# [Server]

# Listen address of (reporting) HTTP server
HTTP_ADDRESS 0.0.0.0

# Listen port of (reporting) HTTP server
HTTP_PORT 8338

# Use SSL/TLS
USE_SSL false

# SSL/TLS (private/cert) PEM file (e.g. openssl req -new -x509 -keyout server.pem -out server.pem -days 1023 -nodes)
#SSL_PEM misc/server.pem

# User entries (username:sha256(password):UID:filter_netmask(s))
# Note(s): sha256(password) can be generated on Linux with: echo -n 'password' | sha256sum | cut -d " " -f 1
#          UID >= 1000 have only rights to display results
#          filter_netmask(s) is/are used to filter results
USERS
    admin:9ab3cd9d67bf49d01f6a2e33d0bd9bc804ddbe6ce1ff5d219c42624851db5dbc:0:0.0.0.0/0                        # changeme!

# Listen address of (log collecting) UDP server
UDP_ADDRESS 0.0.0.0

# Listen port of (log collecting) UDP server
UDP_PORT 8337

# Should server do the trail updates too (to support UPDATE_SERVER)
USE_SERVER_UPDATE_TRAILS false

# [Sensor]

# Number of processes
PROCESS_COUNT $CPU_CORES

# Disable setting of CPU affinity (with schedtool) on Linux machines (e.g. because of load issues with other processes)
DISABLE_CPU_AFFINITY false

# Use feeds (too) in trail updates
USE_FEED_UPDATES true

# Update trails after every given period (seconds)
UPDATE_PERIOD 86400

# Location of directory with custom trails (*.txt) files
CUSTOM_TRAILS_DIR ./trails/custom

# (Max.) size of multiprocessing network capture ring buffer (in bytes or percentage of total physical memory) used by sensor (e.g. 512MB)
CAPTURE_BUFFER 10%

# Interface used for monitoring (e.g. eth0, eth1)
MONITOR_INTERFACE any

# Network capture filter (e.g. ip)
# Note(s): more info about filters can be found at: https://danielmiessler.com/study/tcpdump/
#CAPTURE_FILTER ip or ip6
CAPTURE_FILTER udp or icmp or (tcp and (tcp[tcpflags] == tcp-syn or port 80 or port 1080 or port 3128 or port 8000 or port 8080 or port 8118))

# Sensor name to appear in produced logs
SENSOR_NAME $HOSTNAME

# Remote address to send log entries
LOG_SERVER 127.0.0.1:8337

# Remote address to send syslog entries
#SYSLOG_SERVER 192.168.2.107:514

# Use only (!) in cases when LOG_SERVER should be used for log storage
DISABLE_LOCAL_LOG_STORAGE true

# Remote address for pulling (latest) trail definitions (e.g. http://192.168.2.107:8338/trails)
#UPDATE_SERVER http://192.168.2.107:8338/trails

# Use heuristic methods
USE_HEURISTICS true

# Capture HTTP requests with missing Host header (introducing potential false positives)
CHECK_MISSING_HOST false

# Check values in Host header (along with standard non-HTTP checks) for malicious DNS trails (introducing greater number of events)
CHECK_HOST_DOMAINS false

# Location of file with whitelisted entries (i.e. IP addresses, domain names, etc.) (note: take a look into 'misc/whitelist.txt')
#USER_WHITELIST

# [All]

# Show debug messages (in console output)
SHOW_DEBUG false

# Directory used for log storage
LOG_DIR /var/log/maltrail

# HTTP(s) proxy address
#PROXY_ADDRESS http://192.168.5.101:8118