gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,161 Commits 4 Branches 293 Tags 320 MiB
f3f6eb4e4b
Commit Graph

5 Commits

Author SHA1 Message Date
CyberMind-FR
cac9fa3e4f fix(mitmproxy): Fix false positives for legitimate browsers 
- Remove 'mozilla/5.0' from BOT_SIGNATURES - was flagging ALL modern
  browsers as bots since this is the standard UA prefix
- Fix suspicious UA detection - no longer flags normal browsers
- Increase CrowdSec bruteforce threshold from 5/30s to 10/60s to reduce
  false positives from normal login flows

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-14 05:51:53 +01:00
CyberMind-FR
418cb2c76e fix(mitmproxy): Fix SSRF false positives for internal traffic 
SSRF detection was triggering on any request to internal IPs
(192.168.x.x, 10.x.x.x, etc.) because it was checking the target
URL itself. Now only checks query parameters and request body for
SSRF patterns, which is where actual SSRF attacks occur.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-14 05:38:26 +01:00
CyberMind-FR
e58f479cd4 feat(waf): Update WAF scenarios with 2024-2025 CVEs and OWASP threats 
Add detection patterns for latest actively exploited vulnerabilities:
- CVE-2025-55182 (React2Shell, CVSS 10.0)
- CVE-2025-8110 (Gogs RCE), CVE-2025-53770 (SharePoint)
- CVE-2025-52691 (SmarterMail), CVE-2025-40551 (SolarWinds)
- CVE-2024-47575 (FortiManager), CVE-2024-21887 (Ivanti)
- CVE-2024-3400, CVE-2024-0012, CVE-2024-9474 (PAN-OS)

New attack categories based on OWASP Top 10 2025:
- HTTP Request Smuggling (TE.CL/CL.TE conflicts)
- AI/LLM Prompt Injection (ChatML, instruction markers)
- WAF Bypass techniques (Unicode normalization, double encoding)
- Supply Chain attacks (CI/CD poisoning, dependency confusion)
- Extended SSTI (Jinja2, Freemarker, Velocity, Thymeleaf)
- API Abuse (BOLA/IDOR, mass assignment)

CrowdSec scenarios split into 11 separate files for reliability.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-12 05:02:57 +01:00
CyberMind-FR
adec1144d6 feat: Streamlit ZIP flatten, mitmproxy bot whitelist, Fabricator app 
- Add extract_zip_flatten() to Streamlit RPCD for nested ZIP handling
- Add bot whitelist to mitmproxy WAF (Facebook, Google, Bing crawlers)
- Skip threat detection for whitelisted legitimate crawlers
- Track Fabricator app and stats evolution in HISTORY.md

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-07 09:59:20 +01:00
CyberMind-FR
e31e43b8d7 feat(mitmproxy): Add modular WAF rules with CVE patterns and autoban fixes 
- Add waf-rules.json with 46 patterns across 8 categories:
  - sqli, xss, lfi, rce (OWASP Top 10)
  - cve_2024 (recent CVE exploits)
  - scanners, webmail, api_abuse
- Add waf_loader.py dynamic rules loader module
- Add mitmproxy-waf-sync UCI to JSON config sync script
- Fix GeoIP: install geoip2 package in container
- Fix autoban: add cron job, lower min_severity to "high"
- Enable WAF for webmail (mail.secubox.in)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-07 07:46:26 +01:00