- Change analytics addon to write threats to /data/threats.log (bind-mounted to host)
- Add CrowdSec acquisition config to read from /srv/mitmproxy/threats.log
- Add parser for mitmproxy JSON threat logs with source_ip in Meta
- Add scenarios for web attacks, scanners, SSRF, and CVE exploits
- Update RPCD to read alerts from host-visible path without lxc-attach

This enables automatic IP banning when mitmproxy detects:

- SQL injection, XSS, command injection (capacity: 3, ban: 15m)
- Path traversal, XXE, LDAP injection, Log4Shell
- Aggressive web scanning (capacity: 10, ban: 10m)
- SSRF attempts from external IPs (capacity: 5, ban: 10m)
- Known CVE exploits (immediate trigger, ban: 30m)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
11 lines
342 B
YAML
# CrowdSec acquisition for mitmproxy threat logs
# Monitors threats detected by the SecuBox mitmproxy analytics addon.
# The analytics addon runs inside an LXC container and writes to /data/threats.log,
# which is bind-mounted to /srv/mitmproxy/threats.log on the host.

source: file
filenames:
  - /srv/mitmproxy/threats.log
labels:
  type: mitmproxy
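The acquisition file above only tells CrowdSec where to read; the banning behaviour described in the commit message comes from the parser (which lifts source_ip into Meta) and the leaky-bucket scenarios. As an added example, not SecuBox, mitmproxy or CrowdSec code, the following Python models that pipeline end to end over constructed threat-log lines so the capacity semantics can be seen concretely: a bucket with capacity N overflows on the (N+1)th event from one source that arrives before enough earlier events have leaked out, and a capacity-0 "trigger" bucket fires on the first event. The capacities and ban durations are the ones listed in the commit message; the JSON field names (ts, source_ip, category), the category strings, the leak speeds and the list of internal ranges used for the "external IPs" check are assumptions, since the page does not show the log format or the scenario files. In CrowdSec itself the corresponding pieces are a parser whose statics call UnmarshalJSON on evt.Line.Raw and set meta source_ip, `type: leaky` / `type: trigger` scenarios with `groupby: evt.Meta.source_ip`, and ban durations chosen in profiles.yaml rather than in the scenario.

```python
"""Simulate CrowdSec-style leaky-bucket scenarios over mitmproxy threat-log lines.

Added example, not SecuBox or CrowdSec code. The JSON layout of
/srv/mitmproxy/threats.log is not shown on the commit page, so the field
names (ts, source_ip, category) and the leak speeds are assumptions.
"""
import ipaddress
import json

# Scenario table mirroring the commit message. A leaky bucket holds `capacity`
# events and overflows on the (capacity+1)th one that arrives before enough have
# leaked out; capacity 0 models CrowdSec's "trigger" bucket (fires on the first event).
# leak_speed is seconds per leaked event and is assumed (the page gives none).
# In real CrowdSec the ban duration comes from profiles.yaml, not the scenario;
# it is attached here only to keep the simulation self-contained.
SCENARIOS = {
    "web-attack": {"categories": {"sqli", "xss", "cmdi", "path-traversal", "xxe", "ldapi", "log4shell"},
                   "capacity": 3, "leak_speed": 10.0, "ban": "15m"},
    "scanner": {"categories": {"scan"}, "capacity": 10, "leak_speed": 5.0, "ban": "10m"},
    "ssrf": {"categories": {"ssrf"}, "capacity": 5, "leak_speed": 10.0, "ban": "10m",
             "external_only": True},
    "cve": {"categories": {"cve"}, "capacity": 0, "leak_speed": 0.0, "ban": "30m"},
}

# Ranges treated as internal for the "SSRF attempts from external IPs" filter
# (RFC 1918, loopback, link-local, IPv6 ULA and link-local). Assumed: the page
# does not say how the scenario decides what counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def is_internal(ip):
    """True if ip falls in one of INTERNAL_NETS (v4/v6 mismatches compare False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


class LeakyBucket:
    """One per (scenario, source_ip), like CrowdSec's groupby buckets."""

    def __init__(self, capacity, leak_speed):
        self.capacity = capacity
        self.leak_speed = leak_speed
        self.level = 0.0
        self.last_ts = None

    def push(self, ts):
        """Account one event at time ts; return True when the bucket overflows."""
        if self.last_ts is not None and self.leak_speed > 0:
            self.level = max(0.0, self.level - (ts - self.last_ts) / self.leak_speed)
        self.last_ts = ts
        self.level += 1
        if self.level > self.capacity:
            self.level, self.last_ts = 0.0, None  # overflowed bucket is discarded
            return True
        return False


def parse_threat(line):
    """Parse one JSON threat line into (ts, source_ip, category), or None if malformed.

    This is the parser's job: a line without a valid source_ip must never reach
    the scenarios, because there is nothing to group by (and nothing to ban).
    """
    try:
        evt = json.loads(line)
        ip = str(ipaddress.ip_address(evt["source_ip"]))  # rejects garbage addresses
        return float(evt["ts"]), ip, str(evt["category"])
    except (ValueError, KeyError, TypeError):
        return None


def process(lines):
    """Run every matching scenario over the lines; return (scenario, ip, ban) decisions in order."""
    buckets = {}
    decisions = []
    for line in lines:
        parsed = parse_threat(line)
        if parsed is None:
            continue  # parse failure: skipped, never a ban
        ts, ip, category = parsed
        for name, sc in SCENARIOS.items():
            if category not in sc["categories"]:
                continue
            if sc.get("external_only") and is_internal(ip):
                continue  # internal clients probing for SSRF are out of scope here
            key = (name, ip)
            if key not in buckets:
                buckets[key] = LeakyBucket(sc["capacity"], sc["leak_speed"])
            if buckets[key].push(ts):
                decisions.append((name, ip, sc["ban"]))
    return decisions


def _line(ts, ip, category, path):
    """Build one constructed threat-log line in the assumed JSON layout."""
    return json.dumps({"ts": ts, "source_ip": ip, "category": category, "path": path})


# Constructed sample of /srv/mitmproxy/threats.log (not real captured data).
THREAT_LOG = [
    _line(100.0, "203.0.113.5", "sqli", "/login?user=1%27%20OR%201%3D1--"),
    _line(100.4, "203.0.113.5", "xss", "/search?q=%3Cscript%3E"),
    _line(101.0, "198.51.100.9", "ssrf", "/fetch?url=http://169.254.169.254/"),
    _line(101.2, "203.0.113.5", "cmdi", "/ping?host=127.0.0.1%3Bid"),
    "not json at all: the parser must skip this rather than crash or ban anyone",
    *[_line(101.5 + 0.1 * i, "10.0.0.3", "ssrf", "/fetch?url=http://127.0.0.1/") for i in range(6)],
    _line(101.6, "198.51.100.9", "ssrf", "/fetch?url=http://169.254.169.254/"),
    _line(102.0, "203.0.113.5", "path-traversal", "/static/../../etc/passwd"),  # 4th hit, capacity 3
    *[_line(102.2 + 0.2 * i, "198.51.100.9", "ssrf", "/fetch?url=http://10.0.0.1/") for i in range(3)],
    _line(103.0, "192.0.2.77", "cve", "/"),  # trigger bucket: fires on the first event
    _line(103.1, "198.51.100.9", "ssrf", "/fetch?url=file:///etc/passwd"),  # 6th hit, capacity 5
    _line(104.0, "192.0.2.1", "sqli", "/item?id=1%20OR%201%3D1"),  # single hit, stays under capacity
]

if __name__ == "__main__":
    for scenario, ip, ban in process(THREAT_LOG):
        print(f"ban {ip} for {ban} ({scenario})")
```

Run as a script it emits three decisions: 203.0.113.5 after its fourth web-attack hit, 192.0.2.77 on its single CVE hit, and 198.51.100.9 after its sixth SSRF attempt, while the six SSRF hits from 10.0.0.3 and the lone injection from 192.0.2.1 produce nothing. Two things carry over to the real deployment: the parser must refuse lines whose source_ip is not a valid address, otherwise the scenario has no key to bucket on; and source_ip must be the address of the actual client as mitmproxy saw it, since if another proxy sits in front of mitmproxy the bouncer would otherwise ban that proxy.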