feat(mitmproxy): Add enhanced threat patterns and README

Add modern attack detection patterns: - SSTI (Jinja2, Twig, FreeMarker, ERB, Thymeleaf) - Prototype Pollution (__proto__, constructor[]) - GraphQL abuse (introspection, deep nesting) - JWT attacks (alg:none bypass, exposed tokens) - CVE-2024-21887 (Ivanti Connect Secure) - CVE-2024-1709 (ScreenConnect auth bypass) - CVE-2024-27198 (TeamCity auth bypass) Add comprehensive README documenting: - Threat detection patterns and categories - CrowdSec integration and scenarios - GeoIP database setup - File paths and dependencies Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 05:45:25 +01:00 · 2026-02-01 05:45:25 +01:00 · 29f55ec6bc
commit 29f55ec6bc
parent 37d7b066ed
2 changed files with 151 additions and 0 deletions
--- a/package/secubox/secubox-app-mitmproxy/README.md
+++ b/package/secubox/secubox-app-mitmproxy/README.md
@ -0,0 +1,81 @@
+# SecuBox mitmproxy App
+
+LXC container with mitmproxy for HTTPS traffic inspection and threat detection.
+
+## Components
+
+| Component | Description |
+|-----------|-------------|
+| **LXC Container** | Debian-based container with mitmproxy |
+| **secubox_analytics.py** | Threat detection addon for mitmproxy |
+| **haproxy_router.py** | HAProxy backend routing addon |
+| **CrowdSec Integration** | Threat logging for automatic IP banning |
+
+## Threat Detection Patterns
+
+### Attack Types Detected
+
+| Category | Patterns |
+|----------|----------|
+| **SQL Injection** | UNION SELECT, OR 1=1, SLEEP(), BENCHMARK() |
+| **XSS** | `<script>`, event handlers, javascript: URLs |
+| **Command Injection** | ; cat, \| ls, backticks, $() |
+| **Path Traversal** | ../, %2e%2e/, file:// |
+| **SSRF** | Internal IPs, metadata endpoints |
+| **XXE** | <!ENTITY, SYSTEM, file:// |
+| **LDAP Injection** | )(|, )(&, objectclass=* |
+| **Log4Shell** | ${jndi:, ${env:, ldap:// |
+| **SSTI** | {{...}}, ${...}, <%...%> |
+| **Prototype Pollution** | __proto__, constructor[ |
+| **GraphQL Abuse** | Deep nesting, introspection |
+| **JWT Attacks** | alg:none, exposed tokens |
+
+### CVE Detection
+
+| CVE | Description |
+|-----|-------------|
+| CVE-2021-44228 | Log4Shell (Log4j RCE) |
+| CVE-2021-41773 | Apache path traversal |
+| CVE-2022-22965 | Spring4Shell |
+| CVE-2023-34362 | MOVEit SQL injection |
+| CVE-2024-3400 | PAN-OS command injection |
+| CVE-2024-21887 | Ivanti Connect Secure |
+| CVE-2024-1709 | ScreenConnect auth bypass |
+| CVE-2024-27198 | TeamCity auth bypass |
+
+### Scanner Detection
+
+Detects security scanners: sqlmap, nikto, nuclei, burpsuite, nmap, dirb, gobuster, ffuf, etc.
+
+## CrowdSec Integration
+
+Threats are logged to `/data/threats.log` (mounted as `/srv/mitmproxy/threats.log` on host).
+
+CrowdSec scenarios:
+- `secubox/mitmproxy-attack` - Bans after 3 high/critical attacks
+- `secubox/mitmproxy-scanner` - Bans aggressive scanners
+- `secubox/mitmproxy-ssrf` - Bans external SSRF attempts
+- `secubox/mitmproxy-cve` - Immediate ban for CVE exploits
+
+## GeoIP
+
+Install GeoLite2-Country.mmdb to `/srv/mitmproxy/` for country detection:
+```bash
+curl -sL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" \
+  -o /srv/mitmproxy/GeoLite2-Country.mmdb
+```
+
+## File Paths
+
+| Path | Description |
+|------|-------------|
+| `/srv/mitmproxy/` | Host bind mount directory |
+| `/srv/mitmproxy/threats.log` | CrowdSec threat log |
+| `/srv/mitmproxy/addons/` | mitmproxy addon scripts |
+| `/srv/mitmproxy/GeoLite2-Country.mmdb` | GeoIP database |
+
+## Dependencies
+
+- `lxc` - Container runtime
+- `crowdsec` - Threat intelligence (optional)
+- `geoip2` - Python GeoIP library (optional)
--- a/package/secubox/secubox-app-mitmproxy/root/srv/mitmproxy/addons/secubox_analytics.py
+++ b/package/secubox/secubox-app-mitmproxy/root/srv/mitmproxy/addons/secubox_analytics.py
@ -202,6 +202,35 @@ SUSPICIOUS_HEADERS = {
    'forwarded': [r'for=.+;.+;.+'],  # Multiple forwards
 }

