a469076297
feat(waf): Add CVE-2025-14528 router botnet detection
Add new router_botnet WAF category for IoT/router exploitation:
CVE-2025-14528 (D-Link DIR-803 getcfg.php):
- AUTHORIZED_GROUP parameter manipulation
- SERVICES=DEVICE.ACCOUNT enumeration
- Newline injection bypass (%0a, %0d)
Additional router exploit patterns:
- D-Link hedwig.cgi, HNAP, service.cgi RCE
- UPnP SOAP injection
- Goform command injection
- ASUS/TP-Link/Netgear/Zyxel exploits
Mirai-variant botnet scanner detection:
- User-Agent signatures (Mirai, Hajime, Mozi, BotenaGo, etc.)
- Router payload injection patterns
Sources: CrowdSec Threat Intel, Global Security Mag
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-24 11:04:05 +01:00

64bfeccfdb
feat(mitmproxy): Add VoIP/XMPP WAF protection rules
New WAF categories for VoIP and Jabber security:
- voip: SIP header injection, ARI command injection, FreePBX RCE,
  AMI web access, multipart traversal, Digest auth attacks
- xmpp: XSS in messages/presence, BOSH hijack, XXE via XInclude,
  WebSocket XSS, HTTP upload abuse, null byte in JID
- cve_voip: Asterisk PJSIP crash (CVE-2021-26906), negative CL DoS,
  Via header overflow, Route header crash, SDP buffer overflow,
  CSeq method overflow, FreePBX/Kamailio/OpenSIPS CVEs
- cve_xmpp: Prosody namespace confusion, stream DoS, upload DoS,
  ejabberd disco leak, Converse.js XSS, Strophe.js parsing crash,
  Tigase unauth user creation
Also added:
- UCI waf_rules section with toggles for all 12 categories
- Auto-ban options for VoIP/XMPP attack patterns
- Updated waf-sync script for new categories
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-19 10:43:06 +01:00

e31e43b8d7
feat(mitmproxy): Add modular WAF rules with CVE patterns and autoban fixes
- Add waf-rules.json with 46 patterns across 8 categories:
  - sqli, xss, lfi, rce (OWASP Top 10)
  - cve_2024 (recent CVE exploits)
  - scanners, webmail, api_abuse
- Add waf_loader.py dynamic rules loader module
- Add mitmproxy-waf-sync UCI to JSON config sync script
- Fix GeoIP: install geoip2 package in container
- Fix autoban: add cron job, lower min_severity to "high"
- Enable WAF for webmail (mail.secubox.in)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-07 07:46:26 +01:00