secubox-openwrt

gandalf/secubox-openwrt

Fork 0

Commit Graph

Author	SHA1	Message	Date
CyberMind-FR	ccccd3d93b	feat(dpi-dual): Add WAF auto-ban tuning system - UCI config: Add scoring section with event weights, sensitivity presets, whitelist, and decay options - dpi-correlator: Load scoring weights from UCI, apply sensitivity multipliers, check whitelist before auto-ban, periodic reputation decay - CLI: New 'tune', 'whitelist', 'decay' commands for runtime configuration - RPCD: 6 new methods - get_tuning, set_tuning, whitelist_add/remove/list, reset_reputation - ACL: Added permissions for new tuning methods Sensitivity presets: - low (0.7x) - fewer false positives - medium (1.0x) - balanced (default) - high (1.3x) - aggressive detection Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-03-15 15:37:55 +01:00
CyberMind-FR	7ff9ee3805	feat(dpi): Phase 3 - Correlation engine + timeline view Correlation Library (correlation-lib.sh): - IP reputation tracking with configurable decay - Full context gathering from MITM, DPI, WAF streams - CrowdSec decision checking and notification - Correlation entry builder with rich context Enhanced Correlator (dpi-correlator v2): - Watches WAF alerts, CrowdSec decisions, DPI flows - Auto-ban for high-reputation IPs (threshold: 80) - Notification queue for high-severity threats - CLI: correlate, reputation, context, search, stats LuCI Timeline View: - Correlation timeline with colored event cards - IP context modal showing MITM requests + WAF alerts - Quick ban button with CrowdSec integration - Search by IP functionality - Stats: total, high-threat, banned, unique IPs RPCD Methods (8 new): - get_correlation_stats, get_ip_context, get_ip_reputation - get_timeline, search_correlations, ban_ip, set_auto_ban UCI Config: auto_ban, auto_ban_threshold, notifications Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-03-15 12:27:20 +01:00
CyberMind-FR	58a51eb271	feat(dpi): Implement Phase 1 of Dual-Stream DPI architecture - secubox-dpi-dual package with parallel MITM + Passive TAP analysis - TAP stream: tc mirred port mirroring to dummy interface for netifyd - Flow collector: Stats aggregation from netifyd, cleanup, JSON output - Correlation engine: Matches MITM WAF events with TAP flow data - Watches CrowdSec decisions and WAF alerts for threat enrichment - CLI: dpi-dualctl with start/stop/status/flows/threats/mirror commands - Procd service: manages flow-collector + correlator instances - MITM double buffer: dpi_buffer.py mitmproxy addon (Phase 2 prep) - UCI config: dual/mitm-only/tap-only mode selection Architecture: package/secubox/DUAL-STREAM-DPI.md Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-03-15 12:15:17 +01:00

Author

SHA1

Message

Date

CyberMind-FR

ccccd3d93b

feat(dpi-dual): Add WAF auto-ban tuning system

- UCI config: Add scoring section with event weights, sensitivity presets,
  whitelist, and decay options
- dpi-correlator: Load scoring weights from UCI, apply sensitivity
  multipliers, check whitelist before auto-ban, periodic reputation decay
- CLI: New 'tune', 'whitelist', 'decay' commands for runtime configuration
- RPCD: 6 new methods - get_tuning, set_tuning, whitelist_add/remove/list,
  reset_reputation
- ACL: Added permissions for new tuning methods

Sensitivity presets:
- low (0.7x) - fewer false positives
- medium (1.0x) - balanced (default)
- high (1.3x) - aggressive detection

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-03-15 15:37:55 +01:00

CyberMind-FR

7ff9ee3805

feat(dpi): Phase 3 - Correlation engine + timeline view

Correlation Library (correlation-lib.sh):
- IP reputation tracking with configurable decay
- Full context gathering from MITM, DPI, WAF streams
- CrowdSec decision checking and notification
- Correlation entry builder with rich context

Enhanced Correlator (dpi-correlator v2):
- Watches WAF alerts, CrowdSec decisions, DPI flows
- Auto-ban for high-reputation IPs (threshold: 80)
- Notification queue for high-severity threats
- CLI: correlate, reputation, context, search, stats

LuCI Timeline View:
- Correlation timeline with colored event cards
- IP context modal showing MITM requests + WAF alerts
- Quick ban button with CrowdSec integration
- Search by IP functionality
- Stats: total, high-threat, banned, unique IPs

RPCD Methods (8 new):
- get_correlation_stats, get_ip_context, get_ip_reputation
- get_timeline, search_correlations, ban_ip, set_auto_ban

UCI Config: auto_ban, auto_ban_threshold, notifications

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-03-15 12:27:20 +01:00

CyberMind-FR

58a51eb271

feat(dpi): Implement Phase 1 of Dual-Stream DPI architecture

- secubox-dpi-dual package with parallel MITM + Passive TAP analysis
- TAP stream: tc mirred port mirroring to dummy interface for netifyd
- Flow collector: Stats aggregation from netifyd, cleanup, JSON output
- Correlation engine: Matches MITM WAF events with TAP flow data
- Watches CrowdSec decisions and WAF alerts for threat enrichment
- CLI: dpi-dualctl with start/stop/status/flows/threats/mirror commands
- Procd service: manages flow-collector + correlator instances
- MITM double buffer: dpi_buffer.py mitmproxy addon (Phase 2 prep)
- UCI config: dual/mitm-only/tap-only mode selection

Architecture: package/secubox/DUAL-STREAM-DPI.md

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-03-15 12:15:17 +01:00

3 Commits