Integrate bot-analyzer with centralized IP reputation system
Added comprehensive IP reputation tracking to bot analyzer script.
UPDATED:
- modules/security/bot-analyzer.sh
* Now tracks ALL analyzed IPs in centralized reputation database
* Tags IPs with specific attack types discovered:
- SQL_INJECTION: SQL injection attempts
- XSS: Cross-site scripting attempts
- PATH_TRAVERSAL: Directory traversal attempts
- RCE: Remote code execution/shell upload attempts
- BRUTEFORCE: Login bruteforce attempts
- DDOS: Rapid-fire/DDoS patterns
- SCANNER: Suspicious user-agents
* Records hit counts for each IP
* Background processing for performance
* Waits for all updates to complete before finishing
HOW IT WORKS:
When bot analyzer calculates threat scores for each IP, it now:
1. Updates hit count in IP reputation database
2. Tags IP with ALL attack types found (not just one)
3. Runs in background to maintain analysis speed
4. Waits for all background updates before completing
EXAMPLE:
If bot analyzer finds an IP doing:
- SQL injection (15 points)
- XSS attacks (12 points)
- 1000 requests (5 points)
The IP gets:
- Total score: 32/100
- Tags: SQL_INJECTION + XSS
- Hit count: 1000
- Last activity: "Bot analyzer: SQL injection attempts"
This data is then available to ALL other scripts!
BENEFITS:
✓ Bot analysis intelligence shared across entire toolkit
✓ IPs tracked with multiple attack types
✓ Historical data persists between analysis runs
✓ Other scripts can check IP reputation before processing
✓ Build comprehensive threat profile over time
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
cschantz
@@ -27,6 +27,7 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
|
||||
source "$SCRIPT_DIR/lib/common-functions.sh"
|
||||
source "$SCRIPT_DIR/lib/system-detect.sh"
|
||||
source "$SCRIPT_DIR/lib/user-manager.sh"
|
||||
source "$SCRIPT_DIR/lib/ip-reputation.sh"
|
||||
|
||||
# Default configuration (auto-detected from system)
|
||||
LOG_DIR="${SYS_LOG_DIR:-/var/log/apache2/domlogs}"
|
||||
@@ -925,9 +926,29 @@ calculate_threat_scores() {
|
||||
|
||||
# Only output IPs with score > 0
|
||||
[ $score -gt 0 ] && echo "$score|$ip|$req_count"
|
||||
|
||||
# Track in centralized IP reputation database (background process)
|
||||
if [ $score -gt 0 ]; then
|
||||
(
|
||||
# Update IP with hit count
|
||||
increment_ip_hits "$ip" "$req_count" >/dev/null 2>&1
|
||||
|
||||
# Tag with specific attack types found
|
||||
[ -n "${threat_ips_sqli[$ip]}" ] && flag_ip_attack "$ip" "SQL_INJECTION" 0 "Bot analyzer: SQL injection attempts" >/dev/null 2>&1
|
||||
[ -n "${threat_ips_xss[$ip]}" ] && flag_ip_attack "$ip" "XSS" 0 "Bot analyzer: XSS attempts" >/dev/null 2>&1
|
||||
[ -n "${threat_ips_path[$ip]}" ] && flag_ip_attack "$ip" "PATH_TRAVERSAL" 0 "Bot analyzer: Path traversal" >/dev/null 2>&1
|
||||
[ -n "${threat_ips_rce[$ip]}" ] && flag_ip_attack "$ip" "RCE" 0 "Bot analyzer: RCE/shell upload attempts" >/dev/null 2>&1
|
||||
[ -n "${threat_ips_login[$ip]}" ] && flag_ip_attack "$ip" "BRUTEFORCE" 0 "Bot analyzer: Login bruteforce" >/dev/null 2>&1
|
||||
[ -n "${threat_ips_ddos[$ip]}" ] && flag_ip_attack "$ip" "DDOS" 0 "Bot analyzer: Rapid-fire requests" >/dev/null 2>&1
|
||||
[ -n "${threat_ips_suspicious[$ip]}" ] && flag_ip_attack "$ip" "SCANNER" 0 "Bot analyzer: Suspicious user-agent" >/dev/null 2>&1
|
||||
) &
|
||||
fi
|
||||
done | sort -t'|' -k1 -rn > "$TEMP_DIR/threat_scores.txt"
|
||||
|
||||
print_success "Threat scores calculated"
|
||||
# Wait for background IP reputation updates to complete
|
||||
wait
|
||||
|
||||
print_success "Threat scores calculated and IP reputation updated"
|
||||
}
|
||||
|
||||
#############################################################################
|
||||
|
||||
Reference in New Issue
Block a user