gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
55ce42cd6b
secubox-openwrt/package/secubox/secubox-threat-analyst
History
CyberMind-FR 0e0749ed08 feat: Add threat-analyst, dns-guard, mcp-server and DNS provider DynDNS 
New packages:
- secubox-threat-analyst: AI-powered threat analysis with CrowdSec integration
- luci-app-threat-analyst: LuCI dashboard for threat intelligence
- secubox-dns-guard: DNS security monitoring and blocking
- secubox-mcp-server: Model Context Protocol server for AI assistant integration

Enhancements:
- dns-provider: Add DynDNS support (dyndns, get, update, domains commands)
- gandi.sh: Full DynDNS with WAN IP detection and record updates
- luci-app-dnsguard: Upgrade to v1.1.0 with improved dashboard

Infrastructure:
- BIND9 DNS setup for secubox.in with CAA records
- Wildcard SSL certificates via DNS-01 challenge
- HAProxy config fixes for secubox.in subdomains
- Mail server setup with Roundcube webmail

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 08:30:28 +01:00
..
files feat: Add threat-analyst, dns-guard, mcp-server and DNS provider DynDNS 2026-02-05 08:30:28 +01:00
Makefile feat: Add threat-analyst, dns-guard, mcp-server and DNS provider DynDNS 2026-02-05 08:30:28 +01:00
README.md feat: Add threat-analyst, dns-guard, mcp-server and DNS provider DynDNS 2026-02-05 08:30:28 +01:00

README.md

SecuBox Threat Analyst

AI-powered autonomous threat analysis and filter generation agent for SecuBox.

Version: 1.0.0 Author: CyberMind devel@CyberMind.fr

Overview

Threat Analyst monitors security events from CrowdSec, mitmproxy, and netifyd DPI, uses LocalAI for intelligent analysis, and automatically generates filter rules for:

  • mitmproxy: Python filter patterns for HTTP/HTTPS inspection
  • CrowdSec: Custom scenarios and parsers
  • WAF: JSON rule sets for web application firewall

Features

  • Real-time threat correlation across multiple sources
  • AI-powered attack pattern recognition (via LocalAI)
  • Automatic rule generation for mitmproxy/CrowdSec/WAF
  • Approval workflow for generated rules (queue or auto-apply)
  • LuCI dashboard with AI chat interface
  • Periodic analysis daemon

Installation

opkg install secubox-threat-analyst
opkg install luci-app-threat-analyst

# Enable and start daemon
uci set threat-analyst.main.enabled=1
uci commit threat-analyst
/etc/init.d/threat-analyst enable
/etc/init.d/threat-analyst start

CLI Commands

threat-analyst status          # Show agent status
threat-analyst run             # Run single analysis cycle
threat-analyst daemon          # Run as background daemon
threat-analyst analyze         # Analyze threats (no rule generation)
threat-analyst generate        # Generate all rules
threat-analyst gen-mitmproxy   # Generate mitmproxy filters only
threat-analyst gen-crowdsec    # Generate CrowdSec scenario only
threat-analyst gen-waf         # Generate WAF rules only
threat-analyst list-pending    # List pending rules
threat-analyst approve <id>    # Approve pending rule
threat-analyst reject <id>     # Reject pending rule

Configuration

UCI config: /etc/config/threat-analyst

config threat-analyst 'main'
    option enabled '1'
    option interval '300'           # Analysis interval (seconds)
    option localai_url 'http://127.0.0.1:8081'
    option localai_model 'tinyllama-1.1b-chat-v1.0.Q4_K_M'

    # Auto-apply settings
    option auto_apply_mitmproxy '1' # Auto-apply mitmproxy filters
    option auto_apply_crowdsec '0'  # Queue CrowdSec for approval
    option auto_apply_waf '0'       # Queue WAF for approval

    option min_confidence '70'      # Min AI confidence for rules
    option max_rules_per_cycle '5'  # Max rules per cycle

LuCI Dashboard

Navigate to: SecuBox → Security → Threat Analyst

Features:

  • Status panel: Daemon status, LocalAI status, threat counts
  • AI Chat: Interactive chat with threat analyst AI
  • Pending rules: Approve/reject generated rules
  • Threats table: Recent security events

Data Sources

Source Type Path
CrowdSec Alerts cscli alerts list
mitmproxy Threats /srv/mitmproxy/threats.log
netifyd DPI /var/run/netifyd/status.json

Generated Rules

mitmproxy Filters

Output: /etc/mitmproxy/ai_filters.py

Python class with IP blocklist, URL patterns, User-Agent detection.

CrowdSec Scenarios

Output: /etc/crowdsec/scenarios/ai-generated.yaml

YAML scenarios for AI-detected attack patterns.

WAF Rules

Output: /etc/mitmproxy/waf_ai_rules.json

JSON rule sets for SQL injection, XSS, path traversal, scanner detection.

Dependencies

  • secubox-mcp-server — MCP protocol for AI integration
  • jsonfilter — JSON parsing
  • secubox-app-localai — LocalAI inference (recommended)
  • crowdsec — CrowdSec integration (optional)
  • mitmproxy — WAF integration (optional)

Architecture

┌─────────────┐  ┌─────────────┐  ┌─────────────┐
│  CrowdSec   │  │  mitmproxy  │  │   netifyd   │
└──────┬──────┘  └──────┬──────┘  └──────┬──────┘
       │                │                │
       └────────────────┼────────────────┘
                        │
                ┌───────▼───────┐
                │   Collector   │
                └───────┬───────┘
                        │
                ┌───────▼───────┐
                │    LocalAI    │
                │   Analysis    │
                └───────┬───────┘
                        │
       ┌────────────────┼────────────────┐
       │                │                │
┌──────▼──────┐  ┌──────▼──────┐  ┌──────▼──────┐
│  mitmproxy  │  │  CrowdSec   │  │    WAF      │
│   filters   │  │  scenarios  │  │   rules     │
└─────────────┘  └─────────────┘  └─────────────┘

License

MIT

Part Of

SecuBox AI Gateway (Couche 2) — v0.18