examples/ghost.toml

# Ghost Detection Engine Configuration
# This file contains all configurable options for the detection engine.

# Enable or disable shellcode pattern detection
shellcode_detection = true

# Enable or disable process hollowing detection
hollowing_detection = true

# Enable or disable Windows hook injection detection
hook_detection = true

# Minimum confidence threshold for suspicious classification (0.0 - 1.0)
# Lower values are more sensitive but may produce false positives
confidence_threshold = 0.3

# Skip known safe system processes to improve performance
skip_system_processes = true

# Maximum memory size to scan per process in bytes (100MB default)
max_memory_scan_size = 104857600

# Enable thread behavior analysis
thread_analysis_enabled = true

# Enable evasion technique detection (anti-debugging, VM detection, etc.)
evasion_detection = true

# Enable MITRE ATT&CK framework mapping
mitre_mapping = true

# Scan interval in milliseconds for continuous monitoring
scan_interval_ms = 2000

# Optional process filter configuration
[process_filter]
# Whitelist: only scan these processes (empty means scan all)
whitelist = []

# Blacklist: never scan these processes
blacklist = []

# System processes to skip (Windows-specific)
system_processes = [
    "csrss.exe",
    "wininit.exe",
    "winlogon.exe",
    "dwm.exe",
    "explorer.exe",
    "smss.exe",
    "services.exe",
    "lsass.exe"
]
refactor: comprehensive codebase improvements and documentation - Enhanced error handling with expanded GhostError variants and From impls - Fixed race conditions in TUI (ui.rs unwrap calls) - Added comprehensive module documentation with doc comments - Improved type safety with proper validation in DetectionConfig - Implemented Linux process enumeration via procfs - Refactored TUI for better state management and removed emojis - Enhanced CLI with proper logging initialization - Added example configuration file (examples/ghost.toml) - Updated README with complete feature documentation - Added performance optimizations (saturating arithmetic, reduced clones) - Improved testing framework with proper struct initialization - Added validation and preset modes to DetectionConfig 2025-11-17 21:28:37 +02:00			`# Ghost Detection Engine Configuration`
			`# This file contains all configurable options for the detection engine.`

			`# Enable or disable shellcode pattern detection`
			`shellcode_detection = true`

			`# Enable or disable process hollowing detection`
			`hollowing_detection = true`

			`# Enable or disable Windows hook injection detection`
			`hook_detection = true`

			`# Minimum confidence threshold for suspicious classification (0.0 - 1.0)`
			`# Lower values are more sensitive but may produce false positives`
			`confidence_threshold = 0.3`

			`# Skip known safe system processes to improve performance`
			`skip_system_processes = true`

			`# Maximum memory size to scan per process in bytes (100MB default)`
			`max_memory_scan_size = 104857600`

			`# Enable thread behavior analysis`
			`thread_analysis_enabled = true`

			`# Enable evasion technique detection (anti-debugging, VM detection, etc.)`
			`evasion_detection = true`

			`# Enable MITRE ATT&CK framework mapping`
			`mitre_mapping = true`

			`# Scan interval in milliseconds for continuous monitoring`
			`scan_interval_ms = 2000`

			`# Optional process filter configuration`
			`[process_filter]`
			`# Whitelist: only scan these processes (empty means scan all)`
			`whitelist = []`

			`# Blacklist: never scan these processes`
			`blacklist = []`

			`# System processes to skip (Windows-specific)`
			`system_processes = [`
			`"csrss.exe",`
			`"wininit.exe",`
			`"winlogon.exe",`
			`"dwm.exe",`
			`"explorer.exe",`
			`"smss.exe",`
			`"services.exe",`
			`"lsass.exe"`
			`]`