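---
# XDP Defense - Unified Configuration
# Combines CIDR/country/whitelist blocking with DDoS rate limiting + AI detection
#
# NOTE(review): this document was reconstructed from a source collapsed onto a
# single line (which does not parse as YAML). Key names and values are kept
# verbatim; the nesting of `profiles` under `rate_limits` and the top-level
# placement of `escalation`, `ewma` and `ai` is the most plausible reading —
# confirm against the daemon's config loader.

general:
  interface: eth0
  log_level: info  # debug, info, warning, error
  pid_file: /var/lib/xdp-defense/daemon.pid
  data_dir: /var/lib/xdp-defense
  bpf_dir: /opt/xdp-defense/bpf
  pin_path: /sys/fs/bpf/xdp-defense

blocker:
  enabled: true
  # Existing data path (blocklist, countries, whitelist).
  config_dir: /etc/xdp-blocker

rate_limits:
  default_pps: 1000  # packets per second threshold
  default_bps: 0  # bytes per second (0 = disabled)
  window_sec: 1  # time window in seconds

  # Time-based profiles (daemon switches automatically).
  # Values containing ':' must stay quoted, otherwise YAML parses them as
  # sexagesimal integers or nested mappings.
  profiles:
    business_hours:
      hours: "09:00-18:00"
      weekdays: "mon-fri"
      pps: 2000  # higher during business hours
      bps: 0
    night:
      hours: "00:00-06:00"
      # No `weekdays` key here — presumably applies every day; verify with the loader.
      pps: 500  # stricter at night
      bps: 0

escalation:
  # Violations before escalation.
  rate_limit_after: 1  # violations before eBPF rate limiting kicks in
  temp_block_after: 5  # violations before temporary block
  perm_block_after: 999999  # effectively disabled

  # Temporary block duration (seconds).
  temp_block_duration: 300  # 5 minutes

  # Violation memory window (seconds) - violations older than this are forgotten.
  violation_window: 600  # 10 minutes

  # Cooldown: after unblocking, track more aggressively.
  cooldown_multiplier: 0.5  # multiply thresholds by this after recent block

ewma:
  alpha: 0.3  # EWMA smoothing factor (0-1, higher = more reactive)
  poll_interval: 1  # seconds between rate counter polls
  threshold_multiplier: 3.0  # alert when EWMA > multiplier * baseline

ai:
  enabled: true
  model_type: IsolationForest
  contamination: auto  # let sklearn decide boundary
  n_estimators: 100  # number of trees

  # Learning phase.
  learning_duration: 86400  # 24 hours baseline collection
  min_samples: 1000  # minimum samples before training

  # Inference.
  poll_interval: 5  # seconds between feature reads
  anomaly_threshold: -0.16  # sklearn decision_function threshold

  # Retraining.
  retrain_interval: 86400  # auto-retrain interval (seconds, default 24h)
  retrain_window: 86400  # data range for retrain (most recent N seconds)

  # The model is persisted as a pickle (.pkl). Unpickling executes code from
  # the file, so the daemon should only load it from a location writable by
  # the daemon's own user (no group/world write on the data directory), and
  # a missing or corrupt file should trigger retraining rather than a fallback
  # to an untrusted path.
  model_file: /var/lib/xdp-defense/ai_model.pkl
  training_data_file: /var/lib/xdp-defense/training_data.csv

  # Traffic logging.
  traffic_log_file: /var/lib/xdp-defense/traffic_log.csv
  traffic_log_retention_days: 7  # days to keep traffic log data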