Last active
July 15, 2025 17:45
-
-
Save niedbalski/8f9811abb8cef0f6ddcdfca502626aed to your computer and use it in GitHub Desktop.
Jibril Network Policy config
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #### Jibril Configuration File. | |
| #### Basic configuration. | |
| log-level: info | |
| stdout: stdout | |
| stderr: stderr | |
| chop-lines: false | |
| no-health: false | |
| profiler: true | |
| cardinal: true | |
| daemon: false | |
| notify: false | |
| #### Extensions, plugins and printers. | |
| extension: | |
| #### Enable extensions here | |
| # - example | |
| # - simple | |
| - config | |
| - data | |
| - jibril | |
| plugin: | |
| #### Enable plugins here | |
| # - example:helloworld | |
| # - simple:printers | |
| - jibril:hold | |
| - jibril:procfs | |
| - jibril:printers | |
| # - jibril:jbconfig | |
| # - jibril:pause | |
| - jibril:alchemies:builtin=true | |
| - jibril:detect | |
| #- jibril:attenuator:enabled=true:model=o3:temperature=1:mode=reason | |
| # - jibril:attenuator:enabled=true:model=o3:temperature=1:mode=block | |
| # - jibril:netpolicy:file=/var/run/secrets/jibril/network-policy.yaml | |
| # - jibril:github | |
| printer: | |
| ### Enable printers here | |
| # - simple:printers:voidprinter | |
| - jibril:printers:stdout | |
| # - jibril:printers:stdout:raw=true | |
| # - jibril:printers:varlog | |
| # - jibril:printers:garnet | |
| # - jibril:printers:garnet:error_log_rate=30s | |
| # - jibril:github:listendev | |
| # - jibril:github:listendevdebug | |
| #### Event configuration. | |
| event: | |
| #### Informational events about network policy applied | |
| # - jibril:netpolicy:dropip | |
| # - jibril:netpolicy:dropdomain | |
| #### Informational events about network flows | |
| # - jibril:detect:flow | |
| #### Detection recipes for file access patterns | |
| - jibril:detect:file_example | |
| - jibril:detect:auth_logs_tamper | |
| - jibril:detect:binary_self_deletion | |
| - jibril:detect:capabilities_modification | |
| - jibril:detect:code_modification_through_procfs | |
| - jibril:detect:core_pattern_access | |
| - jibril:detect:cpu_fingerprint | |
| - jibril:detect:credentials_files_access | |
| - jibril:detect:crypto_miner_files | |
| - jibril:detect:environ_read_from_procfs | |
| - jibril:detect:filesystem_fingerprint | |
| - jibril:detect:global_shlib_modification | |
| - jibril:detect:java_debug_lib_load | |
| - jibril:detect:java_instrument_lib_load | |
| - jibril:detect:machine_fingerprint | |
| - jibril:detect:os_fingerprint | |
| - jibril:detect:os_network_fingerprint | |
| - jibril:detect:os_status_fingerprint | |
| - jibril:detect:package_repo_config_modification | |
| - jibril:detect:pam_config_modification | |
| - jibril:detect:sched_debug_access | |
| - jibril:detect:shell_config_modification | |
| - jibril:detect:ssl_certificate_access | |
| - jibril:detect:sudoers_modification | |
| - jibril:detect:sysrq_access | |
| - jibril:detect:unprivileged_bpf_config_access | |
| ##### Detection recipes for execution patterns | |
| - jibril:detect:exec_example | |
| - jibril:detect:binary_executed_by_loader | |
| - jibril:detect:code_on_the_fly | |
| #- jibril:detect:credentials_text_lookup | |
| - jibril:detect:crypto_miner_execution | |
| - jibril:detect:data_encoder_exec | |
| - jibril:detect:denial_of_service_tools | |
| - jibril:detect:exec_from_unusual_dir | |
| - jibril:detect:file_attribute_change | |
| - jibril:detect:hidden_elf_exec | |
| - jibril:detect:interpreter_shell_spawn | |
| - jibril:detect:net_filecopy_tool_exec | |
| - jibril:detect:net_mitm_tool_exec | |
| - jibril:detect:net_scan_tool_exec | |
| - jibril:detect:net_sniff_tool_exec | |
| - jibril:detect:net_suspicious_tool_exec | |
| - jibril:detect:net_suspicious_tool_shell | |
| - jibril:detect:passwd_usage | |
| - jibril:detect:runc_suspicious_exec | |
| - jibril:detect:webserver_exec | |
| - jibril:detect:webserver_shell_exec | |
| ##### Detection recipes for network peers patterns | |
| - jibril:detect:peer_example | |
| - jibril:detect:adult_domain_access | |
| - jibril:detect:badware_domain_access | |
| #- jibril:detect:cloud_metadata_access | |
| - jibril:detect:dyndns_domain_access | |
| - jibril:detect:fake_domain_access | |
| - jibril:detect:gambling_domain_access | |
| - jibril:detect:piracy_domain_access | |
| - jibril:detect:plaintext_communication | |
| - jibril:detect:threat_domain_access | |
| - jibril:detect:tracking_domain_access | |
| - jibril:detect:vpnlike_domain_access | |
| #### Advanced configuration. | |
| # | |
| # Cadence configuration. | |
| # | |
| # Note: The cadence interval determines how often behavioral patterns are evaluated, not | |
| # the detection accuracy itself. All monitored resources maintain cached behavioral state | |
