# SecuBox CVE Layer 7 Defense System

**Version:** 1.0.0
**Last Updated:** 2026-02-28

## Overview

The CVE Layer 7 innovation combines three defense pillars for comprehensive web application security:

1. **mitmproxy WAF** - Real-time threat pattern detection (70+ CVE patterns)
2. **CrowdSec Scenarios** - Intelligent ban decisions with adaptive thresholds
3. **CVE Triage Agent** - AI-powered vulnerability assessment and remediation

## Architecture

```
┌─────────────────────────────────────────────────────────────────┐
│ LAYER 7: Request Processing                                     │
│ ┌──────────────────────────────────────────────────────────┐   │
│ │ HAProxy (port 8080) → mitmproxy (MITM inspection)        │   │
│ │                      ↓                                    │   │
│ │                 secubox_analytics.py                     │   │
│ │          (70+ CVE patterns, sub-100ms detection)         │   │
│ └──────────────────────────────────────────────────────────┘   │
│                         ↓                                        │
│                   [Decision Tree]                               │
│        ┌────────────────┬─────────────┬──────────────┐         │
│        ↓                ↓             ↓              ↓         │
│   [Allow]        [Log Threat]    [Auto-Ban]   [Alert]         │
└─────────────────────────────────────────────────────────────────┘
                         ↓
┌─────────────────────────────────────────────────────────────────┐
│ THREAT LOG PIPELINE                                             │
│ ┌──────────────────────────────────────────────────────────┐   │
│ │ Log Files:                                               │   │
│ │ • /var/log/secubox-access.log (all requests)            │   │
│ │ • /data/threats.log (CrowdSec parser input)             │   │
│ │ • /data/autoban-requests.log (ban decisions)            │   │
│ │ • /tmp/secubox-subdomain-metrics.json (analytics)       │   │
│ └──────────────────────────────────────────────────────────┘   │
│                         ↓                                        │
│                   [CrowdSec Engine]                             │
│             8 mitmproxy-specific scenarios                      │
│        ┌─────────────────┬──────────────┬──────────┐           │
│        ↓                 ↓              ↓          ↓           │
│     [CVE]            [Scanner]      [SSRF]    [Shell]         │
│     30m ban          10-30m ban     10m ban    60m ban         │
└─────────────────────────────────────────────────────────────────┘
                         ↓
┌─────────────────────────────────────────────────────────────────┐
│ RESPONSE & REMEDIATION                                          │
│ ┌──────────────────────────────────────────────────────────┐   │
│ │ CrowdSec Firewall Bouncer:                              │   │
│ │ • IP-based blocks (iptables/nftables rules)             │   │
│ │ • Whitelist/blacklist integration                        │   │
│ └──────────────────────────────────────────────────────────┘   │
│         ↓                                                        │
│ ┌──────────────────────────────────────────────────────────┐   │
│ │ CVE Triage Agent (optional):                            │   │
│ │ • Correlates CVE patterns with NVD data                 │   │
│ │ • LocalAI impact assessment                             │   │
│ │ • Patch recommendations                                 │   │
│ └──────────────────────────────────────────────────────────┘   │
└─────────────────────────────────────────────────────────────────┘
```

## Component 1: mitmproxy WAF Analytics

### Location
- **Config:** `/etc/config/mitmproxy`
- **Analytics Addon:** `/srv/mitmproxy/addons/secubox_analytics.py`
- **WAF Rules:** `/srv/mitmproxy/waf-rules.json`

### CVE Pattern Categories

| Category | Patterns | Severity | Auto-Ban |
|----------|----------|----------|----------|
| **SQL Injection** | 18 | Critical | Yes |
| **Command Injection** | 16 | Critical | Yes |
| **XSS** | 17 | High | Threshold |
| **Path Traversal** | 14 | High | Threshold |
| **XXE** | 8 | Critical | Yes |
| **SSRF** | 14 | High | Threshold |
| **Log4Shell/JNDI** | 8 | Critical | Yes |
| **CVE 2021-2025** | 70+ | Critical | Immediate |
| **Router Botnet** | 20+ | Critical | Immediate |

### Supported CVEs (2021-2025)

**2024-2025:**
- CVE-2025-15467 (OpenSSL CMS stack overflow)
- CVE-2025-0282 (Ivanti Connect Secure)
- CVE-2024-3400 (PAN-OS GlobalProtect)
- CVE-2024-21887 (Ivanti Connect Secure)
- CVE-2024-1708/1709 (ScreenConnect)
- CVE-2024-27198 (TeamCity)
- CVE-2024-21762 (Fortinet FortiOS)

**2023:**
- CVE-2023-34362 (MOVEit SQL injection)
- CVE-2023-22515 (Confluence privilege escalation)
- CVE-2023-46747 (F5 BIG-IP)
- CVE-2023-4966 (Citrix Bleed)

**2021-2022:**
- CVE-2021-44228 (Log4Shell)
- CVE-2021-41773 (Apache path traversal)
- CVE-2022-22965 (Spring4Shell)
- CVE-2022-1388 (F5 BIG-IP)

### Auto-Ban Configuration

```uci
config autoban 'autoban'
    option enabled '1'
    option ban_duration '4h'
    option min_severity 'high'
    option sensitivity 'moderate'
    option moderate_threshold '3'
    option moderate_window '300'
    option whitelist '127.0.0.1,192.168.255.1'
```

**Sensitivity Levels:**
- **Aggressive:** Immediate ban on first critical threat
- **Moderate:** Ban after 3 threats within 5 minutes (default)
- **Permissive:** Ban after 5 threats within 1 hour

