gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
0809bc69c2
secubox-openwrt/DOCS/CVE-LAYER7.md
CyberMind-FR b542ac7d3c feat: WAF auto-ban, cache busting, deployment docs, CVE Layer 7 docs 
Changes:
- Enable WAF auto-ban by default (sensitivity: moderate, min_severity: high)
- Add whitelist for common safe IPs (localhost, router)
- Add browser cache busting via version parameter in CSS loads
- Document deployment scripts in secubox-tools/README.md
- Create CVE Layer 7 architecture documentation

WAF auto-ban now active with:
- 3 threats within 5 minutes triggers ban
- 4-hour ban duration
- Critical CVEs (Log4Shell, SQLi, CMDi) ban immediately

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-28 18:06:12 +01:00

306 lines
12 KiB
Markdown
Raw Blame History

# SecuBox CVE Layer 7 Defense System
**Version:** 1.0.0
**Last Updated:** 2026-02-28
## Overview
The CVE Layer 7 innovation combines three defense pillars for comprehensive web application security:
1. **mitmproxy WAF** - Real-time threat pattern detection (70+ CVE patterns)
2. **CrowdSec Scenarios** - Intelligent ban decisions with adaptive thresholds
3. **CVE Triage Agent** - AI-powered vulnerability assessment and remediation
## Architecture
```
┌─────────────────────────────────────────────────────────────────┐
│ LAYER 7: Request Processing │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ HAProxy (port 8080) → mitmproxy (MITM inspection) │ │
│ │ ↓ │ │
│ │ secubox_analytics.py │ │
│ │ (70+ CVE patterns, sub-100ms detection) │ │
│ └──────────────────────────────────────────────────────────┘ │
│ ↓ │
│ [Decision Tree] │
│ ┌────────────────┬─────────────┬──────────────┐ │
│ ↓ ↓ ↓ ↓ │
│ [Allow] [Log Threat] [Auto-Ban] [Alert] │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ THREAT LOG PIPELINE │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Log Files: │ │
│ │ • /var/log/secubox-access.log (all requests) │ │
│ │ • /data/threats.log (CrowdSec parser input) │ │
│ │ • /data/autoban-requests.log (ban decisions) │ │
│ │ • /tmp/secubox-subdomain-metrics.json (analytics) │ │
│ └──────────────────────────────────────────────────────────┘ │
│ ↓ │
│ [CrowdSec Engine] │
│ 8 mitmproxy-specific scenarios │
│ ┌─────────────────┬──────────────┬──────────┐ │
│ ↓ ↓ ↓ ↓ │
│ [CVE] [Scanner] [SSRF] [Shell] │
│ 30m ban 10-30m ban 10m ban 60m ban │
└─────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ RESPONSE & REMEDIATION │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ CrowdSec Firewall Bouncer: │ │
│ │ • IP-based blocks (iptables/nftables rules) │ │
│ │ • Whitelist/blacklist integration │ │
│ └──────────────────────────────────────────────────────────┘ │
│ ↓ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ CVE Triage Agent (optional): │ │
│ │ • Correlates CVE patterns with NVD data │ │
│ │ • LocalAI impact assessment │ │
│ │ • Patch recommendations │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
```
## Component 1: mitmproxy WAF Analytics
### Location
- **Config:** `/etc/config/mitmproxy`
- **Analytics Addon:** `/srv/mitmproxy/addons/secubox_analytics.py`
- **WAF Rules:** `/srv/mitmproxy/waf-rules.json`
### CVE Pattern Categories
| Category | Patterns | Severity | Auto-Ban |
|----------|----------|----------|----------|
| **SQL Injection** | 18 | Critical | Yes |
| **Command Injection** | 16 | Critical | Yes |
| **XSS** | 17 | High | Threshold |
| **Path Traversal** | 14 | High | Threshold |
| **XXE** | 8 | Critical | Yes |
| **SSRF** | 14 | High | Threshold |
| **Log4Shell/JNDI** | 8 | Critical | Yes |
| **CVE 2021-2025** | 70+ | Critical | Immediate |
| **Router Botnet** | 20+ | Critical | Immediate |
### Supported CVEs (2021-2025)
**2024-2025:**
- CVE-2025-15467 (OpenSSL CMS stack overflow)
- CVE-2025-0282 (Ivanti Connect Secure)
- CVE-2024-3400 (PAN-OS GlobalProtect)
- CVE-2024-21887 (Ivanti Connect Secure)
- CVE-2024-1708/1709 (ScreenConnect)
- CVE-2024-27198 (TeamCity)
- CVE-2024-21762 (Fortinet FortiOS)
**2023:**
- CVE-2023-34362 (MOVEit SQL injection)
- CVE-2023-22515 (Confluence privilege escalation)
- CVE-2023-46747 (F5 BIG-IP)
- CVE-2023-4966 (Citrix Bleed)
**2021-2022:**
- CVE-2021-44228 (Log4Shell)
- CVE-2021-41773 (Apache path traversal)
- CVE-2022-22965 (Spring4Shell)
- CVE-2022-1388 (F5 BIG-IP)
### Auto-Ban Configuration
```uci
config autoban 'autoban'
option enabled '1'
option ban_duration '4h'
option min_severity 'high'
option sensitivity 'moderate'
option moderate_threshold '3'
option moderate_window '300'
option whitelist '127.0.0.1,192.168.255.1'
```
**Sensitivity Levels:**
- **Aggressive:** Immediate ban on first critical threat
- **Moderate:** Ban after 3 threats within 5 minutes (default)
- **Permissive:** Ban after 5 threats within 1 hour
