CyberMind-FR
b542ac7d3c
Changes: - Enable WAF auto-ban by default (sensitivity: moderate, min_severity: high) - Add whitelist for common safe IPs (localhost, router) - Add browser cache busting via version parameter in CSS loads - Document deployment scripts in secubox-tools/README.md - Create CVE Layer 7 architecture documentation WAF auto-ban now active with: - 3 threats within 5 minutes triggers ban - 4-hour ban duration - Critical CVEs (Log4Shell, SQLi, CMDi) ban immediately Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
12 KiB
12 KiB
SecuBox CVE Layer 7 Defense System
Version: 1.0.0 Last Updated: 2026-02-28
Overview
The CVE Layer 7 innovation combines three defense pillars for comprehensive web application security:
- mitmproxy WAF - Real-time threat pattern detection (70+ CVE patterns)
- CrowdSec Scenarios - Intelligent ban decisions with adaptive thresholds
- CVE Triage Agent - AI-powered vulnerability assessment and remediation
Architecture
┌─────────────────────────────────────────────────────────────────┐
│ LAYER 7: Request Processing │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ HAProxy (port 8080) → mitmproxy (MITM inspection) │ │
│ │ ↓ │ │
│ │ secubox_analytics.py │ │
│ │ (70+ CVE patterns, sub-100ms detection) │ │
│ └──────────────────────────────────────────────────────────┘ │
│ ↓ │
│ [Decision Tree] │
│ ┌────────────────┬─────────────┬──────────────┐ │
│ ↓ ↓ ↓ ↓ │
│ [Allow] [Log Threat] [Auto-Ban] [Alert] │
└─────────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────────┐
│ THREAT LOG PIPELINE │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ Log Files: │ │
│ │ • /var/log/secubox-access.log (all requests) │ │
│ │ • /data/threats.log (CrowdSec parser input) │ │
│ │ • /data/autoban-requests.log (ban decisions) │ │
│ │ • /tmp/secubox-subdomain-metrics.json (analytics) │ │
│ └──────────────────────────────────────────────────────────┘ │
│ ↓ │
│ [CrowdSec Engine] │
│ 8 mitmproxy-specific scenarios │
│ ┌─────────────────┬──────────────┬──────────┐ │
│ ↓ ↓ ↓ ↓ │
│ [CVE] [Scanner] [SSRF] [Shell] │
│ 30m ban 10-30m ban 10m ban 60m ban │
└─────────────────────────────────────────────────────────────────┘
↓
┌─────────────────────────────────────────────────────────────────┐
│ RESPONSE & REMEDIATION │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ CrowdSec Firewall Bouncer: │ │
│ │ • IP-based blocks (iptables/nftables rules) │ │
│ │ • Whitelist/blacklist integration │ │
│ └──────────────────────────────────────────────────────────┘ │
│ ↓ │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ CVE Triage Agent (optional): │ │
│ │ • Correlates CVE patterns with NVD data │ │
│ │ • LocalAI impact assessment │ │
│ │ • Patch recommendations │ │
│ └──────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────────┘
Component 1: mitmproxy WAF Analytics
Location
- Config:
/etc/config/mitmproxy - Analytics Addon:
/srv/mitmproxy/addons/secubox_analytics.py - WAF Rules:
/srv/mitmproxy/waf-rules.json
CVE Pattern Categories
| Category | Patterns | Severity | Auto-Ban |
|---|---|---|---|
| SQL Injection | 18 | Critical | Yes |
| Command Injection | 16 | Critical | Yes |
| XSS | 17 | High | Threshold |
| Path Traversal | 14 | High | Threshold |
| XXE | 8 | Critical | Yes |
| SSRF | 14 | High | Threshold |
| Log4Shell/JNDI | 8 | Critical | Yes |
| CVE 2021-2025 | 70+ | Critical | Immediate |
| Router Botnet | 20+ | Critical | Immediate |
Supported CVEs (2021-2025)
2024-2025:
- CVE-2025-15467 (OpenSSL CMS stack overflow)
- CVE-2025-0282 (Ivanti Connect Secure)
- CVE-2024-3400 (PAN-OS GlobalProtect)
- CVE-2024-21887 (Ivanti Connect Secure)
- CVE-2024-1708/1709 (ScreenConnect)
- CVE-2024-27198 (TeamCity)
- CVE-2024-21762 (Fortinet FortiOS)
2023:
- CVE-2023-34362 (MOVEit SQL injection)
- CVE-2023-22515 (Confluence privilege escalation)
- CVE-2023-46747 (F5 BIG-IP)
- CVE-2023-4966 (Citrix Bleed)
2021-2022:
- CVE-2021-44228 (Log4Shell)
- CVE-2021-41773 (Apache path traversal)
- CVE-2022-22965 (Spring4Shell)
- CVE-2022-1388 (F5 BIG-IP)
Auto-Ban Configuration
config autoban 'autoban'
option enabled '1'
option ban_duration '4h'
option min_severity 'high'
option sensitivity 'moderate'
option moderate_threshold '3'
option moderate_window '300'
option whitelist '127.0.0.1,192.168.255.1'
