Add WAF-like functionality to mitmproxy for protecting services exposed to the internet. Incoming WAN traffic is redirected through mitmproxy for threat detection before reaching backend services. Features: - WAN protection mode with nftables rules for incoming traffic - Enhanced bot scanner detection with 50+ scanner signatures - Behavioral detection for config/admin/backup/shell hunting - CrowdSec integration with new scenarios for bot scanners - LuCI interface for WAN protection configuration - DPI mirror mode support (secondary feature) New CrowdSec scenarios: - secubox/mitmproxy-botscan: Detect automated reconnaissance - secubox/mitmproxy-shell-hunter: Detect shell/backdoor hunting - secubox/mitmproxy-config-hunter: Detect credential file hunting - secubox/mitmproxy-suspicious-ua: Detect suspicious user agents Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
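# CrowdSec parser for SecuBox mitmproxy threat logs
# Parses JSON threat events from mitmproxy analytics addon.
#
# Three documents: the first extracts every JSON field into evt.Parsed and
# promotes the keys scenarios ban/group on (source_ip, log_type, service)
# into evt.Meta; the two that follow are filters that tag high-severity and
# bot events. JsonExtract always yields a string ("" when the key is absent),
# so the filters below compare against string literals ('true', '').
---
onsuccess: next_stage
name: secubox/mitmproxy-threats
description: "Parse SecuBox mitmproxy threat detection logs (JSON)"
# Only lines tagged type=mitmproxy in acquis.yaml reach this parser.
filter: "evt.Line.Labels.type == 'mitmproxy'"
statics:
  # Event time for the scenarios' leaky buckets. Without evt.StrTime, CrowdSec
  # stamps the event at ingest time, so replayed or backlogged logs collapse
  # into a single burst. The dateparse enricher tries the common layouts and
  # falls back to "now" when it cannot parse the value, so an unexpected
  # format degrades to the previous behaviour rather than dropping the event.
  # NOTE(review): confirm the addon emits "timestamp" in a parseable layout
  # (RFC3339 or similar) — TODO.
  - target: evt.StrTime
    expression: JsonExtract(evt.Line.Raw, "timestamp")
  # NOTE(review): scenarios ban evt.Meta.source_ip (set below from the same
  # key), so "source_ip" must be the transport peer address mitmproxy saw,
  # never a client-supplied header such as X-Forwarded-For; otherwise a
  # request can get an arbitrary address banned — confirm against the addon.
  - parsed: source_ip
    expression: JsonExtract(evt.Line.Raw, "source_ip")
  - parsed: timestamp
    expression: JsonExtract(evt.Line.Raw, "timestamp")
  # request, host and user_agent are attacker-controlled text; they are only
  # carried into evt.Parsed for alert context, never used as ban keys.
  - parsed: request
    expression: JsonExtract(evt.Line.Raw, "request")
  - parsed: host
    expression: JsonExtract(evt.Line.Raw, "host")
  - parsed: user_agent
    expression: JsonExtract(evt.Line.Raw, "user_agent")
  # The JSON key is "type"; it is renamed to threat_type so it does not
  # collide with evt.Line.Labels.type used in the filter above.
  - parsed: threat_type
    expression: JsonExtract(evt.Line.Raw, "type")
  - parsed: pattern
    expression: JsonExtract(evt.Line.Raw, "pattern")
  - parsed: category
    expression: JsonExtract(evt.Line.Raw, "category")
  - parsed: severity
    expression: JsonExtract(evt.Line.Raw, "severity")
  - parsed: cve
    expression: JsonExtract(evt.Line.Raw, "cve")
  - parsed: response_code
    expression: JsonExtract(evt.Line.Raw, "response_code")
  # Boolean JSON values arrive as the strings "true"/"false".
  - parsed: is_bot
    expression: JsonExtract(evt.Line.Raw, "is_bot")
  - parsed: bot_type
    expression: JsonExtract(evt.Line.Raw, "bot_type")
  - parsed: bot_behavior
    expression: JsonExtract(evt.Line.Raw, "bot_behavior")
  - parsed: suspicious_ua
    expression: JsonExtract(evt.Line.Raw, "suspicious_ua")
  - parsed: country
    expression: JsonExtract(evt.Line.Raw, "country")
  - parsed: fingerprint
    expression: JsonExtract(evt.Line.Raw, "fingerprint")
  - parsed: rate_limited
    expression: JsonExtract(evt.Line.Raw, "rate_limited")
  # Meta fields are what the secubox/mitmproxy-* scenarios filter and
  # group on; keep these names stable.
  - meta: log_type
    value: mitmproxy_threat
  - meta: service
    value: mitmproxy
  - meta: source_ip
    expression: JsonExtract(evt.Line.Raw, "source_ip")
---
# Filter for critical/high severity threats only (to avoid noise)
#
# NOTE(review): this parser sets onsuccess: next_stage, and so does
# secubox/mitmproxy-threats above. If both are installed in the same stage,
# this filter never runs because the first parser already moves the event
# on; it has to live in a later stage (e.g. s02-enrich) — confirm the
# deployment paths.
onsuccess: next_stage
name: secubox/mitmproxy-high-severity
description: "Filter high severity mitmproxy threats for banning"
# Exact, case-sensitive match: the addon must emit lowercase
# "critical"/"high" for an event to be tagged here.
filter: "evt.Meta.log_type == 'mitmproxy_threat' && evt.Parsed.severity in ['critical', 'high']"
statics:
  - meta: threat_severity
    expression: evt.Parsed.severity
  - meta: threat_type
    expression: evt.Parsed.threat_type
  - meta: attack_pattern
    expression: evt.Parsed.pattern
---
# Filter for bot scanner activity
#
# NOTE(review): same stage caveat as above. If this shares a stage with
# secubox/mitmproxy-high-severity, an event that is both high severity and a
# bot only receives the metas of whichever filter runs first — confirm.
onsuccess: next_stage
name: secubox/mitmproxy-bot-filter
description: "Filter bot scanner activity for analysis"
# is_bot is the string "true" (JsonExtract result), and bot_behavior is ""
# when the addon did not set it, hence the string comparisons.
filter: "evt.Meta.log_type == 'mitmproxy_threat' && (evt.Parsed.is_bot == 'true' || evt.Parsed.bot_behavior != '')"
statics:
  - meta: is_bot_activity
    value: "true"
  - meta: bot_category
    expression: evt.Parsed.bot_type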