| # that gets analyzed at each cadence interval. Shorter intervals may increase CPU usage | |
| # and require larger cache sizes to avoid losing behavioral data. Detection accuracy | |
| # depends on the combination of evaluation frequency, the rate of behavioral changes | |
| # between intervals, and cache capacity. | |
| # | |
| cadences: | |
| file_access: 6 # 15 sec interval in between file access patterns check. | |
| network_peers: 6 # 15 sec interval in between network peers patterns check. | |
| network_flows: 6 # 15 sec interval in between network flows patterns check. | |
| # | |
| # Cache configuration. | |
| # | |
| # Note: The cache size determines how much behavioral data is stored for each monitored | |
| # resource. Larger caches can improve detection accuracy by providing more context for | |
| # pattern analysis, but require bigger memory footprint. The cache size should be adjusted | |
| # based on the expected rate of behavioral changes and the desired detection accuracy. | |
| # | |
| #### Average: | |
| #### Average memory consumption. | |
| #### Reasonable file-access miss-detection. | |
| caches: | |
| #### Tasks. | |
| jb_tasks: 65536 # Tasks. | |
| jb_cmds: 32768 # Commands. | |
| jb_args: 32768 # Arguments. | |
| jb_rectasks: 4096 # Recent tasks. | |
| jb_thashcache: 4096 # Task hash cache. | |
| #### Files. | |
| jb_files: 32768 # Files. | |
| jb_dirs: 8192 # Directories. | |
| jb_bases: 16384 # Bases. | |
| #### Files references. | |
| jb_filetask: 32768 # File + Task. | |
| jb_taskfile: 32768 # Task + File. | |
| jb_filerefs: 32768 # File references. | |
| #### Flows. | |
| jb_flows: 32768 # Flows. | |
| #### Flows references. | |
| jb_taskflow: 32768 # Task + Flow. | |
| jb_flowtask: 32768 # Flow + Task. | |
| jb_flowrefs: 32768 # Flow references. | |
| #### Domains. | |
| jb_domains: 16384 # Domains. | |
| jb_canons: 16384 # Canonical domains. | |
| jb_peers: 16384 # Peers. | |
| #### Heavy I/O: | |
| #### Bigger memory consumption. | |
| #### Lower miss-detection. | |
| # caches: | |
| # #### Tasks. | |
| # jb_tasks: 65536 | |
| # jb_cmds: 32768 | |
| # jb_args: 32768 | |
| # jb_rectasks: 32768 | |
| # jb_thashcache: 8192 | |
| # #### Files. | |
| # jb_files: 32768 | |
| # jb_dirs: 32768 | |
| # jb_bases: 32768 | |
| # #### Files references. | |
| # jb_filetask: 524288 | |
| # jb_taskfile: 524288 | |
| # jb_filerefs: 524288 | |
| # #### Flows. | |
| # jb_flows: 32768 | |
| # #### Flows references. | |
| # jb_taskflow: 131072 | |
| # jb_flowtask: 131072 | |
| # jb_flowrefs: 131072 | |
| # #### Domains. | |
| # jb_domains: 32768 | |
| # jb_canons: 32768 | |
| # jb_peers: 32768 | |
| #### Low Footprint: | |
| #### Small memory consumption. | |
| #### Possible file-access miss-detection. | |
| # caches: | |
| # #### Tasks. | |
| # jb_tasks: 16384 | |
| # jb_cmds: 8192 | |
| # jb_args: 8192 | |
| # jb_rectasks: 8192 | |
| # jb_thashcache: 4096 | |
| # #### Files. | |
| # jb_files: 8192 | |
| # jb_dirs: 8192 | |
| # jb_bases: 8192 | |
| # #### Files references. | |
| # jb_filetask: 16384 | |
| # jb_taskfile: 16384 | |
| # jb_filerefs: 16384 | |
| # #### Flows. | |
| # jb_flows: 8192 | |
| # #### Flows references. | |
| # jb_taskflow: 16384 | |
| # jb_flowtask: 16384 | |
| # jb_flowrefs: 16384 | |
| # # Domains. | |
| # jb_domains: 8192 | |
| # jb_canons: 8192 | |
| # jb_peers: 8192 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| network_policy: | |
| # cidr_mode: "alert" | |
| cidr_mode: "both" | |
| cidr_policy: "allow" | |
| resolve_mode: "alert" | |
| resolve_policy: "allow" | |
| rules: | |
| # Whitelist Everything (test only). | |
| # - cidr: "0.0.0.0/0" | |
| # policy: "allow" | |
| # Whitelisted CIDRs (localhost). | |
| - cidr: "127.0.0.0/8" | |
| policy: "allow" | |
| - cidr: "::1/128" | |
| policy: "allow" | |
| # Whitelisted CIDRs (internal networks). | |
| - cidr: "192.168.0.0/16" | |
| policy: "allow" | |
| - cidr: "172.16.0.0/16" | |
| policy: "allow" | |
| - cidr: "10.0.0.0/8" | |
| policy: "allow" | |
| - cidr: "10.0.0.1/32" | |
| policy: "allow" | |
| # Whitelisted CIDRs (nameservers). | |
| - cidr: "8.8.8.8/32" | |
| policy: "allow" | |
| - cidr: "8.8.4.4/32" | |
| policy: "allow" | |
| - cidr: "1.1.1.1/32" | |
| policy: "allow" | |
| - cidr: "9.9.9.9/32" | |
| policy: "allow" | |
| # Whitelisted Domains. | |
| # - domain: "org" | |
| # policy: "allow" | |
| # - domain: "google.com" | |
| # policy: "allow" | |
| #- domain: "example.com" | |
| # policy: "deny" | |
| # - domain: "uol.com.br" | |
| # policy: "deny" | |
| # - domain: "a.b.c.d.e.f.g.h.i.j.k.l.m.n.o.p.q.r.s.t.u.v.w.x.y.z.com.br" | |
| # policy: "deny" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment