secubox-openwrt/package/secubox/secubox-app-crowdsec-custom/files/scenarios/secubox-mitmproxy-threats.yaml
CyberMind-FR f4b9c910c5 feat(mitmproxy): Add WAN protection mode for incoming traffic inspection
Add WAF-like functionality to mitmproxy for protecting services exposed
to the internet. Incoming WAN traffic is redirected through mitmproxy
for threat detection before reaching backend services.

Features:
- WAN protection mode with nftables rules for incoming traffic
- Enhanced bot scanner detection with 50+ scanner signatures
- Behavioral detection for config/admin/backup/shell hunting
- CrowdSec integration with new scenarios for bot scanners
- LuCI interface for WAN protection configuration
- DPI mirror mode support (secondary feature)

New CrowdSec scenarios:
- secubox/mitmproxy-botscan: Detect automated reconnaissance
- secubox/mitmproxy-shell-hunter: Detect shell/backdoor hunting
- secubox/mitmproxy-config-hunter: Detect credential file hunting
- secubox/mitmproxy-suspicious-ua: Detect suspicious user agents

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 10:07:40 +01:00

# CrowdSec scenario for SecuBox mitmproxy threat detection
# Triggers bans for detected attacks (SQLi, XSS, command injection, etc.)
# Leaky scenarios keep one bucket per groupby key (here the source IP) that holds
# up to `capacity` events and leaks one every `leakspeed`; an event arriving into
# a full bucket overflows it (an alert). `blackhole` silences the bucket for that
# long after an overflow. Trigger scenarios overflow on the first matching event.
type: leaky
name: secubox/mitmproxy-attack
description: "Detect web attacks via mitmproxy (SQLi, XSS, command injection, SSRF)"
filter: |
  evt.Meta.log_type == 'mitmproxy_threat' &&
  evt.Parsed.severity in ['critical', 'high'] &&
  evt.Parsed.pattern in ['sql_injection', 'xss', 'command_injection', 'path_traversal', 'xxe', 'ldap_injection', 'log4shell']
groupby: evt.Meta.source_ip
capacity: 3
leakspeed: 60s
blackhole: 15m
labels:
  service: mitmproxy
  type: web_attack
  remediation: true
---
# Detect aggressive scanning/probing
type: leaky
name: secubox/mitmproxy-scanner
description: "Detect aggressive web scanning via mitmproxy"
filter: |
  evt.Meta.log_type == 'mitmproxy_threat' &&
  evt.Parsed.pattern in ['admin_scanner', 'config_scan', 'backup_scan', 'env_scan']
groupby: evt.Meta.source_ip
capacity: 10
leakspeed: 30s
blackhole: 10m
labels:
  service: mitmproxy
  type: web_scan
  remediation: true
---
# Detect SSRF attempts (more lenient - internal IPs might be legitimate)
type: leaky
name: secubox/mitmproxy-ssrf
description: "Detect SSRF attempts via mitmproxy"
filter: |
  evt.Meta.log_type == 'mitmproxy_threat' &&
  evt.Parsed.pattern == 'ssrf' &&
  evt.Parsed.country != 'LOCAL'
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: 60s
blackhole: 10m
labels:
  service: mitmproxy
  type: ssrf
  remediation: true
---
# Detect known CVE exploitation attempts (immediate ban)
type: trigger
name: secubox/mitmproxy-cve
description: "Detect CVE exploitation attempts via mitmproxy"
filter: |
  evt.Meta.log_type == 'mitmproxy_threat' &&
  evt.Parsed.cve != '' &&
  evt.Parsed.severity == 'critical'
blackhole: 30m
labels:
  service: mitmproxy
  type: cve_exploit
  remediation: true
---
# Detect automated bot/scanner reconnaissance
type: leaky
name: secubox/mitmproxy-botscan
description: "Detect automated bot/scanner reconnaissance via mitmproxy"
filter: |
  evt.Meta.log_type == 'mitmproxy_threat' &&
  (evt.Parsed.is_bot == 'true' ||
   evt.Parsed.bot_type in ['vulnerability_scanner', 'directory_scanner', 'port_scanner', 'cms_scanner'] ||
   evt.Parsed.bot_behavior in ['config_hunting', 'admin_hunting', 'backup_hunting', 'shell_hunting', 'api_discovery'])
groupby: evt.Meta.source_ip
capacity: 5
leakspeed: 30s
blackhole: 30m
labels:
  service: mitmproxy
  type: bot_scanner
  remediation: true
---
# Detect shell/backdoor hunting (critical - immediate action)
type: trigger
name: secubox/mitmproxy-shell-hunter
description: "Detect shell/backdoor hunting attempts via mitmproxy"
filter: |
  evt.Meta.log_type == 'mitmproxy_threat' &&
  evt.Parsed.bot_behavior == 'shell_hunting'
blackhole: 60m
labels:
  service: mitmproxy
  type: shell_hunter
  remediation: true
---
# Detect credential/config file hunting
type: leaky
name: secubox/mitmproxy-config-hunter
description: "Detect credential/config file hunting via mitmproxy"
filter: |
  evt.Meta.log_type == 'mitmproxy_threat' &&
  evt.Parsed.bot_behavior == 'config_hunting'
groupby: evt.Meta.source_ip
capacity: 3
leakspeed: 60s
blackhole: 30m
labels:
  service: mitmproxy
  type: config_hunter
  remediation: true
---
# Detect suspicious user agents (empty, minimal, or clearly fake)
type: leaky
name: secubox/mitmproxy-suspicious-ua
description: "Detect requests with suspicious user agents via mitmproxy"
filter: |
  evt.Meta.log_type == 'mitmproxy_threat' &&
  evt.Parsed.suspicious_ua == 'true' &&
  evt.Parsed.is_bot != 'true'
groupby: evt.Meta.source_ip
capacity: 15
leakspeed: 60s
blackhole: 15m
labels:
  service: mitmproxy
  type: suspicious_ua
  remediation: true
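To check what these thresholds do before deploying them, the scenarios can be replayed offline against sample events. The Python below is an added example, not code from the SecuBox project or from CrowdSec: it transcribes three of the filters above (`mitmproxy-attack`, `mitmproxy-ssrf`, `mitmproxy-cve`) as predicates and approximates CrowdSec's bucket semantics (a bucket per `groupby` key holding up to `capacity` events and draining one per `leakspeed`; an arrival into a full bucket overflows it; `trigger` overflows on the first match; `blackhole` silences the bucket afterwards, and is not the ban duration, which CrowdSec profiles set). The `evt.Meta.*` and `evt.Parsed.*` fields are flattened into one dict per event, the event values are constructed, and the CVE id is a placeholder.

```python
"""Offline replay of the SecuBox mitmproxy CrowdSec scenarios (added example,
not SecuBox/CrowdSec code; approximates CrowdSec leaky/trigger bucket semantics)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ATTACK_PATTERNS = ("sql_injection", "xss", "command_injection", "path_traversal",
                   "xxe", "ldap_injection", "log4shell")


def is_threat(e: dict) -> bool:
    return e.get("log_type") == "mitmproxy_threat"


@dataclass
class Scenario:
    name: str
    kind: str                      # "leaky" or "trigger"
    match: Callable[[dict], bool]  # the scenario's `filter` as a predicate
    capacity: int = 0
    leakspeed: float = 0.0         # seconds per leaked event
    blackhole: float = 0.0         # seconds the bucket stays silent after overflow


# Three scenarios from the file above, transcribed by hand.
SCENARIOS = [
    Scenario("secubox/mitmproxy-attack", "leaky",
             lambda e: is_threat(e) and e.get("severity") in ("critical", "high")
             and e.get("pattern") in ATTACK_PATTERNS,
             capacity=3, leakspeed=60, blackhole=15 * 60),
    Scenario("secubox/mitmproxy-ssrf", "leaky",
             lambda e: is_threat(e) and e.get("pattern") == "ssrf"
             and e.get("country") != "LOCAL",
             capacity=5, leakspeed=60, blackhole=10 * 60),
    Scenario("secubox/mitmproxy-cve", "trigger",
             lambda e: is_threat(e) and e.get("cve", "") != ""
             and e.get("severity") == "critical",
             blackhole=30 * 60),
]


@dataclass
class Bucket:
    level: float = 0.0          # events held (fractional after leaking)
    last_ts: float = 0.0        # time of the last leak computation
    silent_until: float = -1.0  # blackhole end


class Engine:
    def __init__(self, scenarios: List[Scenario]):
        self.scenarios = scenarios
        self.buckets: Dict[Tuple[str, str], Bucket] = {}   # (scenario, ip) -> bucket
        self.alerts: List[Tuple[float, str, str]] = []      # (ts, scenario, ip)

    def feed(self, e: dict) -> None:
        ts, ip = e["ts"], e["source_ip"]
        for sc in self.scenarios:
            if not sc.match(e):
                continue
            b = self.buckets.setdefault((sc.name, ip), Bucket())
            if ts < b.silent_until:       # blackhole: no new overflow yet
                continue
            if sc.kind == "leaky":
                # drain what leaked since the last event, then try to add this one
                b.level = max(0.0, b.level - (ts - b.last_ts) / sc.leakspeed)
                b.last_ts = ts
                if b.level + 1 <= sc.capacity:
                    b.level += 1
                    continue              # bucket not full: no alert
            # trigger, or a leaky bucket that cannot hold one more event
            self.alerts.append((ts, sc.name, ip))
            b.level = 0.0
            b.silent_until = ts + sc.blackhole


def constructed_events() -> List[dict]:
    """Constructed sample events, not real mitmproxy output."""
    base = dict(log_type="mitmproxy_threat", cve="")
    evs = []
    # 203.0.113.10: four SQLi hits within 10 s -> the 4th overflows mitmproxy-attack
    for i in range(4):
        evs.append(dict(base, ts=100 + 3 * i, source_ip="203.0.113.10",
                        severity="high", pattern="sql_injection", country="US"))
    # 203.0.113.20: three XSS hits 70 s apart -> the bucket leaks faster than it fills
    for i in range(3):
        evs.append(dict(base, ts=200 + 70 * i, source_ip="203.0.113.20",
                        severity="high", pattern="xss", country="DE"))
    # 203.0.113.30: one critical hit tagged with a CVE -> trigger fires at once
    evs.append(dict(base, ts=250, source_ip="203.0.113.30", severity="critical",
                    pattern="log4shell", cve="CVE-0000-PLACEHOLDER", country="FR"))
    # 10.0.0.5: SSRF pattern from a LOCAL source -> excluded by country != 'LOCAL'
    evs.append(dict(base, ts=260, source_ip="10.0.0.5", severity="high",
                    pattern="ssrf", country="LOCAL"))
    # wrong log_type -> no scenario matches, whatever the pattern says
    evs.append(dict(base, ts=265, source_ip="203.0.113.40", log_type="mitmproxy_access",
                    severity="high", pattern="sql_injection", country="US"))
    return sorted(evs, key=lambda e: e["ts"])


def run_demo() -> Engine:
    engine = Engine(SCENARIOS)
    for e in constructed_events():
        engine.feed(e)
    return engine


if __name__ == "__main__":
    for ts, name, ip in run_demo().alerts:
        print(f"t={ts:>4}  {name:<26} overflow for {ip}")
```

Running it shows `mitmproxy-attack` overflowing on the fourth SQLi event (capacity 3 means the bucket holds three and the next one spills), the slow XSS source never overflowing because it leaks one event per 60 s, and the trigger scenario firing on its first critical CVE-tagged event. The same harness is a cheap way to sanity-check a capacity/leakspeed change before pushing it to the router.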