feat(mitmproxy): Add enhanced threat patterns and README

Add modern attack detection patterns: - SSTI (Jinja2, Twig, FreeMarker, ERB, Thymeleaf) - Prototype Pollution (__proto__, constructor[]) - GraphQL abuse (introspection, deep nesting) - JWT attacks (alg:none bypass, exposed tokens) - CVE-2024-21887 (Ivanti Connect Secure) - CVE-2024-1709 (ScreenConnect auth bypass) - CVE-2024-27198 (TeamCity auth bypass) Add comprehensive README documenting: - Threat detection patterns and categories - CrowdSec integration and scenarios - GeoIP database setup - File paths and dependencies Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 05:45:25 +01:00 · 2026-02-01 05:45:25 +01:00 · 29f55ec6bc
commit 29f55ec6bc
parent 37d7b066ed
2 changed files with 151 additions and 0 deletions
--- a/package/secubox/secubox-app-mitmproxy/README.md
+++ b/package/secubox/secubox-app-mitmproxy/README.md
@ -0,0 +1,81 @@
 # SecuBox mitmproxy App
 LXC container with mitmproxy for HTTPS traffic inspection and threat detection.
 ## Components
 | Component | Description |
 |-----------|-------------|
 | **LXC Container** | Debian-based container with mitmproxy |
 | **secubox_analytics.py** | Threat detection addon for mitmproxy |
 | **haproxy_router.py** | HAProxy backend routing addon |
 | **CrowdSec Integration** | Threat logging for automatic IP banning |
 ## Threat Detection Patterns
 ### Attack Types Detected
 | Category | Patterns |
 |----------|----------|
 | **SQL Injection** | UNION SELECT, OR 1=1, SLEEP(), BENCHMARK() |
 | **XSS** | `<script>`, event handlers, javascript: URLs |
 | **Command Injection** | ; cat, \| ls, backticks, $() |
 | **Path Traversal** | ../, %2e%2e/, file:// |
 | **SSRF** | Internal IPs, metadata endpoints |
 | **XXE** | <!ENTITY, SYSTEM, file:// |
 | **LDAP Injection** | )(|, )(&, objectclass=* |
 | **Log4Shell** | ${jndi:, ${env:, ldap:// |
 | **SSTI** | {{...}}, ${...}, <%...%> |
 | **Prototype Pollution** | __proto__, constructor[ |
 | **GraphQL Abuse** | Deep nesting, introspection |
 | **JWT Attacks** | alg:none, exposed tokens |
 ### CVE Detection
 | CVE | Description |
 |-----|-------------|
 | CVE-2021-44228 | Log4Shell (Log4j RCE) |
 | CVE-2021-41773 | Apache path traversal |
 | CVE-2022-22965 | Spring4Shell |
 | CVE-2023-34362 | MOVEit SQL injection |
 | CVE-2024-3400 | PAN-OS command injection |
 | CVE-2024-21887 | Ivanti Connect Secure |
 | CVE-2024-1709 | ScreenConnect auth bypass |
 | CVE-2024-27198 | TeamCity auth bypass |
 ### Scanner Detection
 Detects security scanners: sqlmap, nikto, nuclei, burpsuite, nmap, dirb, gobuster, ffuf, etc.
 ## CrowdSec Integration
 Threats are logged to `/data/threats.log` (mounted as `/srv/mitmproxy/threats.log` on host).