+# Template Injection (SSTI) patterns
+SSTI_PATTERNS = [
+    r'\{\{.*\}\}',  # Jinja2/Twig
+    r'\$\{.*\}',    # FreeMarker/Velocity
+    r'<%.*%>',      # ERB/JSP
+    r'#\{.*\}',     # Thymeleaf
+    r'\[\[.*\]\]',  # Smarty
+]
+
+# Prototype Pollution patterns
+PROTO_POLLUTION_PATTERNS = [
+    r'__proto__', r'constructor\[', r'prototype\[',
+    r'\["__proto__"\]', r'\["constructor"\]', r'\["prototype"\]',
+]
+
+# GraphQL abuse patterns
+GRAPHQL_ABUSE_PATTERNS = [
+    r'__schema', r'__type', r'introspectionQuery',
+    r'query\s*\{.*\{.*\{.*\{.*\{',  # Deep nesting
+    r'fragment.*on.*\{.*fragment',  # Recursive fragments
+]
+
+# JWT/Token patterns
+JWT_PATTERNS = [
+    r'eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*',  # JWT format
+    r'alg.*none',  # Algorithm none attack
+    r'"alg"\s*:\s*"none"',
+]
+
 # Known vulnerability paths (CVE-specific)
 CVE_PATTERNS = {
    # CVE-2021-44228 (Log4Shell)
@ -216,6 +245,12 @@ CVE_PATTERNS = {
    'moveit': [r'machine2\.aspx.*\?', r'/guestaccess\.aspx'],
    # CVE-2024-3400 (PAN-OS)
    'panos': [r'/global-protect/.*\.css\?'],
+    # CVE-2024-21887 (Ivanti Connect Secure)
+    'ivanti': [r'/api/v1/totp/user-backup-code', r'/api/v1/license/keys-status'],
+    # CVE-2024-1709 (ScreenConnect)
+    'screenconnect': [r'/SetupWizard\.aspx'],
+    # CVE-2024-27198 (TeamCity)
+    'teamcity': [r'/app/rest/users/id:', r'/app/rest/server'],
 }

 class SecuBoxAnalytics:
@ -399,6 +434,41 @@ class SecuBoxAnalytics:
                        'cve': cve_name
                    }

+        # Check Template Injection (SSTI)
+        for pattern in SSTI_PATTERNS:
+            if re.search(pattern, combined, re.IGNORECASE):
+                return {
+                    'is_scan': True, 'pattern': 'ssti', 'type': 'injection',
+                    'severity': 'critical', 'category': 'template_injection'
+                }
+
+        # Check Prototype Pollution
+        for pattern in PROTO_POLLUTION_PATTERNS:
+            if re.search(pattern, combined, re.IGNORECASE):
+                return {
+                    'is_scan': True, 'pattern': 'prototype_pollution', 'type': 'injection',
+                    'severity': 'high', 'category': 'javascript_attack'
+                }
+
+        # Check GraphQL abuse (only on graphql endpoints)
+        if 'graphql' in path or 'graphql' in content_type:
+            for pattern in GRAPHQL_ABUSE_PATTERNS:
+                if re.search(pattern, combined, re.IGNORECASE):
+                    return {
+                        'is_scan': True, 'pattern': 'graphql_abuse', 'type': 'api_abuse',
+                        'severity': 'medium', 'category': 'graphql'
+                    }
+
+        # Check JWT attacks (alg:none, token in URL)
+        for pattern in JWT_PATTERNS:
+            if re.search(pattern, combined, re.IGNORECASE):
+                # alg:none is critical, exposed token is medium
+                severity = 'critical' if 'none' in combined.lower() else 'medium'
+                return {
+                    'is_scan': True, 'pattern': 'jwt_attack', 'type': 'auth_bypass',
+                    'severity': severity, 'category': 'authentication'
+                }
+
        return {'is_scan': False, 'pattern': None, 'type': None, 'severity': None, 'category': None}

    def _detect_suspicious_headers(self, request: http.Request) -> list: