From ccccd3d93b292f47519c5a5eaae66ae69aa85ad8 Mon Sep 17 00:00:00 2001 From: CyberMind-FR Date: Sun, 15 Mar 2026 15:37:55 +0100 Subject: [PATCH] feat(dpi-dual): Add WAF auto-ban tuning system - UCI config: Add scoring section with event weights, sensitivity presets, whitelist, and decay options - dpi-correlator: Load scoring weights from UCI, apply sensitivity multipliers, check whitelist before auto-ban, periodic reputation decay - CLI: New 'tune', 'whitelist', 'decay' commands for runtime configuration - RPCD: 6 new methods - get_tuning, set_tuning, whitelist_add/remove/list, reset_reputation - ACL: Added permissions for new tuning methods Sensitivity presets: - low (0.7x) - fewer false positives - medium (1.0x) - balanced (default) - high (1.3x) - aggressive detection Co-Authored-By: Claude Opus 4.5 --- .claude/HISTORY.md | 11 + .claude/WIP.md | 16 +- .../root/usr/libexec/rpcd/luci.dpi-dual | 187 +++++++++++ .../share/rpcd/acl.d/luci-app-dpi-dual.json | 10 +- .../files/etc/config/dpi-dual | 28 ++ .../files/usr/lib/dpi-dual/correlation-lib.sh | 62 ++++ .../files/usr/sbin/dpi-correlator | 298 ++++++++++++++++-- 7 files changed, 585 insertions(+), 27 deletions(-) diff --git a/.claude/HISTORY.md b/.claude/HISTORY.md index 2931e61d..44ba8ec2 100644 --- a/.claude/HISTORY.md +++ b/.claude/HISTORY.md 
@@ -5259,3 +5259,14 @@ git checkout HEAD -- index.html - RTTY Remote Dashboard: "Deploy ttyd to All" button and per-node ttyd button in actions column - Modal dialogs for confirmation, progress, and result display - Full mesh provisioning workflow now accessible via web UI + +- **WAF Auto-Ban Tuning System (Complete)** + - Configurable scoring weights via UCI `scoring` section + - Sensitivity presets: low (0.7x), medium (1.0x), high (1.3x), custom + - Whitelist support: IPs/CIDRs that skip auto-ban (`whitelist` section) + - Configurable auto-ban duration and notification threshold + - Reputation decay: Periodic score reduction for inactive IPs + - CLI commands: `dpi-correlator tune`, `dpi-correlator whitelist`, `dpi-correlator decay` + - 6 new RPCD methods: get_tuning, set_tuning, whitelist_add, whitelist_remove, whitelist_list, reset_reputation + - UCi config updated with scoring weights, sensitivity, whitelist, decay options + - Enables fine-tuning of auto-ban sensitivity for production traffic diff --git a/.claude/WIP.md b/.claude/WIP.md index 40369e66..113df621 100644 --- a/.claude/WIP.md +++ b/.claude/WIP.md @@ -1,6 +1,6 @@ # Work In Progress (Claude) -_Last updated: 2026-03-16 (DPI LAN Passive Analysis)_ +_Last updated: 2026-03-16 (WAF Auto-Ban Tuning)_ > **Architecture Reference**: SecuBox Fanzine v3 — Les 4 Couches 
@@ -10,6 +10,15 @@ _Last updated: 2026-03-16 (DPI LAN Passive Analysis)_ ### 2026-03-16 +- **WAF Auto-Ban Tuning System (Complete)** + - Configurable scoring weights via UCI `scoring` section + - Sensitivity presets: low (0.7x), medium (1.0x), high (1.3x), custom + - Whitelist support: IPs/CIDRs that skip auto-ban + - Configurable auto-ban duration, notification threshold, reputation decay + - CLI: `dpi-correlator tune [param] [value]`, `whitelist add/remove/list`, `decay [amount]` + - 6 new RPCD methods for UI integration + - Enables fine-tuning for production traffic with fewer false positives + - **LuCI Provisioning Dashboard (Complete)** - Config Vault dashboard: "Device Provisioning" card with 3 action buttons - "Provision Remote" - Modal dialog to push clone to remote node @@ -661,11 +670,6 @@ _Last updated: 2026-03-16 (DPI LAN Passive Analysis)_ All core features complete. Optional polish tasks remain. -### v1.1+ Extended Mesh - -1. **WAF Auto-Ban Tuning** (optional, as-needed) - - Sensitivity threshold adjustment based on production traffic - ### Backlog - SSMTP / mail host / MX record management (v2) diff --git a/package/secubox/luci-app-dpi-dual/root/usr/libexec/rpcd/luci.dpi-dual b/package/secubox/luci-app-dpi-dual/root/usr/libexec/rpcd/luci.dpi-dual index a512abe7..198bb656 100644 --- a/package/secubox/luci-app-dpi-dual/root/usr/libexec/rpcd/luci.dpi-dual +++ b/package/secubox/luci-app-dpi-dual/root/usr/libexec/rpcd/luci.dpi-dual @@ -43,6 +43,12 @@ case "$1" in "correlate_ip": {"ip": "string"}, "ban_ip": {"ip": "string", "duration": "string"}, "set_auto_ban": {"enabled": true}, + "get_tuning": {}, + "set_tuning": {"param": "string", "value": "string"}, + "whitelist_add": {"ip": "string"}, + "whitelist_remove": {"ip": "string"}, + "whitelist_list": {}, + "reset_reputation": {"ip": "string"}, "get_lan_status": {}, "get_lan_clients": {}, "get_lan_destinations": {"limit": 100}, 
@@ -388,6 +394,187 @@ EOF echo '{"success": true, "auto_ban": '$val'}' ;; + get_tuning) + config_load dpi-dual + + # Load correlation settings + sensitivity="" threshold="" duration="" notifications="" + notif_threshold="" decay="" decay_interval="" + config_get sensitivity correlation sensitivity "medium" + config_get threshold correlation auto_ban_threshold "80" + config_get duration correlation auto_ban_duration "4h" + config_get notifications correlation notifications "1" + config_get notif_threshold correlation notification_threshold "70" + config_get decay correlation reputation_decay "5" + config_get decay_interval correlation decay_interval "3600" + + # Load scoring weights + waf_block="" waf_alert="" cs_ban="" dpi_threat="" scanner="" brute_force="" default_score="" + config_get waf_block scoring waf_block "25" + config_get waf_alert scoring waf_alert "15" + config_get cs_ban scoring crowdsec_ban "30" + config_get dpi_threat scoring dpi_threat "20" + config_get scanner scoring scanner "35" + config_get brute_force scoring brute_force "40" + config_get default_score scoring default "10" + + # Calculate sensitivity multiplier + case "$sensitivity" in + low) mult=70 ;; + medium) mult=100 ;; + high) mult=130 ;; + *) mult=100 ;; + esac + + cat << EOF +{ + "sensitivity": "$sensitivity", + "sensitivity_multiplier": $mult, + "auto_ban_threshold": $threshold, + "auto_ban_duration": "$duration", + "notifications": $notifications, + "notification_threshold": $notif_threshold, + "reputation_decay": $decay, + "decay_interval": $decay_interval, + "scoring": { + "waf_block": $waf_block, + "waf_alert": $waf_alert, + "crowdsec_ban": $cs_ban, + "dpi_threat": $dpi_threat, + "scanner": $scanner, + "brute_force": $brute_force, + "default": $default_score + } +} +EOF + ;; + + set_tuning) + read "$3" + json_load "$REPLY" + json_get_var param param "" + json_get_var value value "" + + if [ -z "$param" ] || [ -z "$value" ]; then + echo '{"success": false, "error": "param and value 
required"}' + else + case "$param" in + sensitivity) + case "$value" in + low|medium|high|custom) + uci set dpi-dual.correlation.sensitivity="$value" + uci commit dpi-dual + echo '{"success": true, "param": "sensitivity", "value": "'"$value"'"}' + ;; + *) + echo '{"success": false, "error": "Invalid sensitivity: use low, medium, high, or custom"}' + ;; + esac + ;; + threshold) + if [ "$value" -ge 0 ] && [ "$value" -le 100 ] 2>/dev/null; then + uci set dpi-dual.correlation.auto_ban_threshold="$value" + uci commit dpi-dual + echo '{"success": true, "param": "threshold", "value": '$value'}' + else + echo '{"success": false, "error": "Threshold must be 0-100"}' + fi + ;; + duration) + uci set dpi-dual.correlation.auto_ban_duration="$value" + uci commit dpi-dual + echo '{"success": true, "param": "duration", "value": "'"$value"'"}' + ;; + decay) + if [ "$value" -ge 0 ] && [ "$value" -le 50 ] 2>/dev/null; then + uci set dpi-dual.correlation.reputation_decay="$value" + uci commit dpi-dual + echo '{"success": true, "param": "decay", "value": '$value'}' + else + echo '{"success": false, "error": "Decay must be 0-50"}' + fi + ;; + notification_threshold) + if [ "$value" -ge 0 ] && [ "$value" -le 100 ] 2>/dev/null; then + uci set dpi-dual.correlation.notification_threshold="$value" + uci commit dpi-dual + echo '{"success": true, "param": "notification_threshold", "value": '$value'}' + else + echo '{"success": false, "error": "Notification threshold must be 0-100"}' + fi + ;; + waf_block|waf_alert|crowdsec_ban|dpi_threat|scanner|brute_force|default) + if [ "$value" -ge 0 ] && [ "$value" -le 100 ] 2>/dev/null; then + uci set dpi-dual.scoring."$param"="$value" + uci commit dpi-dual + echo '{"success": true, "param": "'"$param"'", "value": '$value'}' + else + echo '{"success": false, "error": "Score weight must be 0-100"}' + fi + ;; + *) + echo '{"success": false, "error": "Unknown param: '"$param"'"}' + ;; + esac + fi + ;; + + whitelist_add) + read "$3" + json_load "$REPLY" + 
json_get_var ip ip "" + + if [ -z "$ip" ]; then + echo '{"success": false, "error": "IP required"}' + else + uci add_list dpi-dual.whitelist.ip="$ip" + uci commit dpi-dual + echo '{"success": true, "message": "Added '"$ip"' to whitelist"}' + fi + ;; + + whitelist_remove) + read "$3" + json_load "$REPLY" + json_get_var ip ip "" + + if [ -z "$ip" ]; then + echo '{"success": false, "error": "IP required"}' + else + uci del_list dpi-dual.whitelist.ip="$ip" + uci commit dpi-dual + echo '{"success": true, "message": "Removed '"$ip"' from whitelist"}' + fi + ;; + + whitelist_list) + config_load dpi-dual + + # Collect whitelist IPs + wl_ips="" + append_wl_ip() { + [ -n "$wl_ips" ] && wl_ips="$wl_ips," + wl_ips="$wl_ips\"$1\"" + } + config_list_foreach whitelist ip append_wl_ip + + echo "{\"whitelist\": [$wl_ips]}" + ;; + + reset_reputation) + read "$3" + json_load "$REPLY" + json_get_var ip ip "" + + if [ -z "$ip" ]; then + echo '{"success": false, "error": "IP required"}' + else + . /usr/lib/dpi-dual/correlation-lib.sh + reset_ip_reputation "$ip" + echo '{"success": true, "message": "Reset reputation for '"$ip"'"}' + fi + ;; + get_lan_status) # LAN passive flow analysis status config_load dpi-dual diff --git a/package/secubox/luci-app-dpi-dual/root/usr/share/rpcd/acl.d/luci-app-dpi-dual.json b/package/secubox/luci-app-dpi-dual/root/usr/share/rpcd/acl.d/luci-app-dpi-dual.json index 4cd17e7d..6427e0ff 100644 --- a/package/secubox/luci-app-dpi-dual/root/usr/share/rpcd/acl.d/luci-app-dpi-dual.json +++ b/package/secubox/luci-app-dpi-dual/root/usr/share/rpcd/acl.d/luci-app-dpi-dual.json @@ -18,7 +18,9 @@ "get_lan_status", "get_lan_clients", "get_lan_destinations", - "get_lan_protocols" + "get_lan_protocols", + "get_tuning", + "whitelist_list" ] }, "uci": ["dpi-dual"] @@ -32,7 +34,11 @@ "replay_request", "correlate_ip", "ban_ip", - "set_auto_ban" + "set_auto_ban", + "set_tuning", + "whitelist_add", + "whitelist_remove", + "reset_reputation" ] }, "uci": ["dpi-dual"] 
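Review bot: `whitelist_add`, `whitelist_remove` and `reset_reputation` accept any non-empty `ip` string and pass it straight to `uci add_list`/`uci del_list`, to `reset_ip_reputation` (where it lands unescaped in a sed expression) and into the JSON `"message"` by string concatenation; the correlator later word-splits the stored list and uses each entry as an unquoted `case` pattern, so an entry containing shell glob characters would match far more addresses than intended. Restrict the value to the IPv4/prefix shape that `is_whitelisted` actually handles before any of those uses, e.g. `case "$ip" in *[!0-9./]*|'') ip='' ;; esac` placed just before the existing `[ -z "$ip" ]` check (or a dedicated `"Invalid IP"` error branch if a distinct message is wanted). The same gap exists in `manage_whitelist` in the dpi-correlator hunk at `@@ -223,21 +318,152 @@`. Separately, the `duration)` arm of `set_tuning` is the only one that stores `$value` with no check at all, so an empty or malformed duration is committed to UCI and later handed to `notify_crowdsec`; the CLI `set_tuning` in that same correlator hunk has the identical gap, and at minimum both should reject an empty value with `[ -n "$value" ] || { echo '{"success": false, "error": "duration required"}'; }`.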
diff --git a/package/secubox/secubox-dpi-dual/files/etc/config/dpi-dual b/package/secubox/secubox-dpi-dual/files/etc/config/dpi-dual index 1f35ed16..77b229f4 100644 --- a/package/secubox/secubox-dpi-dual/files/etc/config/dpi-dual +++ b/package/secubox/secubox-dpi-dual/files/etc/config/dpi-dual @@ -27,8 +27,36 @@ config correlation 'correlation' option watch_crowdsec '1' option auto_ban '0' option auto_ban_threshold '80' + option auto_ban_duration '4h' option notifications '1' + option notification_threshold '70' option reputation_decay '5' + option decay_interval '3600' + # Sensitivity preset: low, medium, high, custom + option sensitivity 'medium' + +# Event scoring weights (used when sensitivity=custom) +config scoring 'scoring' + option waf_block '25' + option waf_alert '15' + option crowdsec_ban '30' + option dpi_threat '20' + option scanner '35' + option brute_force '40' + option default '10' + +# Sensitivity presets +# low: fewer false positives, only clear threats trigger ban +# medium: balanced detection (default) +# high: aggressive, more false positives but catches more threats + +# Whitelist - IPs that should never be auto-banned +config whitelist 'whitelist' + list ip '127.0.0.1' + list ip '192.168.255.1' + # Add trusted IPs here: + # list ip '10.0.0.0/8' + # list ip '192.168.0.0/16' # LAN TAP - Real-time passive flow analysis # No MITM, no caching - just nDPI flow monitoring diff --git a/package/secubox/secubox-dpi-dual/files/usr/lib/dpi-dual/correlation-lib.sh b/package/secubox/secubox-dpi-dual/files/usr/lib/dpi-dual/correlation-lib.sh index b79c91e4..70b0220d 100644 --- a/package/secubox/secubox-dpi-dual/files/usr/lib/dpi-dual/correlation-lib.sh +++ b/package/secubox/secubox-dpi-dual/files/usr/lib/dpi-dual/correlation-lib.sh 
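Review bot: The comment `# Event scoring weights (used when sensitivity=custom)` does not describe how the correlator uses this section: `load_config` in dpi-correlator reads the `scoring` options unconditionally and `process_threat_event` takes every event's base delta from them for all presets, with `sensitivity` only scaling the result (custom = 1.0x). Reword it to `# Event scoring weights: base points per event, scaled by the sensitivity preset (used as-is when sensitivity=custom)` so an operator editing these values knows they affect low/medium/high too. The preset description block placed after the scoring section would read more naturally next to `option sensitivity 'medium'`, which it documents.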
@@ -65,6 +65,68 @@ update_ip_reputation() { mv "$tmp_file" "$REPUTATION_DB" } +# Decay all IP reputations by a fixed amount +# Called periodically to let old threats "heal" +decay_all_reputations() { + local decay_amount="${1:-5}" + + init_reputation_db + + [ ! -f "$REPUTATION_DB" ] && return 0 + + local tmp_file="/tmp/reputation_decay_$$.json" + local now + now=$(date -Iseconds) + + # Process each IP in the reputation DB + # Extract IPs and their scores, apply decay + local ip score new_score + + # Read current state + cp "$REPUTATION_DB" "$tmp_file" + + # Get all IPs from the JSON + local ips + ips=$(grep -oE '"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"' "$REPUTATION_DB" | tr -d '"' | sort -u) + + for ip in $ips; do + score=$(jsonfilter -i "$REPUTATION_DB" -e "@[\"$ip\"].score" 2>/dev/null || echo 0) + new_score=$((score - decay_amount)) + [ "$new_score" -lt 0 ] && new_score=0 + + if [ "$new_score" -eq 0 ]; then + # Remove entries that have decayed to 0 + sed -i "s/\"$ip\":{[^}]*},\?//" "$tmp_file" + else + # Update score + sed -i "s/\"$ip\":{\"score\":[0-9]*/\"$ip\":{\"score\":$new_score/" "$tmp_file" + fi + done + + # Clean up JSON (remove trailing commas, empty entries) + sed -i 's/,\s*}/}/g; s/{\s*,/{/g; s/,,/,/g' "$tmp_file" + + mv "$tmp_file" "$REPUTATION_DB" +} + +# Reset reputation for a specific IP +reset_ip_reputation() { + local ip="$1" + + init_reputation_db + [ ! -f "$REPUTATION_DB" ] && return 0 + + local tmp_file="/tmp/reputation_reset_$$.json" + cp "$REPUTATION_DB" "$tmp_file" + + # Remove the IP entry + sed -i "s/\"$ip\":{[^}]*},\?//" "$tmp_file" + sed -i 's/,\s*}/}/g; s/{\s*,/{/g; s/,,/,/g' "$tmp_file" + + mv "$tmp_file" "$REPUTATION_DB" + echo "Reset reputation for $ip" +} + # Get MITM context for IP (recent requests) get_mitm_context() { local ip="$1" diff --git a/package/secubox/secubox-dpi-dual/files/usr/sbin/dpi-correlator b/package/secubox/secubox-dpi-dual/files/usr/sbin/dpi-correlator index 2c7c9589..e3b0525b 100644 
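Review bot: `reset_ip_reputation` interpolates the caller-supplied `$ip` unescaped into `sed -i "s/\"$ip\":{[^}]*},\?//"`, so a value containing `/` (such as a CIDR passed by mistake from the whitelist UI) makes sed fail with an invalid `s` command and the file is left untouched while the caller still reports success, and the unescaped dots match any character; `decay_all_reputations` is safe here only because its `ips` list comes from a dotted-quad grep. Guard the input and escape the dots before building the expression, e.g. `case "$ip" in ''|*[!0-9.]*) return 1 ;; esac` and `ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')`, then use `$ip_re` in the pattern. `now=$(date -Iseconds)` in `decay_all_reputations` is assigned but never used and should go. Both temp files use `/tmp/..._$$.json` rather than `mktemp`; the `$$`-based names are predictable, though on a tmpfs `/tmp` owned by root this is a hygiene point rather than an exposure. `init_reputation_db` and `REPUTATION_DB` are defined outside this hunk.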
--- a/package/secubox/secubox-dpi-dual/files/usr/sbin/dpi-correlator
+++ b/package/secubox/secubox-dpi-dual/files/usr/sbin/dpi-correlator
@@ -12,14 +12,99 @@ WINDOW="" WATCH_CROWDSEC="" AUTO_BAN="" AUTO_BAN_THRESHOLD="" +AUTO_BAN_DURATION="" NOTIFICATION_ENABLED="" +NOTIFICATION_THRESHOLD="" +SENSITIVITY="" +DECAY_INTERVAL="" + +# Scoring weights (loaded from UCI) +SCORE_WAF_BLOCK="" +SCORE_WAF_ALERT="" +SCORE_CROWDSEC_BAN="" +SCORE_DPI_THREAT="" +SCORE_SCANNER="" +SCORE_BRUTE_FORCE="" +SCORE_DEFAULT="" + +# Whitelist (loaded as space-separated IPs) +WHITELIST_IPS="" + +# Sensitivity multipliers +get_sensitivity_multiplier() { + case "$1" in + low) echo "70" ;; # 0.7x - fewer false positives + medium) echo "100" ;; # 1.0x - balanced (default) + high) echo "130" ;; # 1.3x - aggressive detection + custom) echo "100" ;; # 1.0x - use custom weights as-is + *) echo "100" ;; + esac +} load_config() { + # Correlation settings config_get WINDOW correlation window "60" config_get WATCH_CROWDSEC correlation watch_crowdsec "1" config_get AUTO_BAN correlation auto_ban "0" config_get AUTO_BAN_THRESHOLD correlation auto_ban_threshold "80" + config_get AUTO_BAN_DURATION correlation auto_ban_duration "4h" config_get NOTIFICATION_ENABLED correlation notifications "1" + config_get NOTIFICATION_THRESHOLD correlation notification_threshold "70" + config_get SENSITIVITY correlation sensitivity "medium" + config_get DECAY_INTERVAL correlation decay_interval "3600" + + # Load scoring weights from UCI + config_get SCORE_WAF_BLOCK scoring waf_block "25" + config_get SCORE_WAF_ALERT scoring waf_alert "15" + config_get SCORE_CROWDSEC_BAN scoring crowdsec_ban "30" + config_get SCORE_DPI_THREAT scoring dpi_threat "20" + config_get SCORE_SCANNER scoring scanner "35" + config_get SCORE_BRUTE_FORCE scoring brute_force "40" + config_get SCORE_DEFAULT scoring default "10" + + # Load whitelist IPs + WHITELIST_IPS="" + load_whitelist() { + config_get ip "$1" ip "" + [ -n "$ip" ] && WHITELIST_IPS="$WHITELIST_IPS $ip" + } + config_list_foreach whitelist ip append_whitelist_ip +} + +# Helper to load whitelist IPs +append_whitelist_ip() { 
+ WHITELIST_IPS="$WHITELIST_IPS $1" +} + +# Check if IP is in whitelist +is_whitelisted() { + local check_ip="$1" + local wl_ip + + for wl_ip in $WHITELIST_IPS; do + # Exact match + [ "$check_ip" = "$wl_ip" ] && return 0 + + # CIDR match (simplified - check if IP starts with network prefix) + case "$wl_ip" in + */*) + local network="${wl_ip%/*}" + case "$check_ip" in + ${network%.*}.*) return 0 ;; + esac + ;; + esac + done + + return 1 +} + +# Apply sensitivity multiplier to score +apply_sensitivity() { + local base_score="$1" + local multiplier + multiplier=$(get_sensitivity_multiplier "$SENSITIVITY") + echo $((base_score * multiplier / 100)) } # Process a threat event from any source @@ -33,16 +118,22 @@ process_threat_event() { echo "[$(date '+%H:%M:%S')] Processing threat: $ip ($event_type: $reason, score: $threat_score)" - # Update IP reputation - local delta=10 + # Get base delta from UCI scoring weights + local base_delta case "$event_type" in - waf_block) delta=25 ;; - waf_alert) delta=15 ;; - crowdsec_ban) delta=30 ;; - dpi_threat) delta=20 ;; - scanner) delta=35 ;; - *) delta=10 ;; + waf_block) base_delta="$SCORE_WAF_BLOCK" ;; + waf_alert) base_delta="$SCORE_WAF_ALERT" ;; + crowdsec_ban) base_delta="$SCORE_CROWDSEC_BAN" ;; + dpi_threat) base_delta="$SCORE_DPI_THREAT" ;; + scanner) base_delta="$SCORE_SCANNER" ;; + brute_force) base_delta="$SCORE_BRUTE_FORCE" ;; + *) base_delta="$SCORE_DEFAULT" ;; esac + + # Apply sensitivity multiplier + local delta + delta=$(apply_sensitivity "$base_delta") + update_ip_reputation "$ip" "$event_type" "$delta" # Build full correlation entry with context from all streams 
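Review bot: `is_whitelisted` does not implement the CIDR semantics its comment and the config examples (`10.0.0.0/8`, `192.168.0.0/16`) promise: it drops the last octet of the network address and matches `a.b.c.*`, so `/8`, `/16` and `/24` all behave as `/24`, and because `${network%.*}.*` is an unquoted `case` pattern a list entry containing glob characters matches far more than intended. Replace the prefix trick with an integer mask comparison as below, keeping the exact-match branch for plain addresses. `load_config` also defines an inner `load_whitelist()` that nothing calls — `config_list_foreach whitelist ip append_whitelist_ip` is the path actually used — so delete it to avoid misleading the next reader. All of these functions lie within this hunk.
```shell
# Dotted-quad -> 32-bit integer on stdout; returns 1 for anything that is
# not four numeric octets (octets are not range-checked).
ip_to_int() {
  case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  local IFS=.
  set -- $1
  [ $# -eq 4 ] || return 1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True when IPv4 address $2 lies inside CIDR block $1 (a.b.c.d/N)
cidr_contains() {
  local net="${1%/*}" bits="${1#*/}" net_int ip_int mask
  case "$bits" in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -le 32 ] || return 1
  net_int=$(ip_to_int "$net") || return 1
  ip_int=$(ip_to_int "$2") || return 1
  mask=$(( ((1 << bits) - 1) << (32 - bits) ))
  [ $(( net_int & mask )) -eq $(( ip_int & mask )) ]
}

# Check if IP is in whitelist (exact address or CIDR block)
is_whitelisted() {
  local check_ip="$1" wl_ip
  for wl_ip in $WHITELIST_IPS; do
    case "$wl_ip" in
      */*) cidr_contains "$wl_ip" "$check_ip" && return 0 ;;
      *)   [ "$check_ip" = "$wl_ip" ] && return 0 ;;
    esac
  done
  return 1
}

# … unchanged: apply_sensitivity …
```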
@@ -52,19 +143,23 @@ process_threat_event() { # Save to correlation log save_correlation "$entry" - # Check for auto-ban + # Check for auto-ban (skip if whitelisted) if [ "$AUTO_BAN" = "1" ]; then - local reputation - reputation=$(get_ip_reputation "$ip") + if is_whitelisted "$ip"; then + echo "[$(date '+%H:%M:%S')] IP $ip is whitelisted, skipping auto-ban" + else + local reputation + reputation=$(get_ip_reputation "$ip") - if [ "$reputation" -ge "$AUTO_BAN_THRESHOLD" ]; then - echo "[$(date '+%H:%M:%S')] Auto-banning $ip (reputation: $reputation)" - notify_crowdsec "$ip" "dpi-dual-autoban" "4h" + if [ "$reputation" -ge "$AUTO_BAN_THRESHOLD" ]; then + echo "[$(date '+%H:%M:%S')] Auto-banning $ip (reputation: $reputation, duration: $AUTO_BAN_DURATION)" + notify_crowdsec "$ip" "dpi-dual-autoban" "$AUTO_BAN_DURATION" + fi fi fi - # Send notification if enabled - if [ "$NOTIFICATION_ENABLED" = "1" ] && [ "$threat_score" -ge 70 ]; then + # Send notification if enabled and score meets threshold + if [ "$NOTIFICATION_ENABLED" = "1" ] && [ "$threat_score" -ge "$NOTIFICATION_THRESHOLD" ]; then send_notification "$ip" "$event_type" "$reason" "$threat_score" fi } 
@@ -223,21 +318,152 @@ run_correlator() { load_config init_reputation_db + local decay_amount + config_get decay_amount correlation reputation_decay "5" + echo "DPI Correlator v2 started" echo " Correlation window: ${WINDOW}s" echo " Watch CrowdSec: $WATCH_CROWDSEC" - echo " Auto-ban: $AUTO_BAN (threshold: $AUTO_BAN_THRESHOLD)" - echo " Notifications: $NOTIFICATION_ENABLED" + echo " Sensitivity: $SENSITIVITY" + echo " Auto-ban: $AUTO_BAN (threshold: $AUTO_BAN_THRESHOLD, duration: $AUTO_BAN_DURATION)" + echo " Notifications: $NOTIFICATION_ENABLED (threshold: $NOTIFICATION_THRESHOLD)" + echo " Reputation decay: $decay_amount points every ${DECAY_INTERVAL}s" + echo " Whitelist:$WHITELIST_IPS" + + local last_decay_time=0 while true; do watch_waf_alerts watch_crowdsec_decisions watch_dpi_flows + # Run reputation decay periodically + local now + now=$(date +%s) + if [ $((now - last_decay_time)) -ge "$DECAY_INTERVAL" ]; then + decay_all_reputations "$decay_amount" + last_decay_time="$now" + fi + sleep 5 done } +# Show current tuning configuration +show_tuning() { + load_config + cat << EOF +=== DPI Correlator Tuning === + +Sensitivity: $SENSITIVITY (multiplier: $(get_sensitivity_multiplier "$SENSITIVITY")%) + +Scoring Weights: + waf_block: $SCORE_WAF_BLOCK + waf_alert: $SCORE_WAF_ALERT + crowdsec_ban: $SCORE_CROWDSEC_BAN + dpi_threat: $SCORE_DPI_THREAT + scanner: $SCORE_SCANNER + brute_force: $SCORE_BRUTE_FORCE + default: $SCORE_DEFAULT + +Auto-Ban: + Enabled: $AUTO_BAN + Threshold: $AUTO_BAN_THRESHOLD + Duration: $AUTO_BAN_DURATION + +Notifications: + Enabled: $NOTIFICATION_ENABLED + Threshold: $NOTIFICATION_THRESHOLD + +Reputation Decay: + Amount: $(uci -q get dpi-dual.correlation.reputation_decay || echo 5) points + Interval: ${DECAY_INTERVAL}s + +Whitelist:$WHITELIST_IPS +EOF +} + +# Set tuning parameter +set_tuning() { + local param="$1" + local value="$2" + + case "$param" in + sensitivity) + case "$value" in + low|medium|high|custom) + uci set 
dpi-dual.correlation.sensitivity="$value" + uci commit dpi-dual + echo "Sensitivity set to: $value" + ;; + *) + echo "Error: Invalid sensitivity. Use: low, medium, high, custom" + return 1 + ;; + esac + ;; + threshold) + if [ "$value" -ge 0 ] && [ "$value" -le 100 ] 2>/dev/null; then + uci set dpi-dual.correlation.auto_ban_threshold="$value" + uci commit dpi-dual + echo "Auto-ban threshold set to: $value" + else + echo "Error: Threshold must be 0-100" + return 1 + fi + ;; + duration) + uci set dpi-dual.correlation.auto_ban_duration="$value" + uci commit dpi-dual + echo "Auto-ban duration set to: $value" + ;; + decay) + if [ "$value" -ge 0 ] && [ "$value" -le 50 ] 2>/dev/null; then + uci set dpi-dual.correlation.reputation_decay="$value" + uci commit dpi-dual + echo "Reputation decay set to: $value points" + else + echo "Error: Decay must be 0-50" + return 1 + fi + ;; + *) + echo "Unknown parameter: $param" + echo "Valid parameters: sensitivity, threshold, duration, decay" + return 1 + ;; + esac +} + +# Whitelist management +manage_whitelist() { + local action="$1" + local ip="$2" + + case "$action" in + add) + [ -z "$ip" ] && { echo "Usage: $0 whitelist add "; return 1; } + uci add_list dpi-dual.whitelist.ip="$ip" + uci commit dpi-dual + echo "Added $ip to whitelist" + ;; + remove) + [ -z "$ip" ] && { echo "Usage: $0 whitelist remove "; return 1; } + uci del_list dpi-dual.whitelist.ip="$ip" + uci commit dpi-dual + echo "Removed $ip from whitelist" + ;; + list) + load_config + echo "Whitelisted IPs:$WHITELIST_IPS" + ;; + *) + echo "Usage: $0 whitelist [ip]" + return 1 + ;; + esac +} + # CLI interface case "$1" in start) 
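Review bot: `run_correlator` initialises `last_decay_time=0`, so the first pass of the `while true` loop always satisfies `[ $((now - last_decay_time)) -ge "$DECAY_INTERVAL" ]` and runs `decay_all_reputations` immediately — every daemon restart knocks `decay_amount` points off every tracked address, which is not what "every ${DECAY_INTERVAL}s" in the startup banner promises. Initialise it to the start time instead: `local last_decay_time; last_decay_time=$(date +%s)`. `show_tuning` obtains `reputation_decay` with a direct `uci -q get` while `run_correlator` reads it via `config_get` and every other setting comes from `load_config`; loading it once in `load_config` (e.g. `config_get DECAY_AMOUNT correlation reputation_decay "5"`, in the hunk at `@@ -12,14 +12,99 @@`) would keep the two views consistent. The CLI `set_tuning` accepts only sensitivity/threshold/duration/decay whereas the RPCD method also accepts `notification_threshold` and the seven scoring weights, so the usage text should either say so or the CLI should gain the same arms.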
@@ -276,6 +502,28 @@ case "$1" in get_correlation_stats ;; + tune) + # Tuning commands: dpi-correlator tune [param] [value] + if [ -z "$2" ]; then + show_tuning + else + set_tuning "$2" "$3" + fi + ;; + + whitelist) + # Whitelist management: dpi-correlator whitelist [ip] + manage_whitelist "$2" "$3" + ;; + + decay) + # Manual decay trigger: dpi-correlator decay [amount] + init_reputation_db + local amount="${2:-5}" + decay_all_reputations "$amount" + echo "Decayed all reputations by $amount points" + ;; + status) load_config echo "=== Correlator Status ===" @@ -285,6 +533,9 @@ case "$1" in echo "Status: STOPPED" fi echo "" + echo "Sensitivity: $SENSITIVITY" + echo "Auto-ban: $AUTO_BAN (threshold: $AUTO_BAN_THRESHOLD)" + echo "" get_correlation_stats ;; @@ -302,8 +553,17 @@ Commands: search [ip] [limit] Search correlation log stats Show correlation statistics status Show correlator status + tune [param] [value] Show/set tuning parameters + whitelist [ip] Manage IP whitelist + decay [amount] Manually trigger reputation decay -Configuration: /etc/config/dpi-dual (correlation section) +Tuning parameters: + sensitivity + threshold <0-100> Auto-ban reputation threshold + duration
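Review bot: In the `decay)` arm, `local amount="${2:-5}"` runs in the top-level `case`, not inside a function; ash and bash both reject `local` outside a function, so the assignment fails, `decay_all_reputations` receives an empty argument (falling back to its own default of 5) and the final message prints an empty amount regardless of what the user passed. Drop the keyword and validate the value, e.g. `amount="${2:-5}"` followed by `case "$amount" in ''|*[!0-9]*) echo "Error: amount must be a whole number" >&2; exit 1 ;; esac`, since the value reaches `$((score - decay_amount))` in correlation-lib.sh. The `status)` hunk below prints `$SENSITIVITY` and `$AUTO_BAN` after `load_config`, which is fine, but it omits `$AUTO_BAN_DURATION` that the `start` banner now shows; printing both keeps the two status views aligned.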