diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 0f9efd8..2b69793 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2586,6 +2586,14 @@ monitor_network_attacks() {
 # Track connection count for this IP
 CONNECTION_COUNT[$ip]=$count
+ # Load IP's persistent data FIRST (before threshold calculation)
+ # This gets the current lifetime hits count from ip_data
+ local current_data="0|0|human||0|0"
+ if [ -f "$TEMP_DIR/ip_data" ]; then
+ current_data=$(grep "^${ip}=" "$TEMP_DIR/ip_data" 2>/dev/null | cut -d= -f2 || echo "0|0|human||0|0")
+ fi
+ IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
+
 # Dynamic threshold based on attack severity + momentum:
 # CRITICAL FIX: Changed Tier 0 threshold from 20 to 3
 # Bug: Tier 0 (< 75 total SYN) had threshold=20, preventing detection of distributed attacks
@@ -2644,16 +2652,8 @@ monitor_network_attacks() {
 if [ -z "${ALERT_SENT[$ip]}" ]; then
 ALERT_SENT[$ip]=1
- # Load IP reputation from PERSISTENT central database (ip_data)
- # This preserves hits across monitor restarts for historical tracking
- local current_data="0|0|human||0|0"
- if [ -f "$TEMP_DIR/ip_data" ]; then
- # Extract this IP's data from central database
- current_data=$(grep "^${ip}=" "$TEMP_DIR/ip_data" 2>/dev/null | cut -d= -f2 || echo "0|0|human||0|0")
- fi
- IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
-
- # Increment hits (persistent across monitor restarts)
+ # Data already loaded earlier (before threshold calculation)
+ # Just increment hits (persistent across monitor restarts)
 # This is the total lifetime detection count for this IP
 hits=$((hits + 1))
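Review bot: The `|| echo "0|0|human||0|0"` fallback in the added `current_data=$(...)` line never fires for an IP that is not yet in `ip_data`, because the `||` sees the exit status of `cut`, which succeeds on empty input; unless `set -o pipefail` is active elsewhere in the file (not visible here), `current_data` becomes the empty string and `read` leaves `score`, `hits`, `bot_type`, `attacks`, `ban_count` and `rep_score` empty. Since this commit moves the load ahead of the threshold calculation, that empty case now presumably feeds the threshold logic for every first-seen IP rather than only the alert path it used to reach. Apply the default after the lookup instead: `current_data=$(grep "^${ip//./\\.}=" "$TEMP_DIR/ip_data" 2>/dev/null | cut -d= -f2)` followed by `[ -n "$current_data" ] || current_data="0|0|human||0|0"`; escaping the dots also keeps an unescaped `.` from acting as a regex wildcard, so `1.2.3.4` no longer matches a record for `1x2.3.4`. The enclosing monitor_network_attacks body begins before and continues after this hunk.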