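# Configuration file for MayOne Security Framework
#
# Plain module-level constants. The values use Python literals (True, None),
# so this file is Python, not TOML/INI.

# --- Detection thresholds ---

# Risk threshold (0-1) above which action is taken.
THRESHOLD = 0.6

# Time window in seconds for burst/scan detection.
TIME_WINDOW = 10

# Number of unique ports from one src in TIME_WINDOW.
PORT_SCAN_THRESHOLD = 20

# Number of failed-like packets (e.g., TCP to port 22/3389).
# NOTE(review): no window is stated here; presumably counted per TIME_WINDOW.
# Confirm against the detector.
BRUTE_FORCE_THRESHOLD = 10

# Packets per second from one src to trigger DDoS suspicion.
DDoS_THRESHOLD = 100

# Packets in 1 second from one src.
# NOTE(review): BURST_THRESHOLD and DDoS_THRESHOLD are both per-source,
# per-second packet counts; confirm how the detector tells the two apart.
BURST_THRESHOLD = 50

# --- Response ---

# Automatically block IP via Windows Firewall.
# NOTE(review): the source address of flood-type traffic can be forged, so
# blocking on per-source packet counts alone may cut off a legitimate host.
# Confirm that blocks are logged and can be reviewed or reverted.
AUTO_BLOCK = True

# One of: DEBUG, INFO, WARNING, ERROR.
LOG_LEVEL = "INFO"

# Seconds between automatic reports (10 minutes).
REPORT_INTERVAL = 600

# Network interface to sniff (use None for default), e.g. "Ethernet" or "Wi-Fi".
NETWORK_INTERFACE = None

# --- Dashboard ---

# Loopback only. The dashboard can toggle GeoIP blocking (see
# ENABLE_GEOIP_BLOCK), so binding to a non-loopback address exposes that
# control to the network.
# NOTE(review): confirm the dashboard requires authentication before changing this.
DASHBOARD_HOST = "127.0.0.1"
DASHBOARD_PORT = 5000

# --- Database ---

# NOTE(review): relative path; presumably resolved against the process working
# directory. Confirm the file is not readable by unprivileged users.
DB_PATH = "database/security_events.db"

# --- Whitelisted private IP ranges (CIDR) ---

# Loopback plus the three RFC 1918 IPv4 ranges. No IPv6 ranges are listed.
# NOTE(review): if whitelisted sources skip detection entirely, scanning or
# brute forcing that originates from a compromised internal host would go
# unreported. Confirm whether the whitelist suppresses blocking only, or
# logging as well.
PRIVATE_RANGES = [
    "127.0.0.0/8",
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
]

# --- GeoIP blocking ---

# Default state (can be toggled from dashboard).
ENABLE_GEOIP_BLOCK = True
GEOIP_DB_PATH = "geoip/GeoLite2-Country.mmdb"

# Two-letter country codes (these look like ISO 3166-1 alpha-2).
# Country-level GeoIP is coarse: it does not identify traffic relayed through
# a VPN, proxy or cloud host in another country, so treat this list as one
# risk signal rather than a trust boundary.
HIGH_RISK_COUNTRIES = ["RU", "CN", "KP", "IR", "SY", "UA", "AF", "IQ", "LY", "SO"]

# --- PCAP export ---

# Max number of raw packets to keep.
# Raw packets can carry credentials and other payload data; store and share
# exported captures with the same care as the event database.
PCAP_BUFFER_SIZE = 10000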