 CrowdSec scenarios:
 - `secubox/mitmproxy-attack` - Bans after 3 high/critical attacks
 - `secubox/mitmproxy-scanner` - Bans aggressive scanners
 - `secubox/mitmproxy-ssrf` - Bans external SSRF attempts
 - `secubox/mitmproxy-cve` - Immediate ban for CVE exploits
 ## GeoIP
 Install GeoLite2-Country.mmdb to `/srv/mitmproxy/` for country detection:
 ```bash
 curl -sL "https://github.com/P3TERX/GeoLite.mmdb/raw/download/GeoLite2-Country.mmdb" \
  -o /srv/mitmproxy/GeoLite2-Country.mmdb
 ```
 ## File Paths
 | Path | Description |
 |------|-------------|
 | `/srv/mitmproxy/` | Host bind mount directory |
 | `/srv/mitmproxy/threats.log` | CrowdSec threat log |
 | `/srv/mitmproxy/addons/` | mitmproxy addon scripts |
 | `/srv/mitmproxy/GeoLite2-Country.mmdb` | GeoIP database |
 ## Dependencies
 - `lxc` - Container runtime
 - `crowdsec` - Threat intelligence (optional)
 - `geoip2` - Python GeoIP library (optional)
--- a/package/secubox/secubox-app-mitmproxy/root/srv/mitmproxy/addons/secubox_analytics.py
+++ b/package/secubox/secubox-app-mitmproxy/root/srv/mitmproxy/addons/secubox_analytics.py
@ -202,6 +202,35 @@ SUSPICIOUS_HEADERS = {
    'forwarded': [r'for=.+;.+;.+'],  # Multiple forwards
 }
 # Template Injection (SSTI) patterns
 SSTI_PATTERNS = [
    r'\{\{.*\}\}',  # Jinja2/Twig
    r'\$\{.*\}',    # FreeMarker/Velocity
    r'<%.*%>',      # ERB/JSP
    r'#\{.*\}',     # Thymeleaf
    r'\[\[.*\]\]',  # Smarty
 ]
 # Prototype Pollution patterns
 PROTO_POLLUTION_PATTERNS = [
    r'__proto__', r'constructor\[', r'prototype\[',
    r'\["__proto__"\]', r'\["constructor"\]', r'\["prototype"\]',
 ]
 # GraphQL abuse patterns
 GRAPHQL_ABUSE_PATTERNS = [
    r'__schema', r'__type', r'introspectionQuery',
    r'query\s*\{.*\{.*\{.*\{.*\{',  # Deep nesting
    r'fragment.*on.*\{.*fragment',  # Recursive fragments
 ]
 # JWT/Token patterns
 JWT_PATTERNS = [
    r'eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*',  # JWT format
    r'alg.*none',  # Algorithm none attack
    r'"alg"\s*:\s*"none"',
 ]
 # Known vulnerability paths (CVE-specific)
 CVE_PATTERNS = {
    # CVE-2021-44228 (Log4Shell)
@ -216,6 +245,12 @@ CVE_PATTERNS = {
    'moveit': [r'machine2\.aspx.*\?', r'/guestaccess\.aspx'],
    # CVE-2024-3400 (PAN-OS)
    'panos': [r'/global-protect/.*\.css\?'],
    # CVE-2024-21887 (Ivanti Connect Secure)
    'ivanti': [r'/api/v1/totp/user-backup-code', r'/api/v1/license/keys-status'],
    # CVE-2024-1709 (ScreenConnect)
    'screenconnect': [r'/SetupWizard\.aspx'],
    # CVE-2024-27198 (TeamCity)
    'teamcity': [r'/app/rest/users/id:', r'/app/rest/server'],
 }
 class SecuBoxAnalytics:
@ -399,6 +434,41 @@ class SecuBoxAnalytics:
                        'cve': cve_name
                    }
        # Check Template Injection (SSTI)
        for pattern in SSTI_PATTERNS:
            if re.search(pattern, combined, re.IGNORECASE):
                return {
                    'is_scan': True, 'pattern': 'ssti', 'type': 'injection',
                    'severity': 'critical', 'category': 'template_injection'
                }
        # Check Prototype Pollution
        for pattern in PROTO_POLLUTION_PATTERNS:
            if re.search(pattern, combined, re.IGNORECASE):
                return {
                    'is_scan': True, 'pattern': 'prototype_pollution', 'type': 'injection',
                    'severity': 'high', 'category': 'javascript_attack'
                }
        # Check GraphQL abuse (only on graphql endpoints)
        if 'graphql' in path or 'graphql' in content_type:
            for pattern in GRAPHQL_ABUSE_PATTERNS:
                if re.search(pattern, combined, re.IGNORECASE):
                    return {
                        'is_scan': True, 'pattern': 'graphql_abuse', 'type': 'api_abuse',
                        'severity': 'medium', 'category': 'graphql'
                    }
        # Check JWT attacks (alg:none, token in URL)
        for pattern in JWT_PATTERNS:
            if re.search(pattern, combined, re.IGNORECASE):
                # alg:none is critical, exposed token is medium
                severity = 'critical' if 'none' in combined.lower() else 'medium'
                return {
                    'is_scan': True, 'pattern': 'jwt_attack', 'type': 'auth_bypass',
                    'severity': severity, 'category': 'authentication'
                }
        return {'is_scan': False, 'pattern': None, 'type': None, 'severity': None, 'category': None}
    def _detect_suspicious_headers(self, request: http.Request) -> list: