History

CyberMind-FR e58f479cd4 feat(waf): Update WAF scenarios with 2024-2025 CVEs and OWASP threats Add detection patterns for latest actively exploited vulnerabilities: - CVE-2025-55182 (React2Shell, CVSS 10.0) - CVE-2025-8110 (Gogs RCE), CVE-2025-53770 (SharePoint) - CVE-2025-52691 (SmarterMail), CVE-2025-40551 (SolarWinds) - CVE-2024-47575 (FortiManager), CVE-2024-21887 (Ivanti) - CVE-2024-3400, CVE-2024-0012, CVE-2024-9474 (PAN-OS) New attack categories based on OWASP Top 10 2025: - HTTP Request Smuggling (TE.CL/CL.TE conflicts) - AI/LLM Prompt Injection (ChatML, instruction markers) - WAF Bypass techniques (Unicode normalization, double encoding) - Supply Chain attacks (CI/CD poisoning, dependency confusion) - Extended SSTI (Jinja2, Freemarker, Velocity, Thymeleaf) - API Abuse (BOLA/IDOR, mass assignment) CrowdSec scenarios split into 11 separate files for reliability. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>		2026-02-12 05:02:57 +01:00
..
htdocs/luci-static/resources	feat(waf): Update WAF scenarios with 2024-2025 CVEs and OWASP threats	2026-02-12 05:02:57 +01:00
root	feat(security-threats): Add visit stats with country and URL metrics	2026-02-10 10:40:30 +01:00
Makefile	fix(tor-shield,security-threats): Preset persistence and firewall stats	2026-01-30 19:46:26 +01:00
README.md	ok	2026-01-08 09:08:46 +01:00

README.md

SecuBox Security Threats Dashboard

Overview

A unified LuCI dashboard that integrates netifyd DPI security risks with CrowdSec threat intelligence for comprehensive network threat monitoring and automated blocking.

Features

Real-time Threat Detection: Monitors netifyd's 52 security risk types
CrowdSec Integration: Correlates with CrowdSec alerts and decisions
Risk Scoring: Calculates 0-100 risk scores based on multiple factors
Auto-blocking: Configurable rules for automatic threat blocking
Per-host Analysis: Track threats by IP address
Visual Dashboard: Stats, charts, and real-time threat table

Architecture

netifyd DPI Engine → RPCD Backend → ubus API → LuCI Dashboard
                          ↓
                    CrowdSec LAPI
                          ↓
                  nftables (blocking)

Dependencies

luci-base: LuCI framework
rpcd: Remote Procedure Call daemon
netifyd: Deep Packet Inspection engine
crowdsec: Threat intelligence and blocking
jq: JSON processing
jsonfilter: UCI-compatible JSON filtering

Installation

Build the package:

cd /path/to/openwrt
make package/secubox/luci-app-secubox-security-threats/compile

Install on router:

opkg install luci-app-secubox-security-threats_*.ipk

Restart services:

/etc/init.d/rpcd restart
/etc/init.d/uhttpd restart

Usage

Access Dashboard

Navigate to: Admin → SecuBox → Security → Threat Monitor → Dashboard

Configure Auto-block Rules

Edit /etc/config/secubox_security_threats:

config block_rule 'my_rule'
    option name 'Block Malware'
    option enabled '1'
    option threat_types 'malware'
    option duration '24h'
    option threshold '60'

Apply changes:

uci commit secubox_security_threats

Manual Blocking

Via dashboard:

Click "Block" button next to threat
Confirm action
IP will be blocked via CrowdSec

Via CLI:

ubus call luci.secubox-security-threats block_threat '{"ip":"192.168.1.100","duration":"4h","reason":"Test"}'

Whitelist Host

ubus call luci.secubox-security-threats whitelist_host '{"ip":"192.168.1.100","reason":"Admin workstation"}'

Risk Scoring Algorithm

Base Score (0-50): risk_count × 10 (capped)

Severity Weights:

Malware indicators (MALICIOUS_JA3, DGA): +20
Web attacks (SQL injection, XSS): +15
Network anomalies (RISKY_ASN, DNS tunneling): +10
Protocol threats (BitTorrent, Mining): +5

CrowdSec Correlation:

Active decision: +30

Severity Levels:

Critical: ≥80
High: 60-79
Medium: 40-59
Low: <40

Threat Categories

malware: Malicious JA3, DGA domains, suspicious entropy
web_attack: SQL injection, XSS, RCE attempts
anomaly: DNS tunneling, risky ASNs, unidirectional traffic
protocol: BitTorrent, mining, Tor, unauthorized protocols
tls_issue: Certificate problems, weak ciphers

Testing

Backend (ubus CLI)

# Test status
ubus call luci.secubox-security-threats status

# Get active threats
ubus call luci.secubox-security-threats get_active_threats

# Test blocking
ubus call luci.secubox-security-threats block_threat '{"ip":"192.168.1.100","duration":"4h","reason":"Test"}'

# Verify in CrowdSec
cscli decisions list

Frontend

Navigate to dashboard in LuCI
Verify stats cards display
Verify threats table populates
Test "Block" button
Check real-time polling (10s refresh)

Troubleshooting

No threats detected

Check if netifyd is running: ps | grep netifyd
Verify netifyd data: cat /var/run/netifyd/status.json
Enable netifyd risk detection in config

Auto-blocking not working

Check if auto-blocking is enabled: uci get secubox_security_threats.global.auto_block_enabled
Verify block rules are enabled: uci show secubox_security_threats
Check logs: logread | grep security-threats

CrowdSec integration issues

Check if CrowdSec is running: ps | grep crowdsec
Test cscli: cscli version
Verify permissions: ls -l /usr/bin/cscli

Files

Backend:

/usr/libexec/rpcd/luci.secubox-security-threats - RPCD backend (mode 755)
/etc/config/secubox_security_threats - UCI configuration

Frontend:

/www/luci-static/resources/secubox-security-threats/api.js - API wrapper
/www/luci-static/resources/view/secubox-security-threats/dashboard.js - Dashboard view

Configuration:

/usr/share/luci/menu.d/luci-app-secubox-security-threats.json - Menu
/usr/share/rpcd/acl.d/luci-app-secubox-security-threats.json - Permissions

Runtime:

/tmp/secubox-threats-history.json - Threat history (volatile)

License

Apache-2.0

Authors

CyberMind.fr - Gandalf

Version

1.0.0 (2026-01-07)

README.md Unescape Escape