# Example Configuration Files

This directory contains example configuration files for production IBSR deployments.

## Files

| File | Description | Install Location |
|------|-------------|------------------|
| `ibsr.service` | Systemd service unit | `/etc/systemd/system/ibsr.service` |
| `ibsr-logrotate` | Logrotate config for `status.jsonl` | `/etc/logrotate.d/ibsr` |

## Quick Setup

```bash
# Create output directory
sudo mkdir -p /var/lib/ibsr/snapshots

# Install systemd service
sudo cp ibsr.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable ibsr
sudo systemctl start ibsr

# Install logrotate config
sudo cp ibsr-logrotate /etc/logrotate.d/ibsr
```

## Customization

### Systemd Service

Edit the `ExecStart` line to customize. Systemd unit files do not accept trailing comments after a value (text after the `\` would be passed to `ibsr` as arguments), so each flag is described above the line rather than beside it:

```ini
# -p           Ports to monitor (repeat the flag for each port)
# --out-dir    Snapshot output directory
# --max-files  Max snapshot files
# --max-age    Max age in seconds
# --map-size   BPF map size
# -v           Verbosity
ExecStart=/usr/local/bin/ibsr collect \
    -p 22 -p 80 -p 443 \
    --out-dir /var/lib/ibsr/snapshots \
    --max-files 3600 \
    --max-age 86400 \
    --map-size 100000 \
    -v
```
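The `--max-files` and `--max-age` flags define a retention policy for the snapshot directory. The following added example (not ibsr's own code) shows one interpretation of that policy in plain Python: snapshots older than `max_age` seconds are dropped first, then the oldest survivors beyond `max_files`. The file names, the use of modification time as the snapshot's age, and the `prune_snapshots` helper are assumptions made for the illustration.

```python
"""Snapshot retention in the spirit of --max-files / --max-age.

Added illustration, not ibsr's own code. Assumes each snapshot is a regular
file in the output directory and that its mtime is its creation time.
"""
import os
import tempfile
import time


def prune_snapshots(out_dir, max_files, max_age, now=None):
    """Delete snapshots older than max_age seconds, then the oldest ones
    beyond max_files. Returns the surviving file names, oldest first."""
    now = time.time() if now is None else now
    entries = []
    for name in os.listdir(out_dir):
        path = os.path.join(out_dir, name)
        if os.path.isfile(path):
            entries.append((os.path.getmtime(path), name))
    entries.sort()  # oldest first

    survivors = []
    for mtime, name in entries:
        if now - mtime > max_age:
            os.remove(os.path.join(out_dir, name))  # age limit
        else:
            survivors.append(name)
    while len(survivors) > max_files:
        os.remove(os.path.join(out_dir, survivors.pop(0)))  # count limit
    return survivors


def demo():
    """Constructed directory: five snapshots with ages from ~28 h down to 10 s,
    pruned with max_files=3 and max_age=86400 (the values from the unit above)."""
    out_dir = tempfile.mkdtemp()
    now = 1_700_000_000
    for i, age in enumerate([100_000, 5_000, 3_000, 1_000, 10]):
        path = os.path.join(out_dir, f"snap-{i}.json")  # constructed file name
        open(path, "w").close()
        os.utime(path, (now - age, now - age))
    return prune_snapshots(out_dir, max_files=3, max_age=86400, now=now)


if __name__ == "__main__":
    print(demo())
```

In `demo()` the 100000-second-old file exceeds `max_age`, and the oldest of the remaining four exceeds `max_files`, so three snapshots survive.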

### Logrotate

The default config rotates `status.jsonl` daily with 7-day retention. Adjust `rotate` and `daily`/`weekly` as needed.

## Example Report Output

Below is an example `report.md` showing the format of IBSR reports.

**Note:** In pilot deployments, reports are generated by NullRabbit from your uploaded snapshots. You do not need to run `ibsr-report` yourself; the example below shows what you will receive.

This example shows a report when no abuse is detected, representing normal traffic conditions.

# IBSR Report

## 1. Scope & Configuration

- **Time window start**: 1767877804
- **Time window end**: 1767951184
- **Duration**: 73380 seconds
- **Destination ports**: 22, 80, 443, 8080, 8443, 9200
- **Window size**: 10 seconds
- **SYN rate threshold**: 100.0 SYN/sec
- **Success ratio threshold**: 0.10
- **Block duration**: 300 seconds
- **Allowlist**: None configured

## 2. Abuse Pattern Observed

No abuse pattern detected matching the trigger conditions.

## 3. Counterfactual Enforcement Impact

### Blocked Traffic (if rules were enforced)

- **Packets blocked**: 0.0%
- **Bytes blocked**: 0.0%
- **SYN blocked**: 0.0%

### False Positive Bound

- **FP bound**: 0.0%
- No likely legitimate traffic would be blocked.

### Uncertainty

- Analysis based on 11556 total packets, 4985 total SYN.

## 4. Candidate Enforcement Rules

```json
{
  "version": 3,
  "generated_at": 1769175097,
  "match_criteria": {
    "proto": "tcp",
    "dst_ports": [22, 80, 443, 8080, 8443, 9200]
  },
  "triggers": [],
  "exceptions": []
}
```

## 5. Readiness Judgment

**This abuse class IS NOT safe for autonomous enforcement.**

Gating reasons:

- No abuse pattern detected

When abuse is detected, the report includes specific trigger rules, episode details, and a recommendation on whether enforcement is safe.
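To make the report's numbers concrete, here is an added Python example (not ibsr's or NullRabbit's code) that works through the pipeline the sections above describe on constructed traffic: it applies the Scope & Configuration thresholds per source over 10-second windows, computes the counterfactual enforcement impact and a false-positive bound, emits a candidate-rules document in the version-3 shape shown in section 4, and applies the "no abuse pattern detected" gate from section 5. The packet record format, the per-trigger fields inside `"triggers"`, the definition of the FP bound (blocked SYNs that nonetheless completed a handshake), and the second readiness gate are assumptions made for the illustration; the page shows only the empty-trigger case.

```python
"""Windowed SYN-abuse trigger evaluation with counterfactual impact.

Added illustration, not ibsr's own code. Interprets the report thresholds as:
a source triggers when, within one window, its SYN rate is >= SYN_RATE and its
success ratio (SYNs that completed a handshake) is < SUCCESS_RATIO. A block
then applies from the end of that window for BLOCK_DURATION seconds.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

# Values as listed in the example report's Scope & Configuration section.
WINDOW = 10            # seconds
SYN_RATE = 100.0       # SYN/sec
SUCCESS_RATIO = 0.10
BLOCK_DURATION = 300   # seconds


@dataclass(frozen=True)
class Pkt:
    ts: int           # epoch seconds
    src: str
    dport: int
    nbytes: int
    syn: bool         # client SYN
    completed: bool   # this SYN led to a completed handshake (constructed label)


def make_sample() -> list[Pkt]:
    """Constructed traffic: one flooding source and one normal client."""
    pkts = []
    # 10.0.0.9 sends 3000 SYNs over 20 s (150 SYN/s); 1 in 50 completes.
    for i in range(3000):
        pkts.append(Pkt(1000 + i // 150, "10.0.0.9", 443, 60, True, i % 50 == 0))
    # 192.0.2.5 opens 20 connections over 60 s, all complete, each with data.
    for i in range(20):
        pkts.append(Pkt(1000 + i * 3, "192.0.2.5", 443, 60, True, True))
        pkts.append(Pkt(1000 + i * 3, "192.0.2.5", 443, 1400, False, False))
    return pkts


def find_triggers(pkts: list[Pkt]) -> dict[str, int]:
    """Return {src: block_start_ts} for sources meeting the trigger condition."""
    syn, ok = defaultdict(int), defaultdict(int)
    for p in pkts:
        if p.syn:
            key = (p.src, p.ts // WINDOW)
            syn[key] += 1
            ok[key] += int(p.completed)
    triggers = {}
    for (src, w), n in sorted(syn.items(), key=lambda kv: kv[0][1]):
        if src in triggers:
            continue
        if n / WINDOW >= SYN_RATE and ok[(src, w)] / n < SUCCESS_RATIO:
            triggers[src] = (w + 1) * WINDOW  # enforce from the end of the window
    return triggers


def counterfactual(pkts: list[Pkt], triggers: dict[str, int]) -> dict[str, float]:
    """Share of packets/bytes/SYN a block would have dropped, plus an FP bound:
    the share of blocked SYNs that still completed a handshake (assumed definition)."""
    tot = {"packets": 0, "bytes": 0, "syn": 0}
    blk = {"packets": 0, "bytes": 0, "syn": 0}
    fp_syn = 0
    for p in pkts:
        tot["packets"] += 1; tot["bytes"] += p.nbytes; tot["syn"] += int(p.syn)
        start = triggers.get(p.src)
        if start is not None and start <= p.ts < start + BLOCK_DURATION:
            blk["packets"] += 1; blk["bytes"] += p.nbytes; blk["syn"] += int(p.syn)
            fp_syn += int(p.syn and p.completed)
    pct = lambda k: round(100.0 * blk[k] / tot[k], 1) if tot[k] else 0.0
    return {"packets_blocked_pct": pct("packets"), "bytes_blocked_pct": pct("bytes"),
            "syn_blocked_pct": pct("syn"),
            "fp_bound_pct": round(100.0 * fp_syn / blk["syn"], 1) if blk["syn"] else 0.0}


def candidate_rules(triggers: dict[str, int], dst_ports: list[int], generated_at: int) -> dict:
    """Candidate-rules document in the version-3 shape of the example report.
    The per-trigger fields are assumed; the report only shows an empty list."""
    return {
        "version": 3,
        "generated_at": generated_at,
        "match_criteria": {"proto": "tcp", "dst_ports": dst_ports},
        "triggers": [{"src": s, "block_from": t, "block_seconds": BLOCK_DURATION}
                     for s, t in sorted(triggers.items())],
        "exceptions": [],
    }


def readiness(rules: dict, impact: dict[str, float]) -> tuple[bool, list[str]]:
    """Gate as in the example (no triggers -> not safe), plus an assumed second
    gate: the FP bound must stay below the success-ratio threshold."""
    reasons = []
    if not rules["triggers"]:
        reasons.append("No abuse pattern detected")
    if impact["fp_bound_pct"] / 100.0 >= SUCCESS_RATIO:
        reasons.append("False positive bound too high")
    return (not reasons), reasons


if __name__ == "__main__":
    sample = make_sample()
    trig = find_triggers(sample)
    impact = counterfactual(sample, trig)
    print(trig, impact, readiness(candidate_rules(trig, [443], 0), impact))
```

On the constructed sample, only 10.0.0.9 triggers (150 SYN/s, 2% success) and the block starts at the end of its first window, so roughly half of all packets and SYNs would have been dropped while the normal client is untouched; with an empty trigger list the gate reproduces the report's "No abuse pattern detected" reason.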

## See Also
