sif/docs/configuration.md
Tigah 9f3b9eaa55 feat(frameworks): add config-defined custom detectors (#160)
load yaml-defined detectors from ~/.config/sif/signatures (AppData\Local
on windows), mirroring the user-modules convention, so a framework sif
does not ship can be detected without a rebuild. they load lazily once
per run from DetectFramework and register alongside the built-ins.

each file is one detector, scored by the same weighted signature match as
the built-ins. confidence is linear rather than their sigmoid (importing
it would cycle), so a detector clears the 0.5 threshold once its matched
weights pass half. a name matching a built-in overrides it and inherits
that built-in's version patterns and cves, the same as a user module. a
single unparseable file warns and is skipped rather than failing the scan.

implements the custom signature support help-wanted item in contributing.
2026-06-22 18:24:02 -07:00


configuration

runtime configuration options for sif.

environment variables

SHODAN_API_KEY

required for shodan lookups.

export SHODAN_API_KEY=your-api-key-here
./sif -u https://example.com -shodan

command line options

timeout

default request timeout is 10 seconds.

# increase for slow targets
./sif -u https://example.com -t 30s

# decrease for fast scans
./sif -u https://example.com -t 5s

threads

default is 10 concurrent threads.

# more threads for faster scanning
./sif -u https://example.com --threads 50

# fewer threads to reduce load
./sif -u https://example.com --threads 5

logging

save output to files:

./sif -u https://example.com -l ./logs

creates timestamped log files in the specified directory.

debug mode

enable verbose logging:

./sif -u https://example.com -d

templates

-template loads a batch of scan settings from a built-in preset or a local yaml file, so a run does not have to pass every flag. see the usage guide for the presets and file format. command-line flags still take precedence over the template.

sif also reads an ambient config at ~/.config/sif/config.yaml (created on first run) keyed by the same flag names. passing -template uses that template as the config for the run instead of the ambient file.

user modules

place custom modules in:

  • linux/macos: ~/.config/sif/modules/
  • windows: %LOCALAPPDATA%\sif\modules\

directory structure

~/.config/sif/
├── modules/
│   ├── http/
│   │   └── my-sqli-check.yaml
│   ├── recon/
│   │   └── custom-paths.yaml
│   └── my-module.yaml

modules can be organized in subdirectories or placed directly in the modules folder.

overriding built-in modules

user modules with the same id as built-in modules will override them:

# ~/.config/sif/modules/sqli-error-based.yaml
# this overrides the built-in sqli-error-based module

id: sqli-error-based
info:
  name: my custom sqli check
  # ...

custom signatures

framework detection (-framework) also loads user-defined detectors from yaml files, so a framework sif does not ship can be detected without rebuilding:

  • linux/macos: ~/.config/sif/signatures/
  • windows: %LOCALAPPDATA%\sif\signatures\

each file defines one detector; place them directly in the directory, as subdirectories are not scanned. header: true matches a response header name or value (case-insensitive) instead of the body; the optional version block pulls a version out of the body.

# ~/.config/sif/signatures/ghost.yaml
name: Ghost
signatures:
  - pattern: 'content="Ghost'
    weight: 0.6
  - pattern: 'X-Ghost-Cache'
    weight: 0.4
    header: true
version:
  regex: 'content="Ghost ([0-9.]+)'
  group: 1

a detector reports a match once its matched signature weights sum past half, so weight your signatures to total about 1.0. a name matching a built-in detector overrides it and inherits that built-in's version patterns and known cves, the same as user modules.
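
an added example, not sif's own code: a small go model of the scoring described above, run on the ghost.yaml detector and a constructed response, to show which signatures clear the threshold on their own. the type and function names are hypothetical; it assumes patterns are plain substrings and that confidence is the raw sum of matched weights, compared against 0.5.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Hypothetical types mirroring the yaml fields on this page (not sif's own); Ghost is ghost.yaml as a literal.
type Signature struct { Pattern string; Weight float64; Header bool }
type Detector struct {
	Name, VersionRegex string
	Signatures         []Signature
	VersionGroup       int
}

var Ghost = Detector{Name: "Ghost", VersionRegex: `content="Ghost ([0-9.]+)`, VersionGroup: 1,
	Signatures: []Signature{{`content="Ghost`, 0.6, false}, {"X-Ghost-Cache", 0.4, true}}}

// Score sums matched weights (assumed: substring patterns, match when the raw sum exceeds 0.5).
func Score(d Detector, h http.Header, body string) (conf float64, matched bool, version string) {
	for _, s := range d.Signatures {
		if s.Header && headerHas(h, s.Pattern) || !s.Header && strings.Contains(body, s.Pattern) {
			conf += s.Weight
		}
	}
	if re, err := regexp.Compile(d.VersionRegex); err == nil {
		if m := re.FindStringSubmatch(body); d.VersionGroup >= 0 && len(m) > d.VersionGroup {
			version = m[d.VersionGroup]
		}
	}
	return conf, conf > 0.5, version
}

// headerHas reports whether any header name or value contains p, ignoring case.
func headerHas(h http.Header, p string) bool {
	for name, vals := range h {
		if strings.Contains(strings.ToLower(name+"\n"+strings.Join(vals, "\n")), strings.ToLower(p)) {
			return true
		}
	}
	return false
}

func main() {
	h := http.Header{"X-Ghost-Cache": {"HIT"}} // constructed sample response
	fmt.Println(Score(Ghost, h, `<meta name="generator" content="Ghost 5.82">`)) // both signatures hit
	fmt.Println(Score(Ghost, h, `<html>no generator tag</html>`))                // header alone stays below 0.5
}
```
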

performance tuning

fast scans

./sif -u https://example.com \
  --threads 50 \
  -t 5s \
  -dirlist small \
  -dnslist small

thorough scans

./sif -u https://example.com \
  --threads 10 \
  -t 30s \
  -dirlist large \
  -dnslist large \
  -ports full

low-impact scans

reduce load on target:

./sif -u https://example.com \
  --threads 2 \
  -t 10s

output formats

console (default)

human-readable output with colors and formatting.

json (api mode)

./sif -u https://example.com -api

returns structured json:

{
  "url": "https://example.com",
  "results": [
    {
      "id": "sqli-error-based",
      "data": {
        "findings": [...]
      }
    }
  ]
}

log files

./sif -u https://example.com -l ./logs

creates separate log files for each scan type.