feat(dpi-dual): Add WAF auto-ban tuning system
- UCI config: Add scoring section with event weights, sensitivity presets, whitelist, and decay options - dpi-correlator: Load scoring weights from UCI, apply sensitivity multipliers, check whitelist before auto-ban, periodic reputation decay - CLI: New 'tune', 'whitelist', 'decay' commands for runtime configuration - RPCD: 6 new methods - get_tuning, set_tuning, whitelist_add/remove/list, reset_reputation - ACL: Added permissions for new tuning methods Sensitivity presets: - low (0.7x) - fewer false positives - medium (1.0x) - balanced (default) - high (1.3x) - aggressive detection Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
parent
c80b10f18d
commit
ccccd3d93b
@ -5259,3 +5259,14 @@ git checkout HEAD -- index.html
|
||||
- RTTY Remote Dashboard: "Deploy ttyd to All" button and per-node ttyd button in actions column
|
||||
- Modal dialogs for confirmation, progress, and result display
|
||||
- Full mesh provisioning workflow now accessible via web UI
|
||||
|
||||
- **WAF Auto-Ban Tuning System (Complete)**
|
||||
- Configurable scoring weights via UCI `scoring` section
|
||||
- Sensitivity presets: low (0.7x), medium (1.0x), high (1.3x), custom
|
||||
- Whitelist support: IPs/CIDRs that skip auto-ban (`whitelist` section)
|
||||
- Configurable auto-ban duration and notification threshold
|
||||
- Reputation decay: Periodic score reduction for inactive IPs
|
||||
- CLI commands: `dpi-correlator tune`, `dpi-correlator whitelist`, `dpi-correlator decay`
|
||||
- 6 new RPCD methods: get_tuning, set_tuning, whitelist_add, whitelist_remove, whitelist_list, reset_reputation
|
||||
- UCi config updated with scoring weights, sensitivity, whitelist, decay options
|
||||
- Enables fine-tuning of auto-ban sensitivity for production traffic
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
# Work In Progress (Claude)
|
||||
|
||||
_Last updated: 2026-03-16 (DPI LAN Passive Analysis)_
|
||||
_Last updated: 2026-03-16 (WAF Auto-Ban Tuning)_
|
||||
|
||||
> **Architecture Reference**: SecuBox Fanzine v3 — Les 4 Couches
|
||||
|
||||
@ -10,6 +10,15 @@ _Last updated: 2026-03-16 (DPI LAN Passive Analysis)_
|
||||
|
||||
### 2026-03-16
|
||||
|
||||
- **WAF Auto-Ban Tuning System (Complete)**
|
||||
- Configurable scoring weights via UCI `scoring` section
|
||||
- Sensitivity presets: low (0.7x), medium (1.0x), high (1.3x), custom
|
||||
- Whitelist support: IPs/CIDRs that skip auto-ban
|
||||
- Configurable auto-ban duration, notification threshold, reputation decay
|
||||
- CLI: `dpi-correlator tune [param] [value]`, `whitelist add/remove/list`, `decay [amount]`
|
||||
- 6 new RPCD methods for UI integration
|
||||
- Enables fine-tuning for production traffic with fewer false positives
|
||||
|
||||
- **LuCI Provisioning Dashboard (Complete)**
|
||||
- Config Vault dashboard: "Device Provisioning" card with 3 action buttons
|
||||
- "Provision Remote" - Modal dialog to push clone to remote node
|
||||
@ -661,11 +670,6 @@ _Last updated: 2026-03-16 (DPI LAN Passive Analysis)_
|
||||
|
||||
All core features complete. Optional polish tasks remain.
|
||||
|
||||
### v1.1+ Extended Mesh
|
||||
|
||||
1. **WAF Auto-Ban Tuning** (optional, as-needed)
|
||||
- Sensitivity threshold adjustment based on production traffic
|
||||
|
||||
### Backlog
|
||||
|
||||
- SSMTP / mail host / MX record management (v2)
|
||||
|
||||
@ -43,6 +43,12 @@ case "$1" in
|
||||
"correlate_ip": {"ip": "string"},
|
||||
"ban_ip": {"ip": "string", "duration": "string"},
|
||||
"set_auto_ban": {"enabled": true},
|
||||
"get_tuning": {},
|
||||
"set_tuning": {"param": "string", "value": "string"},
|
||||
"whitelist_add": {"ip": "string"},
|
||||
"whitelist_remove": {"ip": "string"},
|
||||
"whitelist_list": {},
|
||||
"reset_reputation": {"ip": "string"},
|
||||
"get_lan_status": {},
|
||||
"get_lan_clients": {},
|
||||
"get_lan_destinations": {"limit": 100},
|
||||
@ -388,6 +394,187 @@ EOF
|
||||
echo '{"success": true, "auto_ban": '$val'}'
|
||||
;;
|
||||
|
||||
get_tuning)
|
||||
config_load dpi-dual
|
||||
|
||||
# Load correlation settings
|
||||
sensitivity="" threshold="" duration="" notifications=""
|
||||
notif_threshold="" decay="" decay_interval=""
|
||||
config_get sensitivity correlation sensitivity "medium"
|
||||
config_get threshold correlation auto_ban_threshold "80"
|
||||
config_get duration correlation auto_ban_duration "4h"
|
||||
config_get notifications correlation notifications "1"
|
||||
config_get notif_threshold correlation notification_threshold "70"
|
||||
config_get decay correlation reputation_decay "5"
|
||||
config_get decay_interval correlation decay_interval "3600"
|
||||
|
||||
# Load scoring weights
|
||||
waf_block="" waf_alert="" cs_ban="" dpi_threat="" scanner="" brute_force="" default_score=""
|
||||
config_get waf_block scoring waf_block "25"
|
||||
config_get waf_alert scoring waf_alert "15"
|
||||
config_get cs_ban scoring crowdsec_ban "30"
|
||||
config_get dpi_threat scoring dpi_threat "20"
|
||||
config_get scanner scoring scanner "35"
|
||||
config_get brute_force scoring brute_force "40"
|
||||
config_get default_score scoring default "10"
|
||||
|
||||
# Calculate sensitivity multiplier
|
||||
case "$sensitivity" in
|
||||
low) mult=70 ;;
|
||||
medium) mult=100 ;;
|
||||
high) mult=130 ;;
|
||||
*) mult=100 ;;
|
||||
esac
|
||||
|
||||
cat << EOF
|
||||
{
|
||||
"sensitivity": "$sensitivity",
|
||||
"sensitivity_multiplier": $mult,
|
||||
"auto_ban_threshold": $threshold,
|
||||
"auto_ban_duration": "$duration",
|
||||
"notifications": $notifications,
|
||||
"notification_threshold": $notif_threshold,
|
||||
"reputation_decay": $decay,
|
||||
"decay_interval": $decay_interval,
|
||||
"scoring": {
|
||||
"waf_block": $waf_block,
|
||||
"waf_alert": $waf_alert,
|
||||
"crowdsec_ban": $cs_ban,
|
||||
"dpi_threat": $dpi_threat,
|
||||
"scanner": $scanner,
|
||||
"brute_force": $brute_force,
|
||||
"default": $default_score
|
||||
}
|
||||
}
|
||||
EOF
|
||||
;;
|
||||
|
||||
set_tuning)
|
||||
read "$3"
|
||||
json_load "$REPLY"
|
||||
json_get_var param param ""
|
||||
json_get_var value value ""
|
||||
|
||||
if [ -z "$param" ] || [ -z "$value" ]; then
|
||||
echo '{"success": false, "error": "param and value required"}'
|
||||
else
|
||||
case "$param" in
|
||||
sensitivity)
|
||||
case "$value" in
|
||||
low|medium|high|custom)
|
||||
uci set dpi-dual.correlation.sensitivity="$value"
|
||||
uci commit dpi-dual
|
||||
echo '{"success": true, "param": "sensitivity", "value": "'"$value"'"}'
|
||||
;;
|
||||
*)
|
||||
echo '{"success": false, "error": "Invalid sensitivity: use low, medium, high, or custom"}'
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
threshold)
|
||||
if [ "$value" -ge 0 ] && [ "$value" -le 100 ] 2>/dev/null; then
|
||||
uci set dpi-dual.correlation.auto_ban_threshold="$value"
|
||||
uci commit dpi-dual
|
||||
echo '{"success": true, "param": "threshold", "value": '$value'}'
|
||||
else
|
||||
echo '{"success": false, "error": "Threshold must be 0-100"}'
|
||||
fi
|
||||
;;
|
||||
duration)
|
||||
uci set dpi-dual.correlation.auto_ban_duration="$value"
|
||||
uci commit dpi-dual
|
||||
echo '{"success": true, "param": "duration", "value": "'"$value"'"}'
|
||||
;;
|
||||
decay)
|
||||
if [ "$value" -ge 0 ] && [ "$value" -le 50 ] 2>/dev/null; then
|
||||
uci set dpi-dual.correlation.reputation_decay="$value"
|
||||
uci commit dpi-dual
|
||||
echo '{"success": true, "param": "decay", "value": '$value'}'
|
||||
else
|
||||
echo '{"success": false, "error": "Decay must be 0-50"}'
|
||||
fi
|
||||
;;
|
||||
notification_threshold)
|
||||
if [ "$value" -ge 0 ] && [ "$value" -le 100 ] 2>/dev/null; then
|
||||
uci set dpi-dual.correlation.notification_threshold="$value"
|
||||
uci commit dpi-dual
|
||||
echo '{"success": true, "param": "notification_threshold", "value": '$value'}'
|
||||
else
|
||||
echo '{"success": false, "error": "Notification threshold must be 0-100"}'
|
||||
fi
|
||||
;;
|
||||
waf_block|waf_alert|crowdsec_ban|dpi_threat|scanner|brute_force|default)
|
||||
if [ "$value" -ge 0 ] && [ "$value" -le 100 ] 2>/dev/null; then
|
||||
uci set dpi-dual.scoring."$param"="$value"
|
||||
uci commit dpi-dual
|
||||
echo '{"success": true, "param": "'"$param"'", "value": '$value'}'
|
||||
else
|
||||
echo '{"success": false, "error": "Score weight must be 0-100"}'
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
echo '{"success": false, "error": "Unknown param: '"$param"'"}'
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
;;
|
||||
|
||||
whitelist_add)
|
||||
read "$3"
|
||||
json_load "$REPLY"
|
||||
json_get_var ip ip ""
|
||||
|
||||
if [ -z "$ip" ]; then
|
||||
echo '{"success": false, "error": "IP required"}'
|
||||
else
|
||||
uci add_list dpi-dual.whitelist.ip="$ip"
|
||||
uci commit dpi-dual
|
||||
echo '{"success": true, "message": "Added '"$ip"' to whitelist"}'
|
||||
fi
|
||||
;;
|
||||
|
||||
whitelist_remove)
|
||||
read "$3"
|
||||
json_load "$REPLY"
|
||||
json_get_var ip ip ""
|
||||
|
||||
if [ -z "$ip" ]; then
|
||||
echo '{"success": false, "error": "IP required"}'
|
||||
else
|
||||
uci del_list dpi-dual.whitelist.ip="$ip"
|
||||
uci commit dpi-dual
|
||||
echo '{"success": true, "message": "Removed '"$ip"' from whitelist"}'
|
||||
fi
|
||||
;;
|
||||
|
||||
whitelist_list)
|
||||
config_load dpi-dual
|
||||
|
||||
# Collect whitelist IPs
|
||||
wl_ips=""
|
||||
append_wl_ip() {
|
||||
[ -n "$wl_ips" ] && wl_ips="$wl_ips,"
|
||||
wl_ips="$wl_ips\"$1\""
|
||||
}
|
||||
config_list_foreach whitelist ip append_wl_ip
|
||||
|
||||
echo "{\"whitelist\": [$wl_ips]}"
|
||||
;;
|
||||
|
||||
reset_reputation)
|
||||
read "$3"
|
||||
json_load "$REPLY"
|
||||
json_get_var ip ip ""
|
||||
|
||||
if [ -z "$ip" ]; then
|
||||
echo '{"success": false, "error": "IP required"}'
|
||||
else
|
||||
. /usr/lib/dpi-dual/correlation-lib.sh
|
||||
reset_ip_reputation "$ip"
|
||||
echo '{"success": true, "message": "Reset reputation for '"$ip"'"}'
|
||||
fi
|
||||
;;
|
||||
|
||||
get_lan_status)
|
||||
# LAN passive flow analysis status
|
||||
config_load dpi-dual
|
||||
|
||||
@ -18,7 +18,9 @@
|
||||
"get_lan_status",
|
||||
"get_lan_clients",
|
||||
"get_lan_destinations",
|
||||
"get_lan_protocols"
|
||||
"get_lan_protocols",
|
||||
"get_tuning",
|
||||
"whitelist_list"
|
||||
]
|
||||
},
|
||||
"uci": ["dpi-dual"]
|
||||
@ -32,7 +34,11 @@
|
||||
"replay_request",
|
||||
"correlate_ip",
|
||||
"ban_ip",
|
||||
"set_auto_ban"
|
||||
"set_auto_ban",
|
||||
"set_tuning",
|
||||
"whitelist_add",
|
||||
"whitelist_remove",
|
||||
"reset_reputation"
|
||||
]
|
||||
},
|
||||
"uci": ["dpi-dual"]
|
||||
|
||||
@ -27,8 +27,36 @@ config correlation 'correlation'
|
||||
option watch_crowdsec '1'
|
||||
option auto_ban '0'
|
||||
option auto_ban_threshold '80'
|
||||
option auto_ban_duration '4h'
|
||||
option notifications '1'
|
||||
option notification_threshold '70'
|
||||
option reputation_decay '5'
|
||||
option decay_interval '3600'
|
||||
# Sensitivity preset: low, medium, high, custom
|
||||
option sensitivity 'medium'
|
||||
|
||||
# Event scoring weights (used when sensitivity=custom)
|
||||
config scoring 'scoring'
|
||||
option waf_block '25'
|
||||
option waf_alert '15'
|
||||
option crowdsec_ban '30'
|
||||
option dpi_threat '20'
|
||||
option scanner '35'
|
||||
option brute_force '40'
|
||||
option default '10'
|
||||
|
||||
# Sensitivity presets
|
||||
# low: fewer false positives, only clear threats trigger ban
|
||||
# medium: balanced detection (default)
|
||||
# high: aggressive, more false positives but catches more threats
|
||||
|
||||
# Whitelist - IPs that should never be auto-banned
|
||||
config whitelist 'whitelist'
|
||||
list ip '127.0.0.1'
|
||||
list ip '192.168.255.1'
|
||||
# Add trusted IPs here:
|
||||
# list ip '10.0.0.0/8'
|
||||
# list ip '192.168.0.0/16'
|
||||
|
||||
# LAN TAP - Real-time passive flow analysis
|
||||
# No MITM, no caching - just nDPI flow monitoring
|
||||
|
||||
@ -65,6 +65,68 @@ update_ip_reputation() {
|
||||
mv "$tmp_file" "$REPUTATION_DB"
|
||||
}
|
||||
|
||||
# Decay all IP reputations by a fixed amount
|
||||
# Called periodically to let old threats "heal"
|
||||
decay_all_reputations() {
|
||||
local decay_amount="${1:-5}"
|
||||
|
||||
init_reputation_db
|
||||
|
||||
[ ! -f "$REPUTATION_DB" ] && return 0
|
||||
|
||||
local tmp_file="/tmp/reputation_decay_$$.json"
|
||||
local now
|
||||
now=$(date -Iseconds)
|
||||
|
||||
# Process each IP in the reputation DB
|
||||
# Extract IPs and their scores, apply decay
|
||||
local ip score new_score
|
||||
|
||||
# Read current state
|
||||
cp "$REPUTATION_DB" "$tmp_file"
|
||||
|
||||
# Get all IPs from the JSON
|
||||
local ips
|
||||
ips=$(grep -oE '"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"' "$REPUTATION_DB" | tr -d '"' | sort -u)
|
||||
|
||||
for ip in $ips; do
|
||||
score=$(jsonfilter -i "$REPUTATION_DB" -e "@[\"$ip\"].score" 2>/dev/null || echo 0)
|
||||
new_score=$((score - decay_amount))
|
||||
[ "$new_score" -lt 0 ] && new_score=0
|
||||
|
||||
if [ "$new_score" -eq 0 ]; then
|
||||
# Remove entries that have decayed to 0
|
||||
sed -i "s/\"$ip\":{[^}]*},\?//" "$tmp_file"
|
||||
else
|
||||
# Update score
|
||||
sed -i "s/\"$ip\":{\"score\":[0-9]*/\"$ip\":{\"score\":$new_score/" "$tmp_file"
|
||||
fi
|
||||
done
|
||||
|
||||
# Clean up JSON (remove trailing commas, empty entries)
|
||||
sed -i 's/,\s*}/}/g; s/{\s*,/{/g; s/,,/,/g' "$tmp_file"
|
||||
|
||||
mv "$tmp_file" "$REPUTATION_DB"
|
||||
}
|
||||
|
||||
# Reset reputation for a specific IP
|
||||
reset_ip_reputation() {
|
||||
local ip="$1"
|
||||
|
||||
init_reputation_db
|
||||
[ ! -f "$REPUTATION_DB" ] && return 0
|
||||
|
||||
local tmp_file="/tmp/reputation_reset_$$.json"
|
||||
cp "$REPUTATION_DB" "$tmp_file"
|
||||
|
||||
# Remove the IP entry
|
||||
sed -i "s/\"$ip\":{[^}]*},\?//" "$tmp_file"
|
||||
sed -i 's/,\s*}/}/g; s/{\s*,/{/g; s/,,/,/g' "$tmp_file"
|
||||
|
||||
mv "$tmp_file" "$REPUTATION_DB"
|
||||
echo "Reset reputation for $ip"
|
||||
}
|
||||
|
||||
# Get MITM context for IP (recent requests)
|
||||
get_mitm_context() {
|
||||
local ip="$1"
|
||||
|
||||
@ -12,14 +12,99 @@ WINDOW=""
|
||||
WATCH_CROWDSEC=""
|
||||
AUTO_BAN=""
|
||||
AUTO_BAN_THRESHOLD=""
|
||||
AUTO_BAN_DURATION=""
|
||||
NOTIFICATION_ENABLED=""
|
||||
NOTIFICATION_THRESHOLD=""
|
||||
SENSITIVITY=""
|
||||
DECAY_INTERVAL=""
|
||||
|
||||
# Scoring weights (loaded from UCI)
|
||||
SCORE_WAF_BLOCK=""
|
||||
SCORE_WAF_ALERT=""
|
||||
SCORE_CROWDSEC_BAN=""
|
||||
SCORE_DPI_THREAT=""
|
||||
SCORE_SCANNER=""
|
||||
SCORE_BRUTE_FORCE=""
|
||||
SCORE_DEFAULT=""
|
||||
|
||||
# Whitelist (loaded as space-separated IPs)
|
||||
WHITELIST_IPS=""
|
||||
|
||||
# Sensitivity multipliers
|
||||
get_sensitivity_multiplier() {
|
||||
case "$1" in
|
||||
low) echo "70" ;; # 0.7x - fewer false positives
|
||||
medium) echo "100" ;; # 1.0x - balanced (default)
|
||||
high) echo "130" ;; # 1.3x - aggressive detection
|
||||
custom) echo "100" ;; # 1.0x - use custom weights as-is
|
||||
*) echo "100" ;;
|
||||
esac
|
||||
}
|
||||
|
||||
load_config() {
|
||||
# Correlation settings
|
||||
config_get WINDOW correlation window "60"
|
||||
config_get WATCH_CROWDSEC correlation watch_crowdsec "1"
|
||||
config_get AUTO_BAN correlation auto_ban "0"
|
||||
config_get AUTO_BAN_THRESHOLD correlation auto_ban_threshold "80"
|
||||
config_get AUTO_BAN_DURATION correlation auto_ban_duration "4h"
|
||||
config_get NOTIFICATION_ENABLED correlation notifications "1"
|
||||
config_get NOTIFICATION_THRESHOLD correlation notification_threshold "70"
|
||||
config_get SENSITIVITY correlation sensitivity "medium"
|
||||
config_get DECAY_INTERVAL correlation decay_interval "3600"
|
||||
|
||||
# Load scoring weights from UCI
|
||||
config_get SCORE_WAF_BLOCK scoring waf_block "25"
|
||||
config_get SCORE_WAF_ALERT scoring waf_alert "15"
|
||||
config_get SCORE_CROWDSEC_BAN scoring crowdsec_ban "30"
|
||||
config_get SCORE_DPI_THREAT scoring dpi_threat "20"
|
||||
config_get SCORE_SCANNER scoring scanner "35"
|
||||
config_get SCORE_BRUTE_FORCE scoring brute_force "40"
|
||||
config_get SCORE_DEFAULT scoring default "10"
|
||||
|
||||
# Load whitelist IPs
|
||||
WHITELIST_IPS=""
|
||||
load_whitelist() {
|
||||
config_get ip "$1" ip ""
|
||||
[ -n "$ip" ] && WHITELIST_IPS="$WHITELIST_IPS $ip"
|
||||
}
|
||||
config_list_foreach whitelist ip append_whitelist_ip
|
||||
}
|
||||
|
||||
# Helper to load whitelist IPs
|
||||
append_whitelist_ip() {
|
||||
WHITELIST_IPS="$WHITELIST_IPS $1"
|
||||
}
|
||||
|
||||
# Check if IP is in whitelist
|
||||
is_whitelisted() {
|
||||
local check_ip="$1"
|
||||
local wl_ip
|
||||
|
||||
for wl_ip in $WHITELIST_IPS; do
|
||||
# Exact match
|
||||
[ "$check_ip" = "$wl_ip" ] && return 0
|
||||
|
||||
# CIDR match (simplified - check if IP starts with network prefix)
|
||||
case "$wl_ip" in
|
||||
*/*)
|
||||
local network="${wl_ip%/*}"
|
||||
case "$check_ip" in
|
||||
${network%.*}.*) return 0 ;;
|
||||
esac
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
return 1
|
||||
}
|
||||
|
||||
# Apply sensitivity multiplier to score
|
||||
apply_sensitivity() {
|
||||
local base_score="$1"
|
||||
local multiplier
|
||||
multiplier=$(get_sensitivity_multiplier "$SENSITIVITY")
|
||||
echo $((base_score * multiplier / 100))
|
||||
}
|
||||
|
||||
# Process a threat event from any source
|
||||
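Review bot: The CIDR branch of `is_whitelisted` ignores the prefix length entirely — `${network%.*}.*` strips the last octet and matches on the first three, so `10.0.0.0/8` covers only `10.0.0.*` and `192.168.0.0/16` only `192.168.0.*`, while a `/28` matches a whole /24; the whitelist examples shipped in the UCI config therefore do not behave as documented. Because the pattern is an unquoted `case` glob built from stored data, an entry containing `*` or `?` would also match far more than intended, so the add paths must validate entries (raised on the RPCD hunk). A prefix-aware comparison needs only integer arithmetic, as below. Also, `load_config` defines a nested `load_whitelist()` that nothing calls (the `config_list_foreach` uses `append_whitelist_ip`); drop it.
```shell
# Dotted-quad IPv4 -> 32-bit integer; returns 1 when not exactly four fields.
# Assumes octets are numeric (entries are validated at add time).
ip_to_int() {
    local IFS=. a b c d
    set -- $1
    [ $# -eq 4 ] || return 1
    a=$1 b=$2 c=$3 d=$4
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

is_whitelisted() {
    local check_ip="$1"
    local wl_ip network bits ip_int net_int mask

    for wl_ip in $WHITELIST_IPS; do
        # … unchanged: exact match …

        case "$wl_ip" in
            */*)
                network="${wl_ip%/*}"
                bits="${wl_ip#*/}"
                case "$bits" in ''|*[!0-9]*) continue ;; esac
                [ "$bits" -le 32 ] || continue
                ip_int=$(ip_to_int "$check_ip") || continue
                net_int=$(ip_to_int "$network") || continue
                # 64-bit shell arithmetic keeps the /0 case (shift by 32) well defined
                mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
                [ $(( ip_int & mask )) -eq $(( net_int & mask )) ] && return 0
                ;;
        esac
    done

    return 1
}
```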
@ -33,16 +118,22 @@ process_threat_event() {
|
||||
|
||||
echo "[$(date '+%H:%M:%S')] Processing threat: $ip ($event_type: $reason, score: $threat_score)"
|
||||
|
||||
# Update IP reputation
|
||||
local delta=10
|
||||
# Get base delta from UCI scoring weights
|
||||
local base_delta
|
||||
case "$event_type" in
|
||||
waf_block) delta=25 ;;
|
||||
waf_alert) delta=15 ;;
|
||||
crowdsec_ban) delta=30 ;;
|
||||
dpi_threat) delta=20 ;;
|
||||
scanner) delta=35 ;;
|
||||
*) delta=10 ;;
|
||||
waf_block) base_delta="$SCORE_WAF_BLOCK" ;;
|
||||
waf_alert) base_delta="$SCORE_WAF_ALERT" ;;
|
||||
crowdsec_ban) base_delta="$SCORE_CROWDSEC_BAN" ;;
|
||||
dpi_threat) base_delta="$SCORE_DPI_THREAT" ;;
|
||||
scanner) base_delta="$SCORE_SCANNER" ;;
|
||||
brute_force) base_delta="$SCORE_BRUTE_FORCE" ;;
|
||||
*) base_delta="$SCORE_DEFAULT" ;;
|
||||
esac
|
||||
|
||||
# Apply sensitivity multiplier
|
||||
local delta
|
||||
delta=$(apply_sensitivity "$base_delta")
|
||||
|
||||
update_ip_reputation "$ip" "$event_type" "$delta"
|
||||
|
||||
# Build full correlation entry with context from all streams
|
||||
@ -52,19 +143,23 @@ process_threat_event() {
|
||||
# Save to correlation log
|
||||
save_correlation "$entry"
|
||||
|
||||
# Check for auto-ban
|
||||
# Check for auto-ban (skip if whitelisted)
|
||||
if [ "$AUTO_BAN" = "1" ]; then
|
||||
local reputation
|
||||
reputation=$(get_ip_reputation "$ip")
|
||||
if is_whitelisted "$ip"; then
|
||||
echo "[$(date '+%H:%M:%S')] IP $ip is whitelisted, skipping auto-ban"
|
||||
else
|
||||
local reputation
|
||||
reputation=$(get_ip_reputation "$ip")
|
||||
|
||||
if [ "$reputation" -ge "$AUTO_BAN_THRESHOLD" ]; then
|
||||
echo "[$(date '+%H:%M:%S')] Auto-banning $ip (reputation: $reputation)"
|
||||
notify_crowdsec "$ip" "dpi-dual-autoban" "4h"
|
||||
if [ "$reputation" -ge "$AUTO_BAN_THRESHOLD" ]; then
|
||||
echo "[$(date '+%H:%M:%S')] Auto-banning $ip (reputation: $reputation, duration: $AUTO_BAN_DURATION)"
|
||||
notify_crowdsec "$ip" "dpi-dual-autoban" "$AUTO_BAN_DURATION"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
# Send notification if enabled
|
||||
if [ "$NOTIFICATION_ENABLED" = "1" ] && [ "$threat_score" -ge 70 ]; then
|
||||
# Send notification if enabled and score meets threshold
|
||||
if [ "$NOTIFICATION_ENABLED" = "1" ] && [ "$threat_score" -ge "$NOTIFICATION_THRESHOLD" ]; then
|
||||
send_notification "$ip" "$event_type" "$reason" "$threat_score"
|
||||
fi
|
||||
}
|
||||
@ -223,21 +318,152 @@ run_correlator() {
|
||||
load_config
|
||||
init_reputation_db
|
||||
|
||||
local decay_amount
|
||||
config_get decay_amount correlation reputation_decay "5"
|
||||
|
||||
echo "DPI Correlator v2 started"
|
||||
echo " Correlation window: ${WINDOW}s"
|
||||
echo " Watch CrowdSec: $WATCH_CROWDSEC"
|
||||
echo " Auto-ban: $AUTO_BAN (threshold: $AUTO_BAN_THRESHOLD)"
|
||||
echo " Notifications: $NOTIFICATION_ENABLED"
|
||||
echo " Sensitivity: $SENSITIVITY"
|
||||
echo " Auto-ban: $AUTO_BAN (threshold: $AUTO_BAN_THRESHOLD, duration: $AUTO_BAN_DURATION)"
|
||||
echo " Notifications: $NOTIFICATION_ENABLED (threshold: $NOTIFICATION_THRESHOLD)"
|
||||
echo " Reputation decay: $decay_amount points every ${DECAY_INTERVAL}s"
|
||||
echo " Whitelist:$WHITELIST_IPS"
|
||||
|
||||
local last_decay_time=0
|
||||
|
||||
while true; do
|
||||
watch_waf_alerts
|
||||
watch_crowdsec_decisions
|
||||
watch_dpi_flows
|
||||
|
||||
# Run reputation decay periodically
|
||||
local now
|
||||
now=$(date +%s)
|
||||
if [ $((now - last_decay_time)) -ge "$DECAY_INTERVAL" ]; then
|
||||
decay_all_reputations "$decay_amount"
|
||||
last_decay_time="$now"
|
||||
fi
|
||||
|
||||
sleep 5
|
||||
done
|
||||
}
|
||||
|
||||
# Show current tuning configuration
|
||||
show_tuning() {
|
||||
load_config
|
||||
cat << EOF
|
||||
=== DPI Correlator Tuning ===
|
||||
|
||||
Sensitivity: $SENSITIVITY (multiplier: $(get_sensitivity_multiplier "$SENSITIVITY")%)
|
||||
|
||||
Scoring Weights:
|
||||
waf_block: $SCORE_WAF_BLOCK
|
||||
waf_alert: $SCORE_WAF_ALERT
|
||||
crowdsec_ban: $SCORE_CROWDSEC_BAN
|
||||
dpi_threat: $SCORE_DPI_THREAT
|
||||
scanner: $SCORE_SCANNER
|
||||
brute_force: $SCORE_BRUTE_FORCE
|
||||
default: $SCORE_DEFAULT
|
||||
|
||||
Auto-Ban:
|
||||
Enabled: $AUTO_BAN
|
||||
Threshold: $AUTO_BAN_THRESHOLD
|
||||
Duration: $AUTO_BAN_DURATION
|
||||
|
||||
Notifications:
|
||||
Enabled: $NOTIFICATION_ENABLED
|
||||
Threshold: $NOTIFICATION_THRESHOLD
|
||||
|
||||
Reputation Decay:
|
||||
Amount: $(uci -q get dpi-dual.correlation.reputation_decay || echo 5) points
|
||||
Interval: ${DECAY_INTERVAL}s
|
||||
|
||||
Whitelist:$WHITELIST_IPS
|
||||
EOF
|
||||
}
|
||||
|
||||
# Set tuning parameter
|
||||
set_tuning() {
|
||||
local param="$1"
|
||||
local value="$2"
|
||||
|
||||
case "$param" in
|
||||
sensitivity)
|
||||
case "$value" in
|
||||
low|medium|high|custom)
|
||||
uci set dpi-dual.correlation.sensitivity="$value"
|
||||
uci commit dpi-dual
|
||||
echo "Sensitivity set to: $value"
|
||||
;;
|
||||
*)
|
||||
echo "Error: Invalid sensitivity. Use: low, medium, high, custom"
|
||||
return 1
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
threshold)
|
||||
if [ "$value" -ge 0 ] && [ "$value" -le 100 ] 2>/dev/null; then
|
||||
uci set dpi-dual.correlation.auto_ban_threshold="$value"
|
||||
uci commit dpi-dual
|
||||
echo "Auto-ban threshold set to: $value"
|
||||
else
|
||||
echo "Error: Threshold must be 0-100"
|
||||
return 1
|
||||
fi
|
||||
;;
|
||||
duration)
|
||||
uci set dpi-dual.correlation.auto_ban_duration="$value"
|
||||
uci commit dpi-dual
|
||||
echo "Auto-ban duration set to: $value"
|
||||
;;
|
||||
decay)
|
||||
if [ "$value" -ge 0 ] && [ "$value" -le 50 ] 2>/dev/null; then
|
||||
uci set dpi-dual.correlation.reputation_decay="$value"
|
||||
uci commit dpi-dual
|
||||
echo "Reputation decay set to: $value points"
|
||||
else
|
||||
echo "Error: Decay must be 0-50"
|
||||
return 1
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
echo "Unknown parameter: $param"
|
||||
echo "Valid parameters: sensitivity, threshold, duration, decay"
|
||||
return 1
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
# Whitelist management
|
||||
manage_whitelist() {
|
||||
local action="$1"
|
||||
local ip="$2"
|
||||
|
||||
case "$action" in
|
||||
add)
|
||||
[ -z "$ip" ] && { echo "Usage: $0 whitelist add <ip>"; return 1; }
|
||||
uci add_list dpi-dual.whitelist.ip="$ip"
|
||||
uci commit dpi-dual
|
||||
echo "Added $ip to whitelist"
|
||||
;;
|
||||
remove)
|
||||
[ -z "$ip" ] && { echo "Usage: $0 whitelist remove <ip>"; return 1; }
|
||||
uci del_list dpi-dual.whitelist.ip="$ip"
|
||||
uci commit dpi-dual
|
||||
echo "Removed $ip from whitelist"
|
||||
;;
|
||||
list)
|
||||
load_config
|
||||
echo "Whitelisted IPs:$WHITELIST_IPS"
|
||||
;;
|
||||
*)
|
||||
echo "Usage: $0 whitelist <add|remove|list> [ip]"
|
||||
return 1
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
# CLI interface
|
||||
case "$1" in
|
||||
start)
|
||||
@ -276,6 +502,28 @@ case "$1" in
|
||||
get_correlation_stats
|
||||
;;
|
||||
|
||||
tune)
|
||||
# Tuning commands: dpi-correlator tune [param] [value]
|
||||
if [ -z "$2" ]; then
|
||||
show_tuning
|
||||
else
|
||||
set_tuning "$2" "$3"
|
||||
fi
|
||||
;;
|
||||
|
||||
whitelist)
|
||||
# Whitelist management: dpi-correlator whitelist <add|remove|list> [ip]
|
||||
manage_whitelist "$2" "$3"
|
||||
;;
|
||||
|
||||
decay)
|
||||
# Manual decay trigger: dpi-correlator decay [amount]
|
||||
init_reputation_db
|
||||
local amount="${2:-5}"
|
||||
decay_all_reputations "$amount"
|
||||
echo "Decayed all reputations by $amount points"
|
||||
;;
|
||||
|
||||
status)
|
||||
load_config
|
||||
echo "=== Correlator Status ==="
|
||||
@ -285,6 +533,9 @@ case "$1" in
|
||||
echo "Status: STOPPED"
|
||||
fi
|
||||
echo ""
|
||||
echo "Sensitivity: $SENSITIVITY"
|
||||
echo "Auto-ban: $AUTO_BAN (threshold: $AUTO_BAN_THRESHOLD)"
|
||||
echo ""
|
||||
get_correlation_stats
|
||||
;;
|
||||
|
||||
@ -302,8 +553,17 @@ Commands:
|
||||
search [ip] [limit] Search correlation log
|
||||
stats Show correlation statistics
|
||||
status Show correlator status
|
||||
tune [param] [value] Show/set tuning parameters
|
||||
whitelist <action> [ip] Manage IP whitelist
|
||||
decay [amount] Manually trigger reputation decay
|
||||
|
||||
Configuration: /etc/config/dpi-dual (correlation section)
|
||||
Tuning parameters:
|
||||
sensitivity <low|medium|high|custom>
|
||||
threshold <0-100> Auto-ban reputation threshold
|
||||
duration <time> Auto-ban duration (e.g., 4h, 1d)
|
||||
decay <0-50> Points to decay per interval
|
||||
|
||||
Configuration: /etc/config/dpi-dual
|
||||
EOF
|
||||
exit 1
|
||||
;;
|
||||
|
||||