# SecuBox DPI / threat-correlation configuration (OpenWrt UCI syntax).
# Sections: global, mitm, tap, correlation, scoring, whitelist, lan.
# '1'/'0' options are on/off flags. Durations (window, *_retention,
# *_interval) are presumably in seconds — confirm against the daemon
# that reads this file; auto_ban_duration uses a suffixed form ('4h').

config global 'settings'
	option enabled '1'
	# presumably selects which capture paths run (mitm and/or tap) — TODO confirm
	option mode 'dual'
	option correlation '1'
	# NOTE(review): every data directory in this file lives under /tmp, which
	# is typically tmpfs on OpenWrt, so stats, flows and buffers do not
	# survive a reboot — confirm that is intended and that the daemon
	# creates these directories with restrictive permissions.
	option stats_dir '/tmp/secubox'
	option flow_dir '/tmp/dpi-flows'

config mitm 'mitm'
	option enabled '1'
	# units of buffer_size (flows, packets or bytes) are not stated here — verify
	option buffer_size '1000'
	option async_analysis '1'
	# presumably replays the buffered traffic when an alert fires — TODO confirm
	option replay_on_alert '1'
	option buffer_dir '/tmp/dpi-buffer'

config tap 'tap'
	option enabled '1'
	option interface 'tap0'
	# traffic seen on mirror_source is mirrored to interface; 'software'
	# presumably means the daemon copies packets itself rather than a
	# switch port mirror — TODO confirm
	option mirror_source 'eth0'
	option mirror_mode 'software'
	option flow_retention '300'
	# must match a configured netifyd instance name — verify
	option netifyd_instance 'tap'

config correlation 'correlation'
	option enabled '1'
	# correlation window (presumably seconds)
	option window '60'
	option output '/tmp/secubox/correlated-threats.json'
	option watch_crowdsec '1'
	# Auto-ban is OFF. auto_ban_threshold and auto_ban_duration are
	# presumably only consulted once auto_ban is set to '1'. The
	# notification threshold (70) is below the ban threshold (80), so a
	# notification is raised before any ban would be — confirm the daemon
	# compares both against the same score.
	option auto_ban '0'
	option auto_ban_threshold '80'
	option auto_ban_duration '4h'
	option notifications '1'
	option notification_threshold '70'
	# reputation_decay: presumably score points removed every decay_interval — confirm
	option reputation_decay '5'
	option decay_interval '3600'
	# Sensitivity preset: low, medium, high, custom
	# (presets are described below; 'custom' uses the scoring section)
	option sensitivity 'medium'

# Event scoring weights (used when sensitivity=custom)
# Presumably combined into the per-source score that the correlation
# thresholds above are compared against — confirm the exact formula.
config scoring 'scoring'
	option waf_block '25'
	option waf_alert '15'
	option crowdsec_ban '30'
	option dpi_threat '20'
	option scanner '35'
	option brute_force '40'
	# presumably the weight for event types with no explicit entry — confirm
	option default '10'

# Sensitivity presets
# low: fewer false positives, only clear threats trigger ban
# medium: balanced detection (default)
# high: aggressive, more false positives but catches more threats

# Whitelist - IPs that should never be auto-banned
# Keep this list minimal and review it periodically: every entry is
# exempt from the ban path, so a whitelisted host that is compromised is
# never blocked. Prefer single hosts over whole ranges; the commented
# examples below would exempt an entire private network.
config whitelist 'whitelist'
	list ip '127.0.0.1'
	list ip '192.168.255.1'
	# Add trusted IPs here:
	# list ip '10.0.0.0/8'
	# list ip '192.168.0.0/16'

# LAN TAP - Real-time passive flow analysis
# No MITM, no caching - just nDPI flow monitoring
config lan 'lan'
	option enabled '1'
	option interface 'br-lan'
	option realtime '1'
	# per-client / per-destination / per-protocol tracking toggles
	option track_clients '1'
	option track_destinations '1'
	option track_protocols '1'
	# aggregation period and how long idle clients stay tracked (presumably seconds)
	option aggregate_interval '5'
	option client_retention '3600'
	# must match a configured netifyd instance name — verify
	option netifyd_instance 'lan'