diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index f506032..85b7bf4 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2744,6 +2744,13 @@ monitor_network_attacks() {
 http_attack_bonus=25 # Already known attacker, very suspicious
 fi
+ # CRITICAL FIX: Declare variables before skip_scoring block
+ # Bug: multi_vector and geo_bonus were declared inside skip_scoring but used outside
+ # When skip_scoring=1, local vars never initialized, causing undefined variable in intel_tags logic
+ # Fix: Move declarations outside skip_scoring so they're always available
+ local multi_vector=0
+ local geo_bonus=0
+
 # Only do scoring/tracking if not whitelisted
 if [ "$skip_scoring" -eq 0 ]; then
 # Record attack intelligence
@@ -2852,7 +2859,7 @@ monitor_network_attacks() {
 # Bug: was trying to read from individual ip_* file which may not exist
 # If this is first SYN detection of an IP with prior HTTP attacks, file won't exist
 # Result: multi_vector stays 0, missing the sophisticated attacker indicator
- local multi_vector=0
+ # Note: multi_vector declared outside skip_scoring block (line ~2755) for scope
 if [[ "$attacks" =~ (SQLI|XSS|RCE|LFI|RFI|WEBSHELL) ]]; then
 multi_vector=1
 conn_bonus=$((conn_bonus + 30)) # Multi-vector = very dangerous
@@ -2882,7 +2889,7 @@ monitor_network_attacks() {
 conn_bonus=$((conn_bonus + http_attack_bonus))
 # Geographic clustering bonus
- local geo_bonus=0
+ # Note: geo_bonus declared outside skip_scoring block (line ~2755) for scope
 if [ -f "$TEMP_DIR/threat_enrich_${ip//\./_}" ]; then
 local threat_data=$(cat "$TEMP_DIR/threat_enrich_${ip//\./_}" 2>/dev/null || echo "")
 # Bash IFS field splitting (100x faster than cut)
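Review bot: The comment block added above `local multi_vector=0` reads as a changelog entry and describes the failure imprecisely. Bash `local` is function-scoped, not block-scoped, so if this code runs once per event inside a loop (not visible in the hunk), a skipped iteration would have read the values left by the previous IP rather than an unset variable, and a whitelisted source could have been tagged with another address's multi-vector or geo result. I would move the history to the commit message and keep one line such as `# Reset per-event flags here: they are read after the skip_scoring block even when scoring is skipped.` It is also worth checking whether `conn_bonus` and any other value that appears to be assigned only inside the block is read after it. The body of monitor_network_attacks starts and ends outside this hunk.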
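Review bot: The replacement comment `# Note: multi_vector declared outside skip_scoring block (line ~2755) for scope` pins a line number that will drift as soon as anything above it is edited, and the geo_bonus note in the hunk at -2882 has the same problem. Refer to the location by what it is instead, for example `# multi_vector is reset to 0 just before the skip_scoring check`. With the in-block `local multi_vector=0` gone, the earlier declaration is the only reset, so a comment at that declaration should say it must stay ahead of the `if [ "$skip_scoring" -eq 0 ]` test. The enclosing function continues outside the hunk.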