History

CyberMind-FR d351ae515a feat(ai): Integrate MCP server and threat-analyst with AI Gateway Route AI requests through the AI Gateway for data sovereignty compliance. Changes: - secubox-mcp-server: ai.sh now prefers AI Gateway (port 4050), falls back to LocalAI - secubox-threat-analyst: UCI config adds ai_gateway_url option - threat-analyst CLI shows both Gateway and LocalAI status - analyzer.sh and appliers.sh use ai_url (Gateway preferred) - README updated with AI Gateway integration section The AI Gateway ensures threat data (IPs, MACs, logs) is classified as LOCAL_ONLY and never leaves the device, supporting ANSSI CSPN compliance. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>		2026-02-28 17:59:20 +01:00
..
files	feat(ai): Integrate MCP server and threat-analyst with AI Gateway	2026-02-28 17:59:20 +01:00
Makefile	feat: Add threat-analyst, dns-guard, mcp-server and DNS provider DynDNS	2026-02-05 08:30:28 +01:00
README.md	feat(ai): Integrate MCP server and threat-analyst with AI Gateway	2026-02-28 17:59:20 +01:00

README.md

SecuBox Threat Analyst

AI-powered autonomous threat analysis and filter generation agent for SecuBox.

Version: 1.0.0 Author: CyberMind devel@CyberMind.fr

Overview

Threat Analyst monitors security events from CrowdSec, mitmproxy, and netifyd DPI, uses LocalAI for intelligent analysis, and automatically generates filter rules for:

mitmproxy: Python filter patterns for HTTP/HTTPS inspection
CrowdSec: Custom scenarios and parsers
WAF: JSON rule sets for web application firewall

Features

Real-time threat correlation across multiple sources
AI-powered attack pattern recognition (via LocalAI)
Automatic rule generation for mitmproxy/CrowdSec/WAF
Approval workflow for generated rules (queue or auto-apply)
LuCI dashboard with AI chat interface
Periodic analysis daemon

Installation

opkg install secubox-threat-analyst
opkg install luci-app-threat-analyst

# Enable and start daemon
uci set threat-analyst.main.enabled=1
uci commit threat-analyst
/etc/init.d/threat-analyst enable
/etc/init.d/threat-analyst start

CLI Commands

threat-analyst status          # Show agent status
threat-analyst run             # Run single analysis cycle
threat-analyst daemon          # Run as background daemon
threat-analyst analyze         # Analyze threats (no rule generation)
threat-analyst generate        # Generate all rules
threat-analyst gen-mitmproxy   # Generate mitmproxy filters only
threat-analyst gen-crowdsec    # Generate CrowdSec scenario only
threat-analyst gen-waf         # Generate WAF rules only
threat-analyst list-pending    # List pending rules
threat-analyst approve <id>    # Approve pending rule
threat-analyst reject <id>     # Reject pending rule

Configuration

UCI config: /etc/config/threat-analyst

config threat-analyst 'main'
    option enabled '1'
    option interval '300'           # Analysis interval (seconds)

    # AI Gateway (preferred) - handles data classification & sovereignty
    option ai_gateway_url 'http://127.0.0.1:4050'
    # LocalAI (fallback) - direct connection if gateway unavailable
    option localai_url 'http://127.0.0.1:8081'
    option localai_model 'tinyllama-1.1b-chat-v1.0.Q4_K_M'

    # Auto-apply settings
    option auto_apply_mitmproxy '1' # Auto-apply mitmproxy filters
    option auto_apply_crowdsec '0'  # Queue CrowdSec for approval
    option auto_apply_waf '0'       # Queue WAF for approval

    option min_confidence '70'      # Min AI confidence for rules
    option max_rules_per_cycle '5'  # Max rules per cycle

AI Gateway Integration

Threat Analyst routes AI requests through the AI Gateway for data sovereignty compliance:

Gateway (preferred): Handles data classification and PII sanitization before routing to providers
LocalAI (fallback): Direct on-device inference if gateway is unavailable

The AI Gateway ensures threat data (IPs, MACs, logs) stays LOCAL_ONLY and never leaves the device.

LuCI Dashboard

Navigate to: SecuBox → Security → Threat Analyst

Features:

Status panel: Daemon status, LocalAI status, threat counts
AI Chat: Interactive chat with threat analyst AI
Pending rules: Approve/reject generated rules
Threats table: Recent security events

Data Sources

Source	Type	Path
CrowdSec	Alerts	`cscli alerts list`
mitmproxy	Threats	`/srv/mitmproxy/threats.log`
netifyd	DPI	`/var/run/netifyd/status.json`

Generated Rules

mitmproxy Filters

Output: /etc/mitmproxy/ai_filters.py

Python class with IP blocklist, URL patterns, User-Agent detection.

CrowdSec Scenarios

Output: /etc/crowdsec/scenarios/ai-generated.yaml

YAML scenarios for AI-detected attack patterns.

WAF Rules

Output: /etc/mitmproxy/waf_ai_rules.json

JSON rule sets for SQL injection, XSS, path traversal, scanner detection.

Dependencies

secubox-mcp-server — MCP protocol for AI integration
jsonfilter — JSON parsing
secubox-app-localai — LocalAI inference (recommended)
crowdsec — CrowdSec integration (optional)
mitmproxy — WAF integration (optional)

Architecture

┌─────────────┐  ┌─────────────┐  ┌─────────────┐
│  CrowdSec   │  │  mitmproxy  │  │   netifyd   │
└──────┬──────┘  └──────┬──────┘  └──────┬──────┘
       │                │                │
       └────────────────┼────────────────┘
                        │
                ┌───────▼───────┐
                │   Collector   │
                └───────┬───────┘
                        │
                ┌───────▼───────┐
                │    LocalAI    │
                │   Analysis    │
                └───────┬───────┘
                        │
       ┌────────────────┼────────────────┐
       │                │                │
┌──────▼──────┐  ┌──────▼──────┐  ┌──────▼──────┐
│  mitmproxy  │  │  CrowdSec   │  │    WAF      │
│   filters   │  │  scenarios  │  │   rules     │
└─────────────┘  └─────────────┘  └─────────────┘

License

MIT

Part Of

SecuBox AI Gateway (Couche 2) — v0.18