Sensitivity Levels:
- Aggressive: Immediate ban on first critical threat
- Moderate: Ban after 3 threats within 5 minutes (default)
- Permissive: Ban after 5 threats within 1 hour
Component 2: CrowdSec Scenarios
Location
- Scenarios:
/etc/crowdsec/scenarios/ - Parser:
/etc/crowdsec/parsers/s01-parse/secubox-mitmproxy.yaml - Acquisition:
/etc/crowdsec/acquis.d/secubox-mitmproxy.yaml
mitmproxy Threat Scenarios
| Scenario | Type | Trigger | Ban Duration |
|---|---|---|---|
secubox/mitmproxy-attack |
Leaky | SQLi, XSS, CMDi, LFI, XXE | 15m |
secubox/mitmproxy-cve |
Trigger | CVE + critical severity | 30m |
secubox/mitmproxy-botscan |
Leaky | Vulnerability scanners | 30m |
secubox/mitmproxy-shell-hunter |
Trigger | Shell/backdoor hunting | 60m |
secubox/mitmproxy-config-hunter |
Leaky | Config file hunting | 30m |
secubox/mitmproxy-scanner |
Leaky | Admin/env scanning | 10m |
secubox/mitmproxy-ssrf |
Leaky | SSRF attempts | 10m |
secubox/mitmproxy-suspicious-ua |
Leaky | Suspicious User-Agent | 15m |
Log Format (JSON)
{
"timestamp": "2026-02-28T12:00:00Z",
"source_ip": "1.2.3.4",
"host": "example.com",
"request": "GET /../../../etc/passwd HTTP/1.1",
"threat_type": "path_traversal",
"pattern": "../../../etc/passwd",
"severity": "critical",
"cve": "",
"category": "lfi",
"is_bot": true,
"bot_type": "vulnerability_scanner",
"bot_behavior": "config_hunting"
}
Component 3: CVE Triage Agent
Location
- Config:
/etc/config/cve-triage - CLI:
/usr/bin/cve-triage - Library:
/usr/lib/cve-triage/
Workflow
-
Collector (
collector.sh):- Gathers installed packages (opkg, dpkg, apk)
- Scans LXC containers and Docker images
- Cross-references with NVD API
-
Analyzer (
analyzer.sh):- CVSS-based severity scoring
- LocalAI impact assessment (optional)
- Attack vector analysis
-
Recommender (
recommender.sh):- Patch recommendations
- Mitigation strategies
- Monitoring guidance
-
Applier (
applier.sh):- Queue-based approval workflow
- Auto-apply option (configurable)
- Rollback capability
Configuration
config cve-triage 'main'
option enabled '1'
option scan_interval '3600'
option min_severity 'medium'
option auto_apply_patches '0'
option localai_analysis '1'
Integration Points
mitmproxy → CrowdSec
- mitmproxy writes JSON threat logs to
/data/threats.log - CrowdSec
secubox-mitmproxyparser extracts fields - 8 scenarios evaluate severity and decide ban duration
- Firewall bouncer applies IP blocks
mitmproxy → CVE Triage
- CVE field from detection passed to triage agent
- Triage correlates with NVD API
- Generates remediation recommendations
- Updates auto-ban sensitivity if needed
Auto-Ban Feedback Loop
- High-severity CVE attempts trigger immediate bans
- Repeated attempts from same IP escalate ban duration
- Whitelist/WireGuard endpoint protection prevents false positives
- CrowdSec community blocklist integration
File Locations
| Component | Path | Purpose |
|---|---|---|
| WAF Config | /etc/config/mitmproxy |
Auto-ban settings |
| WAF Rules | /srv/mitmproxy/waf-rules.json |
Pattern definitions |
| Analytics | /srv/mitmproxy/addons/secubox_analytics.py |
Detection engine |
| Threats Log | /data/threats.log |
CrowdSec input |
| Access Log | /var/log/secubox-access.log |
All requests |
| Auto-ban Log | /data/autoban-requests.log |
Ban decisions |
| Scenarios | /etc/crowdsec/scenarios/ |
CrowdSec rules |
| CVE Triage | /usr/lib/cve-triage/ |
Agent library |
Metrics & Monitoring
Subdomain Metrics
Real-time JSON export: /tmp/secubox-subdomain-metrics.json
- Request counts per domain
- Threat type distribution
- Top 20 URIs per subdomain
- Country-based statistics
Rate Limiting
RATE_LIMITS = {
'path_scan': {'window': 60, 'max': 20},
'auth_attempt': {'window': 60, 'max': 10},
'bot_request': {'window': 60, 'max': 30},
'normal': {'window': 60, 'max': 100},
}
Commands
View active threats
# Recent threats
tail -f /data/threats.log | jq
# Auto-ban log
cat /data/autoban-requests.log
# CrowdSec decisions
cscli decisions list
Manual ban/unban
# Ban IP for 4 hours
cscli decisions add --ip 1.2.3.4 --duration 4h --reason "Manual ban"
# Remove ban
cscli decisions delete --ip 1.2.3.4
Check status
# mitmproxy WAF status
mitmproxyctl status
# CrowdSec status
cscli metrics
# CVE Triage status
cve-triage status