Name

ak47 — format of ak47 component configuration

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the ak47 component configuration.

Repeatable sections/items are marked by a '*' before the section/item name.

TYPES

Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).

An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in that case the enumeration description lists the value for every name (in parentheses next to the name). For other enumerations, the names must be used.

The following enumerations are used in ak47 configuration directives:

ip-version (see common(5))

osi4-proto (see common(5))

listen-on-sock (see listen-on(5))

ITEMS AND SECTIONS

Configuration of the ak47 library component consists of the following prototypes:


* watchdog name { ... }
  ak47 { ... }

Description:

watchdog name {
  id ... ;
  file ... ;
* pattern ... ;
* threshold ... ;
  lifetime ... ;
}

Watches for patterns in files.

Constraints:

Watchdog identification must be specified.

At least one pattern must be specified.

Items & subsections:

id key;

Watchdog identification.

key (type: str)

Source ID (both flag in central DB and table name in local DB).

file path;

File being monitored.

path (type: str)

pattern pat;

Pattern being searched for.

pat (type: regexp)

Pattern searched for; the position of the IP address must be marked by parentheses.

threshold count sec;

Thresholds for watchdog failures.

If the given number of attempts is found in the file within the given time period, the client is added to the blacklist.

count (type: uint8)

sec (type: uint32)

Constraints:

Maximum COUNT value is 10.

lifetime [sec];

Host record lifetime.

Hosts not seen within this period are removed from the DB.

sec (type: uint32, optional, default: 86400)

[End of section watchdog description.]
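The watchdog semantics described above (a regexp whose parenthesized group marks the client IP, a COUNT-within-SEC threshold that blacklists the client, and LIFETIME pruning of host records), as an added Python simulation; this is not Kernun code and not part of this man page, and the regexp, log lines and parameter values are constructed for illustration:

```python
import re
from collections import defaultdict, deque

# Constructed watchdog parameters mirroring the man page items: pattern with
# the IP position in parentheses, threshold COUNT/SEC and LIFETIME.
PATTERN = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+) port \d+")
THRESHOLD_COUNT = 3        # the page caps COUNT at 10
THRESHOLD_SEC = 60
LIFETIME_SEC = 86400

# Constructed sample log lines as (epoch seconds, text); not real log data.
SAMPLE_LOG = [
    (1000, "Failed password for root from 203.0.113.5 port 4000 ssh2"),
    (1010, "Failed password for admin from 203.0.113.5 port 4001 ssh2"),
    (1020, "Accepted password for bob from 198.51.100.7 port 4002 ssh2"),
    (1030, "Failed password for root from 203.0.113.5 port 4003 ssh2"),
    (1040, "Failed password for root from 198.51.100.9 port 4004 ssh2"),
    (1200, "Failed password for root from 198.51.100.9 port 4005 ssh2"),
    (1300, "Failed password for root from 198.51.100.9 port 4006 ssh2"),
]

def run_watchdog(log, pattern=PATTERN, count=THRESHOLD_COUNT,
                 sec=THRESHOLD_SEC, lifetime=LIFETIME_SEC):
    """Feed log through the watchdog; return (blacklist, hosts).

    blacklist maps ip -> time it was blacklisted, hosts maps ip -> last seen.
    A client is blacklisted once `count` matches fall inside a `sec` window;
    host records not seen within `lifetime` seconds are dropped.
    """
    hits = defaultdict(deque)   # ip -> match timestamps inside the window
    hosts = {}                  # host DB: ip -> last seen time
    blacklist = {}
    for ts, line in log:
        m = pattern.search(line)
        if not m:
            continue
        ip = m.group(1)          # the parenthesized IP position
        hosts[ip] = ts
        window = hits[ip]
        window.append(ts)
        while ts - window[0] > sec:   # discard matches older than SEC
            window.popleft()
        if len(window) >= count and ip not in blacklist:
            blacklist[ip] = ts
        # LIFETIME: forget hosts not seen within the period
        for stale in [h for h, last in hosts.items() if ts - last > lifetime]:
            del hosts[stale]
            hits.pop(stale, None)
    return blacklist, hosts
```

With the sample data, 203.0.113.5 produces three matches within 30 seconds and is blacklisted, while 198.51.100.9 never reaches three matches inside any 60-second window.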

ak47 {
  upload ... ;
  download ... ;
  autonomous-mode ... ;
  lifetime ... ;
  cleanup-time ... ;
  whitelist ... ;
  max-entries ... ;
  save-delay ... ;
  honeypot { ... }
* watchdog name { ... }
}

Adaptive Kernun IDS/IPS Configuration.

Constraints:

DOWNLOAD and AUTONOMOUS-MODE are mutually exclusive.

Items & subsections:

upload [freq];

Attributes for uploading the IDS database to the central server.

freq (type: uint32, optional, default: 15m)

Default upload frequency in seconds.

download [freq [dead]];

Attributes for downloading the IDS database from the central server.

freq (type: uint32, optional, default: 15m)

Default download frequency in seconds.

dead (type: uint32, optional, default: 15d)

Lifetime of the IPS DB in case connectivity to the server is lost.

autonomous-mode [freq];

Attributes for the autonomous mode of IPS management.

freq (type: uint32, optional, default: 1m)

Frequency of IPS database refresh from IDS data.

lifetime [sec];

Blacklist record lifetime.

Hosts not seen within this period are removed from the DB.

sec (type: uint32, optional, default: 86400)

cleanup-time [hhmm];

Time of day when the database cleanup is done.

At the time given in this item, records for hosts not seen within the respective LIFETIME period are removed.

hhmm (type: time, optional, default: 303)

whitelist [list];

Whitelist addresses.

list (type: host-set, optional, default: {})

max-entries [size [reserve]];

Maximum number of AK47 table entries held in PF.

size (type: uint32, optional, default: 200000)

Maximum table size.

reserve (type: uint32, optional, default: 0)

Obsolete.

save-delay [sec];

SQL transaction maximum duration.

sec (type: uint32, optional, default: 1)

honeypot {
* non-transparent ... ;
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  lifetime ... ;
}

AK47 Honeypot parameters.

Listening addresses are never assigned to any real host, so attempts to connect to them are a symptom of port scanning by the client.

The honeypot section is derived from the listen-on section prototype. For a detailed description of it, see listen-on(5).

Changes to the honeypot section:

Item transparent is not valid.

Added items & subsections:

stats-daily {
  top-clients ... ;
  top-servers ... ;
}

The stats-daily section is derived from the summary section prototype. For a detailed description of it, see application(5).

Changes to the stats-daily section:

Item top-users is not valid.

Item top-groups is not valid.

Item top-categories is not valid.

Item top-senders is not valid.

Item top-recipients is not valid.

Item top-mime-types is not valid.

Item top-qnames is not valid.

Item top-qtypes is not valid.

Item top-callers is not valid.

Item top-receivers is not valid.

Item top-sids is not valid.

Item top-server-ports is not valid.

Item spam-threshold is not valid.

Section activity-report is not valid.

Item top-src-ips is not valid.

Item top-dst-ips is not valid.

Item top-rules is not valid.

stats-weekly {
  top-clients ... ;
  top-servers ... ;
}

The stats-weekly section is derived from the summary section prototype. For a detailed description of it, see application(5).

Changes to the stats-weekly section:

Item top-users is not valid.

Item top-groups is not valid.

Item top-categories is not valid.

Item top-senders is not valid.

Item top-recipients is not valid.

Item top-mime-types is not valid.

Item top-qnames is not valid.

Item top-qtypes is not valid.

Item top-callers is not valid.

Item top-receivers is not valid.

Item top-sids is not valid.

Item top-server-ports is not valid.

Item spam-threshold is not valid.

Section activity-report is not valid.

Item top-src-ips is not valid.

Item top-dst-ips is not valid.

Item top-rules is not valid.

stats-monthly {
  top-clients ... ;
  top-servers ... ;
}

The stats-monthly section is derived from the summary section prototype. For a detailed description of it, see application(5).

Changes to the stats-monthly section:

Item top-users is not valid.

Item top-groups is not valid.

Item top-categories is not valid.

Item top-senders is not valid.

Item top-recipients is not valid.

Item top-mime-types is not valid.

Item top-qnames is not valid.

Item top-qtypes is not valid.

Item top-callers is not valid.

Item top-receivers is not valid.

Item top-sids is not valid.

Item top-server-ports is not valid.

Item spam-threshold is not valid.

Section activity-report is not valid.

Item top-src-ips is not valid.

Item top-dst-ips is not valid.

Item top-rules is not valid.

lifetime [sec];

Host record lifetime.

Hosts not seen within this period are removed from the DB.

sec (type: uint32, optional, default: 86400)

[End of section ak47.honeypot description.]

watchdog name {
  id ... ;
  file ... ;
* pattern ... ;
* threshold ... ;
  lifetime ... ;
}

The watchdog section is derived from the watchdog section prototype. For a detailed description of it, see above.

[End of section ak47 description.]

SEE ALSO

configuration(7), application(5), common(5), listen-on(5)