## Component 2: CrowdSec Scenarios

### Location
- **Scenarios:** `/etc/crowdsec/scenarios/`
- **Parser:** `/etc/crowdsec/parsers/s01-parse/secubox-mitmproxy.yaml`
- **Acquisition:** `/etc/crowdsec/acquis.d/secubox-mitmproxy.yaml`

### mitmproxy Threat Scenarios

| Scenario | Type | Trigger | Ban Duration |
|----------|------|---------|--------------|
| `secubox/mitmproxy-attack` | Leaky | SQLi, XSS, CMDi, LFI, XXE | 15m |
| `secubox/mitmproxy-cve` | Trigger | CVE + critical severity | 30m |
| `secubox/mitmproxy-botscan` | Leaky | Vulnerability scanners | 30m |
| `secubox/mitmproxy-shell-hunter` | Trigger | Shell/backdoor hunting | 60m |
| `secubox/mitmproxy-config-hunter` | Leaky | Config file hunting | 30m |
| `secubox/mitmproxy-scanner` | Leaky | Admin/env scanning | 10m |
| `secubox/mitmproxy-ssrf` | Leaky | SSRF attempts | 10m |
| `secubox/mitmproxy-suspicious-ua` | Leaky | Suspicious User-Agent | 15m |

### Log Format (JSON)

```json
{
  "timestamp": "2026-02-28T12:00:00Z",
  "source_ip": "1.2.3.4",
  "host": "example.com",
  "request": "GET /../../../etc/passwd HTTP/1.1",
  "threat_type": "path_traversal",
  "pattern": "../../../etc/passwd",
  "severity": "critical",
  "cve": "",
  "category": "lfi",
  "is_bot": true,
  "bot_type": "vulnerability_scanner",
  "bot_behavior": "config_hunting"
}
```

## Component 3: CVE Triage Agent

### Location
- **Config:** `/etc/config/cve-triage`
- **CLI:** `/usr/bin/cve-triage`
- **Library:** `/usr/lib/cve-triage/`

### Workflow

1. **Collector** (`collector.sh`):
   - Gathers installed packages (opkg, dpkg, apk)
   - Scans LXC containers and Docker images
   - Cross-references with NVD API

2. **Analyzer** (`analyzer.sh`):
   - CVSS-based severity scoring
   - LocalAI impact assessment (optional)
   - Attack vector analysis

3. **Recommender** (`recommender.sh`):
   - Patch recommendations
   - Mitigation strategies
   - Monitoring guidance

4. **Applier** (`applier.sh`):
   - Queue-based approval workflow
   - Auto-apply option (configurable)
   - Rollback capability

### Configuration

```uci
config cve-triage 'main'
    option enabled '1'
    option scan_interval '3600'
    option min_severity 'medium'
    option auto_apply_patches '0'
    option localai_analysis '1'
```

## Integration Points

### mitmproxy → CrowdSec

1. mitmproxy writes JSON threat logs to `/data/threats.log`
2. CrowdSec `secubox-mitmproxy` parser extracts fields
3. 8 scenarios evaluate severity and decide ban duration
4. Firewall bouncer applies IP blocks

### mitmproxy → CVE Triage

1. CVE field from detection passed to triage agent
2. Triage correlates with NVD API
3. Generates remediation recommendations
4. Updates auto-ban sensitivity if needed

### Auto-Ban Feedback Loop

1. High-severity CVE attempts trigger immediate bans
2. Repeated attempts from same IP escalate ban duration
3. Whitelist/WireGuard endpoint protection prevents false positives
4. CrowdSec community blocklist integration

## File Locations

| Component | Path | Purpose |
|-----------|------|---------|
| WAF Config | `/etc/config/mitmproxy` | Auto-ban settings |
| WAF Rules | `/srv/mitmproxy/waf-rules.json` | Pattern definitions |
| Analytics | `/srv/mitmproxy/addons/secubox_analytics.py` | Detection engine |
| Threats Log | `/data/threats.log` | CrowdSec input |
| Access Log | `/var/log/secubox-access.log` | All requests |
| Auto-ban Log | `/data/autoban-requests.log` | Ban decisions |
| Scenarios | `/etc/crowdsec/scenarios/` | CrowdSec rules |
| CVE Triage | `/usr/lib/cve-triage/` | Agent library |

## Metrics & Monitoring

### Subdomain Metrics

Real-time JSON export: `/tmp/secubox-subdomain-metrics.json`

- Request counts per domain
- Threat type distribution
- Top 20 URIs per subdomain
- Country-based statistics

### Rate Limiting

```python
RATE_LIMITS = {
    'path_scan': {'window': 60, 'max': 20},
    'auth_attempt': {'window': 60, 'max': 10},
    'bot_request': {'window': 60, 'max': 30},
    'normal': {'window': 60, 'max': 100},
}
```

## Commands

### View active threats
```bash
# Recent threats
tail -f /data/threats.log | jq

# Auto-ban log
cat /data/autoban-requests.log

# CrowdSec decisions
cscli decisions list
```

### Manual ban/unban
```bash
# Ban IP for 4 hours
cscli decisions add --ip 1.2.3.4 --duration 4h --reason "Manual ban"

# Remove ban
cscli decisions delete --ip 1.2.3.4
```

### Check status
```bash
# mitmproxy WAF status
mitmproxyctl status

# CrowdSec status
cscli metrics

# CVE Triage status
cve-triage status
```

## See Also

- [mitmproxy UCI Configuration](../package/secubox/secubox-app-mitmproxy/README.md)
- [CrowdSec Custom Scenarios](../package/secubox/secubox-app-crowdsec-custom/README.md)
- [CVE Triage Agent](../package/secubox/secubox-cve-triage/README.md)