BUG FIX #10: Variable scope issue with multi_vector and geo_bonus
ISSUE: The intel_tags logic at lines 2991+ uses variables multi_vector and geo_bonus to build threat intelligence tags. But these variables were declared as 'local' INSIDE the skip_scoring conditional block (lines 2855, 2885). PROBLEM: In bash, 'local' variables are function-scoped (not block-scoped like other languages). But declaring them inside a conditional block creates an expectation they're only needed inside that block. When used OUTSIDE the block (after line 2957), they may be undefined if the block wasn't executed (e.g., when skip_scoring=1). BEHAVIOR WITH BUG: 1. When skip_scoring=0 (not whitelisted): - multi_vector and geo_bonus are initialized inside the block - Used outside the block - Works (but relies on block being executed) 2. When skip_scoring=1 (whitelisted): - multi_vector and geo_bonus are NEVER initialized - Used outside the block at lines 2991, 2999+ with undefined values - Undefined variables expand to empty strings in bash - Conditions like [ "$multi_vector" -eq 1 ] silently fail - Intel tags for multi-vector and geo-based threats not generated IMPACT: - Whitelisted IPs: MULTI-VECTOR and HOSTILE tags never shown (even if they should be) - Intel_tags incomplete for whitelisted attacks with geographic/multi-vector indicators - Misleading threat summary (appears less sophisticated than actual) ROOT CAUSE: Variables needed across scopes were declared inside a conditional block instead of before the conditional. FIX: Declare multi_vector=0 and geo_bonus=0 BEFORE the skip_scoring block (line 2748). Remove the duplicate 'local' declarations inside the block. Now both variables: - Are initialized to 0 before the skip_scoring check - Can be safely used in intel_tags logic (lines 2991+) - Work correctly for both whitelisted and non-whitelisted IPs LINES CHANGED: - Added declarations at line ~2755 (before skip_scoring block) - Removed declarations from line 2861 (was in multi_vector logic) - Removed declarations from line 2891 (was in geo_bonus logic) VERIFICATION: - Syntax: ✓ Pass - Scope: ✓ Variables now accessible throughout IP processing - Logic: ✓ Same initialization semantics, better scope management Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
cschantz
@@ -2744,6 +2744,13 @@ monitor_network_attacks() {
|
||||
http_attack_bonus=25 # Already known attacker, very suspicious
|
||||
fi
|
||||
|
||||
# CRITICAL FIX: Declare variables before skip_scoring block
|
||||
# Bug: multi_vector and geo_bonus were declared inside skip_scoring but used outside
|
||||
# When skip_scoring=1, local vars never initialized, causing undefined variable in intel_tags logic
|
||||
# Fix: Move declarations outside skip_scoring so they're always available
|
||||
local multi_vector=0
|
||||
local geo_bonus=0
|
||||
|
||||
# Only do scoring/tracking if not whitelisted
|
||||
if [ "$skip_scoring" -eq 0 ]; then
|
||||
# Record attack intelligence
|
||||
@@ -2852,7 +2859,7 @@ monitor_network_attacks() {
|
||||
# Bug: was trying to read from individual ip_* file which may not exist
|
||||
# If this is first SYN detection of an IP with prior HTTP attacks, file won't exist
|
||||
# Result: multi_vector stays 0, missing the sophisticated attacker indicator
|
||||
local multi_vector=0
|
||||
# Note: multi_vector declared outside skip_scoring block (line ~2755) for scope
|
||||
if [[ "$attacks" =~ (SQLI|XSS|RCE|LFI|RFI|WEBSHELL) ]]; then
|
||||
multi_vector=1
|
||||
conn_bonus=$((conn_bonus + 30)) # Multi-vector = very dangerous
|
||||
@@ -2882,7 +2889,7 @@ monitor_network_attacks() {
|
||||
conn_bonus=$((conn_bonus + http_attack_bonus))
|
||||
|
||||
# Geographic clustering bonus
|
||||
local geo_bonus=0
|
||||
# Note: geo_bonus declared outside skip_scoring block (line ~2755) for scope
|
||||
if [ -f "$TEMP_DIR/threat_enrich_${ip//\./_}" ]; then
|
||||
local threat_data=$(cat "$TEMP_DIR/threat_enrich_${ip//\./_}" 2>/dev/null || echo "")
|
||||
# Bash IFS field splitting (100x faster than cut)
|
||||
|
||||
Reference in New Issue
Block a user