| 1 | +# Configuration Reference |
| 2 | + |
| 3 | +pxSentinel's configuration is split across three files in the `shared/` directory. Each file is loaded by `fxmanifest.lua` before the main server script runs, so all values are available at startup. |
| 4 | + |
| 5 | +--- |
| 6 | + |
| 7 | +## `shared/config.lua` — General Settings |
| 8 | + |
| 9 | +```lua |
| 10 | +Config = {} |
| 11 | + |
| 12 | +Config.Enable = true |
| 13 | +Config.ConsolePrint = true |
| 14 | +Config.StopResources = false |
| 15 | +Config.StopServer = false |
| 16 | +Config.ScanDelay = 5000 |
| 17 | + |
| 18 | +Config.Discord = { |
| 19 | + Enabled = true, |
| 20 | + Webhook = GetConvar('pxSentinel:webhook', ''), |
| 21 | +} |
| 22 | +``` |
| 23 | + |
| 24 | +### Options |
| 25 | + |
| 26 | +| Option | Type | Default | Description | |
| 27 | +|---|---|---|---| |
| 28 | +| `Config.Enable` | `boolean` | `true` | Master switch. Set to `false` to disable all scanning and event handling. | |
| 29 | +| `Config.ConsolePrint` | `boolean` | `true` | Print a structured detection report to the server console when a signature is matched. Includes the resource name, file path, matched signature, and a numbered remediation checklist. | |
| 30 | +| `Config.StopResources` | `boolean` | `false` | Call `StopResource()` on each infected resource immediately after detection. See the [kill-switch warning](detection-response.md#the-kill-switch-problem) before enabling. | |
| 31 | +| `Config.StopServer` | `boolean` | `false` | Call `os.exit(1)` to halt the server after all detections have been handled and the Discord alert has been dispatched. | |
| 32 | +| `Config.ScanDelay` | `number` | `5000` | Milliseconds to wait from self-start before running the initial full scan. This allows other resources time to register their file metadata. Increase this value if your server has a very large number of resources. | |
| 33 | +| `Config.Discord.Enabled` | `boolean` | `true` | Send a Discord embed alert when a detection occurs. Requires a valid webhook URL. | |
| 34 | +| `Config.Discord.Webhook` | `string` | `""` | The Discord webhook URL. Reads from the `pxSentinel:webhook` server convar by default. Hardcoding a URL here works but is not recommended. | |
| 35 | + |
| 36 | +### Notes on containment options |
| 37 | + |
| 38 | +When both `Config.StopResources` and `Config.StopServer` are `true`, pxSentinel stops each infected resource first and then halts the server. The Discord alert is sent before either action. |
| 39 | + |
| 40 | +`Config.StopResources` defaults to `false` because sophisticated backdoors hook `onResourceStop` and call `os.exit()` as a self-defense mechanism. See [Detection & Response](detection-response.md) for the full explanation and the recommended manual workflow. |
| 41 | + |
| 42 | +--- |
| 43 | + |
| 44 | +## `shared/blocked.lua` — Malware Signatures |
| 45 | + |
| 46 | +Defines `Config.Signatures`, a list of plain-text strings. Every string in this list is checked against the content of every server script file in every loaded resource. |
| 47 | + |
| 48 | +```lua |
| 49 | +Config.Signatures = { |
| 50 | + 'cipher-panel', |
| 51 | + 'blum-panel', |
| 52 | + 'ketamin.cc', |
| 53 | + -- ... |
| 54 | +} |
| 55 | +``` |
| 56 | + |
| 57 | +Signatures are plain strings. **Lua pattern metacharacters (`.`, `*`, `+`, `(`, `%`, etc.) are always treated as literals** — never as pattern syntax. This is enforced by passing `true` as the fourth argument to `string.find` on every match call. |
| 58 | + |
| 59 | +This means domain-style signatures like `vac.sv` match the literal string `vac.sv`, not "any character followed by sv". |
| 60 | + |
| 61 | +The list is organised into comment-delimited sections: |
| 62 | + |
| 63 | +| Section | What it covers | |
| 64 | +|---|---| |
| 65 | +| Panel domains | Known hosting domains for backdoor control panels | |
| 66 | +| Obfuscator watermarks | Fingerprints left by specific obfuscation tools (Luraph, IronBrew, obfuscator.io) | |
| 67 | +| Exfiltration patterns | Strings associated with credential harvesting and data exfiltration | |
| 68 | +| C2 infrastructure | Known command-and-control domains and identifiers | |
| 69 | +| JavaScript RCE patterns | Obfuscated JS patterns common in Node.js-based payloads | |
| 70 | + |
| 71 | +Hex-encoded variants of domain signatures (e.g. `\x63\x69\x70\x68\x65\x72`) are included alongside their plain-text equivalents to catch basic encoding evasion attempts. |
| 72 | + |
| 73 | +See [Signatures](signatures.md) for guidance on adding and maintaining entries. |
| 74 | + |
| 75 | +--- |
| 76 | + |
| 77 | +## `shared/allowed.lua` — Safe Resources |
| 78 | + |
| 79 | +Defines `Config.SafeResources`, a list of resource folder names that pxSentinel will never scan. Any resource on this list is skipped entirely — no files are read. |
| 80 | + |
| 81 | +```lua |
| 82 | +Config.SafeResources = { |
| 83 | + 'chat', |
| 84 | + 'spawnmanager', |
| 85 | + 'ox_lib', |
| 86 | + 'qb-core', |
| 87 | + 'es_extended', |
| 88 | + -- ... |
| 89 | +} |
| 90 | +``` |
| 91 | + |
| 92 | +The default list includes: |
| 93 | +- CFx / Cfx.re platform resources (`chat`, `spawnmanager`, `mapmanager`, etc.) |
| 94 | +- txAdmin / monitor |
| 95 | +- Build system resources (`webpack`, `yarn`) |
| 96 | +- The ox stack (`ox_lib`, `ox_inventory`, `ox_target`, etc.) |
| 97 | +- QBCore resources |
| 98 | +- ESX resources |
| 99 | +- Common trusted standalone resources (`oxmysql`, `pma-voice`, `saltychat`, etc.) |
| 100 | +- CodeMeAPixel resources |
| 101 | + |
| 102 | +pxSentinel itself (`pxSentinel`) is always excluded from scanning regardless of this list. |
| 103 | + |
| 104 | +See [Safe Resources](safe-resources.md) for guidance on managing this list. |
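Review bot: The hex-encoded example on line 71, `\x63\x69\x70\x68\x65\x72`, should say how such an entry has to be written in `shared/blocked.lua`. Inside a quoted Lua string (Lua 5.2 and later), `\x63` is an escape sequence that the parser decodes to `c` when the file loads, so an entry typed exactly as shown ends up as the same bytes as the plain-text signature and will not match escaped text in a scanned file. Suggest stating that the backslashes must be doubled (`'\\x63\\x69...'`) or that the entry should be a long-bracket string, which does not process escapes. Two smaller points in the same file: line 79 says allowlisted resources are skipped by folder name with no files read, so a sentence noting that a modified copy of an allowlisted resource is never inspected would help readers decide what belongs in `Config.SafeResources`; and the `Config.StopResources` row on line 30 says the stop happens "immediately after detection" while line 38 says the Discord alert is sent before either action, so one of the two should be reworded to give a single order of operations.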