InterceptoR Insider WAF (6th pillar):
- RPCD: get_insider_waf_status() tracking LAN client threats
- Dashboard: 🔒 Insider WAF card with threat stats
- CrowdSec scenarios for insider threats:
- C2 beacon, exfiltration, DNS tunneling, lateral movement
- Cryptominer, IoT botnet, suspicious TLDs, high volume
DDoS Protection Hardening:
- Config Advisor: 8 DDoS checks (SYN cookies, conntrack, RP filter,
ICMP rate, CrowdSec http-dos, HAProxy maxconn, mitmproxy WAF, Vortex)
- ANSSI rules: New "ddos" category with remediation steps
- Documentation: DOCS/DDOS-PROTECTION.md with full guide
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# CrowdSec scenarios for SecuBox Insider WAF
|
|
# Detects malicious activity from LAN clients (compromised devices, malware, insider threats)
|
|
|
|
# Detect C2 beacon attempts from internal hosts
|
|
type: leaky
|
|
name: secubox/insider-c2-beacon
|
|
description: "Detect C2 beacon-like activity from internal hosts"
|
|
filter: |
|
|
evt.Meta.log_type == 'mitmproxy_threat' &&
|
|
evt.Meta.source_ip startsWith '192.168.' ||
|
|
evt.Meta.source_ip startsWith '10.' ||
|
|
evt.Meta.source_ip matches '^172\.(1[6-9]|2[0-9]|3[01])\.' &&
|
|
evt.Parsed.pattern in ['c2_beacon', 'suspicious_periodic', 'encoded_payload', 'reverse_shell']
|
|
groupby: evt.Meta.source_ip
|
|
capacity: 3
|
|
leakspeed: 300s
|
|
blackhole: 60m
|
|
labels:
|
|
service: insider_waf
|
|
type: c2_beacon
|
|
remediation: true
|
|
scope: lan
|
|
---
|
|
# Detect data exfiltration attempts from LAN
|
|
type: leaky
|
|
name: secubox/insider-exfiltration
|
|
description: "Detect data exfiltration attempts from internal hosts"
|
|
filter: |
|
|
evt.Meta.log_type == 'mitmproxy_threat' &&
|
|
evt.Meta.source_ip startsWith '192.168.' ||
|
|
evt.Meta.source_ip startsWith '10.' &&
|
|
(evt.Parsed.pattern == 'large_upload' ||
|
|
evt.Parsed.pattern == 'base64_exfil' ||
|
|
evt.Parsed.pattern == 'dns_exfil' ||
|
|
evt.Parsed.content_length > 10485760)
|
|
groupby: evt.Meta.source_ip
|
|
capacity: 2
|
|
leakspeed: 600s
|
|
blackhole: 120m
|
|
labels:
|
|
service: insider_waf
|
|
type: data_exfiltration
|
|
remediation: true
|
|
scope: lan
|
|
---
|
|
# Detect DNS tunneling from internal hosts
|
|
type: leaky
|
|
name: secubox/insider-dns-tunnel
|
|
description: "Detect DNS tunneling/exfiltration from internal hosts"
|
|
filter: |
|
|
evt.Meta.log_type == 'dns_guard' &&
|
|
evt.Parsed.type in ['tunneling', 'dga', 'suspicious_subdomain'] &&
|
|
evt.Meta.source_ip startsWith '192.168.' ||
|
|
evt.Meta.source_ip startsWith '10.'
|
|
groupby: evt.Meta.source_ip
|
|
capacity: 5
|
|
leakspeed: 120s
|
|
blackhole: 30m
|
|
labels:
|
|
service: insider_waf
|
|
type: dns_tunneling
|
|
remediation: true
|
|
scope: lan
|
|
---
|
|
# Detect lateral movement attempts
|
|
type: leaky
|
|
name: secubox/insider-lateral-movement
|
|
description: "Detect lateral movement attempts within LAN"
|
|
filter: |
|
|
evt.Meta.log_type == 'mitmproxy_threat' &&
|
|
evt.Meta.source_ip startsWith '192.168.' &&
|
|
evt.Parsed.dest_ip startsWith '192.168.' &&
|
|
evt.Parsed.pattern in ['port_scan', 'smb_enum', 'ssh_scan', 'admin_scan', 'network_recon']
|
|
groupby: evt.Meta.source_ip
|
|
capacity: 10
|
|
leakspeed: 60s
|
|
blackhole: 30m
|
|
labels:
|
|
service: insider_waf
|
|
type: lateral_movement
|
|
remediation: true
|
|
scope: lan
|
|
---
|
|
# Detect cryptominer activity from LAN
|
|
type: leaky
|
|
name: secubox/insider-cryptominer
|
|
description: "Detect cryptominer activity from internal hosts"
|
|
filter: |
|
|
evt.Meta.log_type == 'mitmproxy_threat' &&
|
|
evt.Meta.source_ip startsWith '192.168.' ||
|
|
evt.Meta.source_ip startsWith '10.' &&
|
|
(evt.Parsed.pattern == 'mining_pool' ||
|
|
evt.Parsed.dest_port in ['3333', '4444', '5555', '14433', '14444'] ||
|
|
evt.Parsed.host matches '.*(pool|mine|xmr|eth|btc).*')
|
|
groupby: evt.Meta.source_ip
|
|
capacity: 2
|
|
leakspeed: 300s
|
|
blackhole: 1440m
|
|
labels:
|
|
service: insider_waf
|
|
type: cryptominer
|
|
remediation: true
|
|
scope: lan
|
|
---
|
|
# Detect IoT botnet activity
|
|
type: leaky
|
|
name: secubox/insider-iot-botnet
|
|
description: "Detect IoT botnet C2 activity from internal devices"
|
|
filter: |
|
|
evt.Meta.log_type == 'mitmproxy_threat' &&
|
|
evt.Meta.source_ip startsWith '192.168.' &&
|
|
(evt.Parsed.user_agent matches '.*Mirai.*|.*Gafgyt.*|.*BotenaGo.*|.*Mozi.*' ||
|
|
evt.Parsed.pattern in ['iot_exploit', 'telnet_scan', 'mirai_pattern'])
|
|
groupby: evt.Meta.source_ip
|
|
capacity: 1
|
|
leakspeed: 60s
|
|
blackhole: 1440m
|
|
labels:
|
|
service: insider_waf
|
|
type: iot_botnet
|
|
remediation: true
|
|
scope: lan
|
|
---
|
|
# Detect suspicious outbound to known bad TLDs
|
|
type: leaky
|
|
name: secubox/insider-bad-tld
|
|
description: "Detect suspicious outbound to high-risk TLDs from internal hosts"
|
|
filter: |
|
|
evt.Meta.log_type == 'mitmproxy_threat' &&
|
|
evt.Meta.source_ip startsWith '192.168.' ||
|
|
evt.Meta.source_ip startsWith '10.' &&
|
|
evt.Parsed.host matches '.*\.(xyz|top|club|work|date|bid|download|racing|science|party|gq|cf|tk|ml|ga)$'
|
|
groupby: evt.Meta.source_ip
|
|
capacity: 20
|
|
leakspeed: 300s
|
|
blackhole: 15m
|
|
labels:
|
|
service: insider_waf
|
|
type: suspicious_tld
|
|
remediation: true
|
|
scope: lan
|
|
---
|
|
# Detect unusual high-volume outbound from single LAN host
|
|
type: leaky
|
|
name: secubox/insider-high-volume
|
|
description: "Detect unusual high-volume outbound traffic from single LAN host"
|
|
filter: |
|
|
evt.Meta.log_type == 'mitmproxy_threat' &&
|
|
evt.Meta.source_ip startsWith '192.168.' &&
|
|
evt.Parsed.bytes_out > 104857600
|
|
groupby: evt.Meta.source_ip
|
|
capacity: 5
|
|
leakspeed: 3600s
|
|
blackhole: 30m
|
|
labels:
|
|
service: insider_waf
|
|
type: high_volume_outbound
|
|
remediation: true
|
|
scope: lan
|
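Review bot: The filter of secubox/insider-c2-beacon mixes `&&` and `||` without parentheses, and in the expr language CrowdSec evaluates filters with, `&&` binds tighter than `||`, so it reads as `(log_type == 'mitmproxy_threat' && source_ip startsWith '192.168.') || source_ip startsWith '10.' || (source_ip matches '^172…' && pattern in [...])` — every event from a 10.x source and every mitmproxy_threat event from a 192.168.x source fills the bucket without the pattern test, and with capacity 3 over 300s plus `remediation: true` the result is LAN clients being banned for 60m on benign traffic. The same unparenthesized mix is in insider-exfiltration, insider-dns-tunnel, insider-cryptominer and insider-bad-tld, where the 1440m and 15m blackholes make a false positive an outage for the affected host. Group the RFC1918 source checks in one parenthesized term so the pattern condition always applies, as in the rewrite below, and apply the same grouping to the other four filters. Separately, the insider-cryptominer host regex `.*(pool|mine|xmr|eth|btc).*` matches any hostname containing those substrings (for example "method", "minecraft", "carpool"), which is a broad trigger for a 24-hour ban; restricting it to the label boundaries of known pool hostnames (e.g. `\.(pool|xmr)\.` — constructed example, to be tuned against real traffic) would reduce that.
```yaml
filter: |
  evt.Meta.log_type == 'mitmproxy_threat' &&
  (evt.Meta.source_ip startsWith '192.168.' ||
   evt.Meta.source_ip startsWith '10.' ||
   evt.Meta.source_ip matches '^172\.(1[6-9]|2[0-9]|3[01])\.') &&
  evt.Parsed.pattern in ['c2_beacon', 'suspicious_periodic', 'encoded_payload', 'reverse_shell']
# … unchanged: groupby, capacity, leakspeed, blackhole, labels …
```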