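#
# Daemon options
#
# netsquid daemon configuration. Keys are global (no [section] headers),
# `#` starts a full-line comment, and list values are comma separated.
# Binary and file locations should be absolute paths; an empty value
# means "use the default named in the comment above the key".

# Hosts to exclude from being blocked
# Anything listed here is never blocked, so this file should be writable
# only by the administrator of the daemon.
excludefile = /usr/local/etc/netsquid.exclude
# Hosts that are currently blocked (read/write)
# The daemon writes this file; keep it and its directory writable only
# by the user the daemon runs as.
blockedhosts = /var/log/netsquid/hosts
# History of hosts that have been blocked (directory)
blockedhistory = /var/log/netsquid/history
# Time Units, minutes or hours is allowed as is min or hr
unit = minutes
# Time limit (calculated in units)
limit = 15
# IP of the host to redirect to, commonly the IP of the bridge
redirectip = 127.0.0.1
# A single DNS server or list of DNS servers to allow traffic to
# the list should be comma separated
DNS =
# Exclude HTTP
# This can be a host that you don't want HTTP redirected for
# For example: A patch server
HTTP =
# Location of the tail binary (defaults to /usr/bin/tail)
tail =
#
# Other types of blocking
#
# Blocked based on class instead of all alerts triggered
# 1 = yes 0 = no
classblock = 1
# Block on the following classes, can be a ',' separated list
# must be how they appear in /etc/classification.config
classes = Misc activity, SCORE! Get the lotion!
#
# Snort related config
# 'snort' and 'snortconf' need only be specified if you are
# starting snort from within the daemon. '-s' flag
#
# Location of snort alert file defaults to /var/log/snort/alert
alertfile = /var/log/snort/alert
# Location of snort binary (defaults to /usr/local/bin/snort)
snort =
# Location of snort.conf (defaults to /etc/snort.conf)
snortconf =
#
# DHCP server detection options
#
# Discover rogue DHCP servers 1 = yes 0 = no
dhcpdetect = 0
# Time limit (calculated in units) to send DHCP discover packets
# Only works if dhcpdetect = 1
dhcpsleep = 15
# Send email alert when rogue DHCP server found?
# presumably 1 = yes 0 = no, as for dhcpdetect above
dhcpemailalert = 1
# MAC address of localhost (this host's own address on `interface`)
mac = 00:30:48:42:76:3C
# Interface to send discover packets out of, br0 works nicely
# for Linux hosts in bridge mode
interface = br0
#
# Email setup
# requires sendmail to be installed
#
# Location of Sendmail Binary
sendmail = /usr/bin/sendmail
# To, who to address the email to
to = you@your.org
# Carbon Copies, comma separated list of email addresses works fine
# (leave empty for none)
#cc = admin@your.org, boss@your.org
cc =
# Subject
subject = Rogue DHCP server(s) detected in Network X
# From
from = netsquid@your.org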