# DPI configuration in OpenWrt UCI syntax, one section per component.
# Notes marked NOTE(review) are inferred from option names only; confirm them
# against the scripts that read this file before relying on them.

# Global switches and output locations.
# NOTE(review): stats_dir and flow_dir are fixed, predictable paths under /tmp.
# Confirm the consumer creates them with root-only ownership and a restrictive
# mode, and does not follow a pre-existing symlink at those paths.
config global 'settings'
	option enabled '1'
	option mode 'dual'
	option correlation '1'
	option stats_dir '/tmp/secubox'
	option flow_dir '/tmp/dpi-flows'

# MITM (intercepting) stream.
# NOTE(review): buffer_dir presumably holds buffered traffic from the
# intercepting path. If so, it can contain credentials and session data in
# cleartext; verify directory permissions and that entries are purged.
# NOTE(review): buffer_size '1000' has no unit here; confirm whether it counts
# entries or bytes.
config mitm 'mitm'
	option enabled '1'
	option buffer_size '1000'
	option async_analysis '1'
	option replay_on_alert '1'
	option buffer_dir '/tmp/dpi-buffer'

# TAP (mirrored) stream: eth0 is named as the mirror source and tap0 as the
# analysis interface, with mirror_mode set to 'software'.
# NOTE(review): flow_retention '300' is presumably seconds; confirm.
config tap 'tap'
	option enabled '1'
	option interface 'tap0'
	option mirror_source 'eth0'
	option mirror_mode 'software'
	option flow_retention '300'
	option netifyd_instance 'tap'

# Correlation output and response settings.
# auto_ban is '0' in this file, so auto_ban_threshold '80' presumably has no
# effect until auto_ban is turned on. NOTE(review): before enabling it, confirm
# how management/admin addresses are exempted from automatic bans.
# NOTE(review): the output file is written under /tmp/secubox; the same
# permission check as for stats_dir applies.
config correlation 'correlation'
	option enabled '1'
	option window '60'
	option output '/tmp/secubox/correlated-threats.json'
	option watch_crowdsec '1'
	option auto_ban '0'
	option auto_ban_threshold '80'
	option notifications '1'
	option reputation_decay '5'

# LAN TAP - real-time passive flow analysis on br-lan.
# No MITM and no caching here, only nDPI flow monitoring.
# NOTE(review): track_clients and track_destinations record per-client
# activity; client_retention '3600' (presumably seconds) bounds how long that
# data is kept. Confirm this matches the site's data-retention policy.
config lan 'lan'
	option enabled '1'
	option interface 'br-lan'
	option realtime '1'
	option track_clients '1'
	option track_destinations '1'
	option track_protocols '1'
	option aggregate_interval '5'
	option client_retention '3600'
	option netifyd_instance 'lan'