ak47 — format of ak47 component configuration
General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the ak47 component configuration.
Repeatable sections/items are marked by the '*' before the section/item name.
Configuration directives have attributes of several value types. For a description of the basic types, see configuration(7).
An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, the enumeration description contains the value for every name (in parentheses next to the name). For other enumerations, the names must be used.
The following enumerations are used in ak47 configuration directives:
    ip-version       (see common(5))
    osi4-proto       (see common(5))
    listen-on-sock   (see listen-on(5))
Configuration of the ak47 library component consists of the following prototypes:
    * watchdog name { ... }
    ak47 { ... }
watchdog name {
    id ... ;
    file ... ;
    * pattern ... ;
    * threshold ... ;
    lifetime ... ;
}

Watching patterns in files.
Watchdog identification (id) must be specified.
At least one pattern must be specified.
id key;
    Watchdog identification.
    key (type: str)
        Source ID (both the flag in the central DB and the table name in the local DB).
file path;
    File being monitored.
    path (type: str)

pattern pat;
    Pattern being searched for.
    pat (type: regexp)
        Searched pattern; the position of the client IP address must be marked by parentheses (a capture group), as that group is what gets blacklisted.
threshold count sec;
    Thresholds for watchdog failures.
    If the given number of pattern matches (attempts) is found in the file within the given time period, the client is added to the blacklist.
    count (type: uint8)
    sec (type: uint32)
    The maximum COUNT value is 10.
lifetime [sec];
    Host record lifetime.
    Hosts not seen within this period are removed from the DB.
    sec (type: uint32, optional, default: 86400)

[End of section watchdog description.]
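The watchdog semantics described above (a capture group in PATTERN marks the client address; COUNT matches of any pattern within SEC seconds put the client on the blacklist; blacklist records not seen within LIFETIME expire), replayed over log lines as an added Python simulation. This is example code written for this page, not Kernun's own implementation. The source ID, the log file path, the sshd-style regular expressions, the sample log lines and the whitelist address are constructed for the example; the ak47 whitelist is modelled as a plain set of addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed example of one ak47 "watchdog" section. The source ID, the
# log file path and the regular expressions are assumptions for this
# example; the watched file is not read, the sample lines below are fed in.
WATCHDOG = {
    "id": "sshd-auth",                 # id key;        (hypothetical source ID)
    "file": "/var/log/auth.log",       # file path;     (hypothetical path)
    "patterns": [                      # pattern pat;   the capture group marks the client IP
        r"Failed password for .+ from (\d+\.\d+\.\d+\.\d+) port \d+",
        r"Invalid user \S+ from (\d+\.\d+\.\d+\.\d+)",
    ],
    "threshold": (3, 60),              # threshold count sec;  (count <= 10)
    "lifetime": 86400,                 # lifetime sec;  (the page's default)
}

# Constructed sshd-style log lines: ISO timestamp first, then the message.
SAMPLE_LOG = """\
2024-05-01T10:00:00 sshd[811]: Failed password for root from 203.0.113.5 port 51122 ssh2
2024-05-01T10:00:20 sshd[811]: Failed password for root from 203.0.113.5 port 51123 ssh2
2024-05-01T10:00:45 sshd[811]: Invalid user admin from 203.0.113.5
2024-05-01T10:05:00 sshd[812]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2024-05-01T10:08:00 sshd[812]: Failed password for alice from 198.51.100.7 port 40002 ssh2
2024-05-01T10:09:00 sshd[812]: Failed password for alice from 198.51.100.7 port 40003 ssh2
2024-05-01T10:10:00 sshd[813]: Failed password for bob from 192.0.2.10 port 30000 ssh2
2024-05-01T10:10:01 sshd[813]: Failed password for bob from 192.0.2.10 port 30001 ssh2
2024-05-01T10:10:02 sshd[813]: Failed password for bob from 192.0.2.10 port 30002 ssh2
2024-05-01T10:11:00 sshd[814]: Accepted password for carol from 203.0.113.9 port 2222 ssh2
"""


class Watchdog:
    """Sliding-window matcher mimicking the watchdog/threshold/lifetime semantics."""

    def __init__(self, cfg, whitelist=()):
        count, window = cfg["threshold"]
        if not 1 <= count <= 10:                      # count is uint8 with a maximum of 10
            raise ValueError("threshold count must be in 1..10")
        self.patterns = [re.compile(p) for p in cfg["patterns"]]
        for pat in self.patterns:
            if pat.groups < 1:                        # the IP position must be a capture group
                raise ValueError(f"pattern {pat.pattern!r} has no capture group for the IP")
        self.count, self.window, self.lifetime = count, window, cfg["lifetime"]
        self.whitelist = set(whitelist)               # ak47 "whitelist" item, modelled as a set
        self.hits = defaultdict(deque)                # ip -> timestamps of recent matches
        self.blacklist = {}                           # ip -> last-seen timestamp

    def feed(self, ts, line):
        """Feed one log line; return the client IP if it is (now) blacklisted, else None."""
        for pat in self.patterns:
            m = pat.search(line)
            if m:
                break
        else:
            return None
        ip = m.group(1)
        if ip in self.whitelist:                      # whitelisted clients are never blacklisted
            return None
        q = self.hits[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:          # drop matches older than the SEC window
            q.popleft()
        if ip in self.blacklist or len(q) >= self.count:
            self.blacklist[ip] = ts                   # add, or refresh the last-seen time
            return ip
        return None

    def cleanup(self, now):
        """Remove hosts not seen within LIFETIME seconds; return the removed IPs."""
        expired = [ip for ip, seen in self.blacklist.items() if now - seen > self.lifetime]
        for ip in expired:
            del self.blacklist[ip]
            self.hits.pop(ip, None)
        return expired


def parse_line(line):
    """Split a constructed 'ISO-timestamp message' line into (epoch seconds, message)."""
    ts_str, _, msg = line.partition(" ")
    ts = datetime.fromisoformat(ts_str).replace(tzinfo=timezone.utc).timestamp()
    return ts, msg


def run(log_text=SAMPLE_LOG, whitelist=("192.0.2.10",)):
    """Replay the log through the watchdog and return it for inspection."""
    wd = Watchdog(WATCHDOG, whitelist)
    for line in log_text.splitlines():
        wd.feed(*parse_line(line))
    return wd


if __name__ == "__main__":
    wd = run()
    print("blacklisted:", sorted(wd.blacklist))
```

In the sample, 203.0.113.5 produces three matches within 45 seconds and is blacklisted; 198.51.100.7 also produces three matches, but the first falls outside the 60-second window, so it is not; 192.0.2.10 is whitelisted and ignored; 203.0.113.9 matches no pattern. The check that every pattern has a capture group is the mistake most worth catching at configuration time, since a pattern without one can never yield an address to blacklist.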
ak47 {
    upload ... ;
    download ... ;
    autonomous-mode ... ;
    lifetime ... ;
    cleanup-time ... ;
    whitelist ... ;
    max-entries ... ;
    save-delay ... ;
    honeypot { ... }
    * watchdog name { ... }
}

Adaptive Kernun IDS/IPS Configuration.
DOWNLOAD and AUTONOMOUS-MODE are mutually exclusive.
upload [freq];
    Attributes for uploading the IDS database to the central server.
    freq (type: uint32, optional, default: 15m)
        Upload frequency in seconds.

download [freq [dead]];
    Attributes for downloading the IDS database from the central server.
    freq (type: uint32, optional, default: 15m)
        Download frequency in seconds.
    dead (type: uint32, optional, default: 15d)
        Lifetime of the IPS DB in case of server connectivity loss.

autonomous-mode [freq];
    Attributes for the autonomous mode of IPS management.
    freq (type: uint32, optional, default: 1m)
        Frequency of IPS database refresh from IDS data.
lifetime [sec];
    Blacklist record lifetime.
    Hosts not seen within this period are removed from the DB.
    sec (type: uint32, optional, default: 86400)

cleanup-time [hhmm];
    Time of day when the database cleanup is done.
    At the time given in this item, records for hosts not seen within the particular LIFETIME period are removed.
    hhmm (type: time, optional, default: 303, i.e. 03:03)

whitelist [list];
    Whitelist addresses.
    list (type: host-set, optional, default: {})

max-entries [size [reserve]];
    Maximum number of AK47 table entries held in PF.
    size (type: uint32, optional, default: 200000)
        Maximum table size.
    reserve (type: uint32, optional, default: 0)
        Obsolete.

save-delay [sec];
    SQL transaction maximum duration.
    sec (type: uint32, optional, default: 1)

honeypot
{
    * non-transparent ... ;
    stats-daily { ... }
    stats-weekly { ... }
    stats-monthly { ... }
    lifetime ... ;
}

AK47 honeypot parameters.
Listening addresses are never assigned to any real host, so an attempt to connect to them is a symptom of port scanning by the client.
The honeypot section is derived from the listen-on section prototype. For a detailed description of it, see listen-on(5).
Restrictions in the honeypot section: the item transparent is not valid.
stats-daily {
    top-clients ... ;
    top-servers ... ;
}

The stats-daily section is derived from the summary section prototype. For a detailed description of it, see application(5).
Restrictions in the stats-daily section: the items top-users, top-groups, top-categories, top-senders, top-recipients, top-mime-types, top-qnames, top-qtypes, top-callers, top-receivers, top-sids, top-server-ports, spam-threshold, top-src-ips, top-dst-ips and top-rules, and the section activity-report, are not valid.
stats-weekly {
    top-clients ... ;
    top-servers ... ;
}

The stats-weekly section is derived from the summary section prototype. For a detailed description of it, see application(5).
Restrictions in the stats-weekly section: the items top-users, top-groups, top-categories, top-senders, top-recipients, top-mime-types, top-qnames, top-qtypes, top-callers, top-receivers, top-sids, top-server-ports, spam-threshold, top-src-ips, top-dst-ips and top-rules, and the section activity-report, are not valid.
stats-monthly {
    top-clients ... ;
    top-servers ... ;
}

The stats-monthly section is derived from the summary section prototype. For a detailed description of it, see application(5).
Restrictions in the stats-monthly section: the items top-users, top-groups, top-categories, top-senders, top-recipients, top-mime-types, top-qnames, top-qtypes, top-callers, top-receivers, top-sids, top-server-ports, spam-threshold, top-src-ips, top-dst-ips and top-rules, and the section activity-report, are not valid.
lifetime [sec];
    Host record lifetime.
    Hosts not seen within this period are removed from the DB.
    sec (type: uint32, optional, default: 86400)

[End of section ak47.honeypot description.]
watchdog name {
    id ... ;
    file ... ;
    * pattern ... ;
    * threshold ... ;
    lifetime ... ;
}

The watchdog section inside ak47 is derived from the top-level watchdog section prototype. For a detailed description of it, see above.

[End of section ak47 description.]