD"
# Download current list of manufacturers and enable MAC address to manufacturer lookup?
fetch_ouis: true
# Path to directory that the tracker will use to store some temporary information. (must be writable)
data_directory: /usr/share/nzyme
# We use Python to inject frames for traps.
python {
# Path to python executable. (nzyme supports both Python 3 and 2)
path: /usr/bin/python3.8
# Script directory. This must be an existing and writable directory. We'll store some generated Python scripts here.
script_directory: /tmp
# Script prefix. A prefix for the generate scripts. There is usually no reason to change this setting.
script_prefix: nzyme_
}
alerting {
# Notifications and callbacks for triggered alerts.
callbacks: [
{
type: email
enabled: false
# One of: SMTP, SMTPS or SMTP_TLS
transport_strategy: SMTP_TLS
host: smtp.example.org
port: 587
username: "your_username"
password: "your_password"
from: "nzyme <[email protected]>"
subject_prefix: "[NZYME]"
recipients: [
"Somebody <[email protected]>",
"Somebody Else <[email protected]>"
]
}
{
type: file
enabled: false
path: /var/log/nzyme/alerts.log
}
]
# Length of the training period. Do not change this if you don't know what this means.
training_period_seconds: 300
}
# Regularly check if this version of nzyme is outdated?
versionchecks: true
}
# Web interface and REST API configuration.
interfaces: {
# Make sure to set this to an IP address you can reach from your workstation.
rest_listen_uri: "http://127.0.0.1:22900/"
# This is usually the same as the `rest_listen_uri`. Take a look at the configuration documentation to learn about
# other use-cases. It will be interesting if you run behind a load balancer or NAT. (basically, it is the address
# that your web browser will use to try to connect to nzyme and it has to be reachable for it.)
http_external_uri: "http://127.0.0.1:22900/"
# Use TLS? (HTTPS) See https://go.nzyme.org/docs-https
use_tls: false
}
# List of uplinks. Sends frame meta information and alerts to log management systems like Graylog for threat hunting and
# forensics. See https://go.nzyme.org/uplinks
uplinks: []
# 802.11/Wifi adapters that are designated to read traffic.
# The more monitors you have listening on different channels, the more traffic will be picked up and the more
# traffic will be available as the basis for alerts and analysis.
# See: https://go.nzyme.org/configuration-reference
802_11_monitors: [
{
# The 802.11/WiFi adapter name. (from `ifconfig` or `ip link`)
device: wlx00c0ca971201
# WiFi interface and 802.11 channels to use. Nzyme will cycle your network adapters through these channels.
# Consider local legal requirements and regulations.
# See also: https://en.wikipedia.org/wiki/List_of_WLAN_channels
channels: [1,2,3,4,5,6,7,8,9,10,11]
# There is no way for nzyme to configure your wifi interface directly. We are using direct operating system commands to
# configure the adapter. Examples for Linux are in the documentation.
channel_hop_command: "sudo /sbin/iwconfig {interface} channel {channel}"
# Channel hop interval in seconds. Leave at default if you don't know what this is.
channel_hop_interval: 1
# Time this monitor can remain without recording any frames until it is marked as failing. Under certain conditions,
# it can be normal to not record any frames for an extended period of time. If you receive warnings and alerts for
# failed probes when there were simply no frames to record, increase this value. Default: 60
max_idle_time_seconds: 60
# Skip the automatic monitor mode configuration of this interface. Only enable this if for some reason libpcap can't
# properly configure this interface into monitor mode. In that case, you can try to set it manually instead.
skip_enable_monitor: false
}
]
# A list of all your 802.11/WiFi networks. This will be used for automatic alerting.
# It is recommended to leave this empty or on default at first start of nzyme and
# then build it using the data nzyme shows in the web interface. For example, the
# "security" and "fingerprints" strings can be copied from the web interface.
# See: https://go.nzyme.org/network-monitoring
802_11_networks: [
{
ssid: mywifinetwork
channels: [1,2,3,4,5,6,7,8,9,10,11,12,13]
security: [WPA2-PSK-CCMP]
beacon_rate: 40
bssids: [
{
address: "f0:9f:c2:dd:18:f6",
fingerprints: [ 8ba95bfb6207749c01479235017a76b15ad63c387fd0bcc74593388f81326ca0 ]
}
]
}
]
# The deauthentication monitor is used to monitor the number of recorded of deauthentication and disassociation frames.
# The global_threshold parameter is used to control when a DEAUTH_FLOOD alert is triggered.
deauth_monitor {
global_threshold: 10
}
# List of enabled 802.11/WiFi alert types. Remove or comment out (#) an alert type to mute it.
# See: https://go.nzyme.org/alerting
802_11_alerts: [
unexpected_bssid
unexpected_ssid
crypto_change
unexpected_channel
unexpected_fingerprint
beacon_rate_anomaly
multiple_signal_tracks
pwnagotchi_advertisement
bandit_contact
unknown_ssid
deauth_flood
]
# Optional: Traps to set up. See: https://go.nzyme.org/deception-and-traps
802_11_traps: []
reporting: {
email: {
# One of: SMTP, SMTPS or SMTP_TLS
transport_strategy: SMTP_TLS
host: smtp.example.org
port: 587
username: "your_username"
password: "your_password"
from: "nzyme <[email protected]>"
subject_prefix: "[NZYME]"
}
}
# Optional: A device to communicate with nzyme trackers, used to track down physical location of bandits. Please read
# more in the documentation. See: https://go.nzyme.org/bandits-and-trackers
groundstation_device: {}