## Component 2: CrowdSec Scenarios
### Location
- **Scenarios:** `/etc/crowdsec/scenarios/`
- **Parser:** `/etc/crowdsec/parsers/s01-parse/secubox-mitmproxy.yaml`
- **Acquisition:** `/etc/crowdsec/acquis.d/secubox-mitmproxy.yaml`
### mitmproxy Threat Scenarios
| Scenario | Type | Trigger | Ban Duration |
|----------|------|---------|--------------|
| `secubox/mitmproxy-attack` | Leaky | SQLi, XSS, CMDi, LFI, XXE | 15m |
| `secubox/mitmproxy-cve` | Trigger | CVE + critical severity | 30m |
| `secubox/mitmproxy-botscan` | Leaky | Vulnerability scanners | 30m |
| `secubox/mitmproxy-shell-hunter` | Trigger | Shell/backdoor hunting | 60m |
| `secubox/mitmproxy-config-hunter` | Leaky | Config file hunting | 30m |
| `secubox/mitmproxy-scanner` | Leaky | Admin/env scanning | 10m |
| `secubox/mitmproxy-ssrf` | Leaky | SSRF attempts | 10m |
| `secubox/mitmproxy-suspicious-ua` | Leaky | Suspicious User-Agent | 15m |
### Log Format (JSON)
```json
{
"timestamp": "2026-02-28T12:00:00Z",
"source_ip": "1.2.3.4",
"host": "example.com",
"request": "GET /../../../etc/passwd HTTP/1.1",
"threat_type": "path_traversal",
"pattern": "../../../etc/passwd",
"severity": "critical",
"cve": "",
"category": "lfi",
"is_bot": true,
"bot_type": "vulnerability_scanner",
"bot_behavior": "config_hunting"
}
```
## Component 3: CVE Triage Agent
### Location
- **Config:** `/etc/config/cve-triage`
- **CLI:** `/usr/bin/cve-triage`
- **Library:** `/usr/lib/cve-triage/`
### Workflow
1. **Collector** (`collector.sh`):
- Gathers installed packages (opkg, dpkg, apk)
- Scans LXC containers and Docker images
- Cross-references with NVD API
2. **Analyzer** (`analyzer.sh`):
- CVSS-based severity scoring
- LocalAI impact assessment (optional)
- Attack vector analysis
3. **Recommender** (`recommender.sh`):
- Patch recommendations
- Mitigation strategies
- Monitoring guidance
4. **Applier** (`applier.sh`):
- Queue-based approval workflow
- Auto-apply option (configurable)
- Rollback capability
### Configuration
```uci
config cve-triage 'main'
option enabled '1'
option scan_interval '3600'
option min_severity 'medium'
option auto_apply_patches '0'
option localai_analysis '1'
```
## Integration Points
### mitmproxy → CrowdSec
1. mitmproxy writes JSON threat logs to `/data/threats.log`
2. CrowdSec `secubox-mitmproxy` parser extracts fields
3. 8 scenarios evaluate severity and decide ban duration
4. Firewall bouncer applies IP blocks
### mitmproxy → CVE Triage
1. CVE field from detection passed to triage agent
2. Triage correlates with NVD API
3. Generates remediation recommendations
4. Updates auto-ban sensitivity if needed
### Auto-Ban Feedback Loop
1. High-severity CVE attempts trigger immediate bans
2. Repeated attempts from same IP escalate ban duration
3. Whitelist/WireGuard endpoint protection prevents false positives
4. CrowdSec community blocklist integration
## File Locations
| Component | Path | Purpose |
|-----------|------|---------|
| WAF Config | `/etc/config/mitmproxy` | Auto-ban settings |
| WAF Rules | `/srv/mitmproxy/waf-rules.json` | Pattern definitions |
| Analytics | `/srv/mitmproxy/addons/secubox_analytics.py` | Detection engine |
| Threats Log | `/data/threats.log` | CrowdSec input |
| Access Log | `/var/log/secubox-access.log` | All requests |
| Auto-ban Log | `/data/autoban-requests.log` | Ban decisions |
| Scenarios | `/etc/crowdsec/scenarios/` | CrowdSec rules |
| CVE Triage | `/usr/lib/cve-triage/` | Agent library |
## Metrics & Monitoring
### Subdomain Metrics
Real-time JSON export: `/tmp/secubox-subdomain-metrics.json`
- Request counts per domain
- Threat type distribution
- Top 20 URIs per subdomain
- Country-based statistics
### Rate Limiting
```python
RATE_LIMITS = {
'path_scan': {'window': 60, 'max': 20},
'auth_attempt': {'window': 60, 'max': 10},
'bot_request': {'window': 60, 'max': 30},
'normal': {'window': 60, 'max': 100},
}
```
## Commands
### View active threats
```bash
# Recent threats
tail -f /data/threats.log | jq
# Auto-ban log
cat /data/autoban-requests.log
# CrowdSec decisions
cscli decisions list
```
### Manual ban/unban
```bash
# Ban IP for 4 hours
cscli decisions add --ip 1.2.3.4 --duration 4h --reason "Manual ban"
# Remove ban
cscli decisions delete --ip 1.2.3.4
```
### Check status
```bash
# mitmproxy WAF status
mitmproxyctl status
# CrowdSec status
cscli metrics
# CVE Triage status
cve-triage status
```
## See Also
- [mitmproxy UCI Configuration](../package/secubox/secubox-app-mitmproxy/README.md)
- [CrowdSec Custom Scenarios](../package/secubox/secubox-app-crowdsec-custom/README.md)
- [CVE Triage Agent](../package/secubox/secubox-cve-triage/README.md)
Reference in New Issue View Git Blame Copy Permalink