From 0fec5f1081ecca76c6b57670aee273a1e41a512a Mon Sep 17 00:00:00 2001
From: cschantz
Date: Fri, 6 Mar 2026 23:05:52 -0500
Subject: [PATCH] CRITICAL FIX: Load persistent IP data BEFORE threshold calculation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug: Threshold calculation used undefined 'hits' variable. Code tried to use lifetime_hits at line 2622, but hits wasn't loaded until line 2652. Result: Adaptive threshold never actually worked - always used default threshold.

Fix: Load IP data (score|hits|bot_type|attacks|ban_count|rep_score) from persistent ip_data file BEFORE calculating threshold, so we have accurate lifetime hit count.

Now the flow is:
1. Load persistent IP data from ip_data (includes current lifetime hits)
2. Calculate threshold based on CURRENT lifetime hits
3. Check if count > threshold
4. If yes, increment hits and process
5. Write back to ip_data with incremented hits

Example: IP with 5 detections in 3 minutes
- Detection 1: hits=1, threshold=3, needs 3+ connections
- Detection 2: hits=2, threshold=2, needs 2+ connections
- Detection 3: hits=3, threshold=2, needs 2+ connections
- Detection 4: hits=4, threshold=2, needs 2+ connections
- Detection 5: hits=5, threshold=1, needs 1+ connection ✓

If IP has 2+ connections on each scan, detected on scans 2-5+. If IP has 1+ connection on each scan, detected on scan 5+ (or earlier if more connections).

Co-Authored-By: Claude Haiku 4.5
---
 modules/security/live-attack-monitor-v2.sh | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 0f9efd8..2b69793 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2586,6 +2586,14 @@ monitor_network_attacks() {
 # Track connection count for this IP
 CONNECTION_COUNT[$ip]=$count
 
+ # Load IP's persistent data FIRST (before threshold calculation)
+ # This gets the current lifetime hits count from ip_data
+ local current_data="0|0|human||0|0"
+ if [ -f "$TEMP_DIR/ip_data" ]; then
+ current_data=$(grep "^${ip}=" "$TEMP_DIR/ip_data" 2>/dev/null | cut -d= -f2 || echo "0|0|human||0|0")
+ fi
+ IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
+
 # Dynamic threshold based on attack severity + momentum:
 # CRITICAL FIX: Changed Tier 0 threshold from 20 to 3
 # Bug: Tier 0 (< 75 total SYN) had threshold=20, preventing detection of distributed attacks
@@ -2644,16 +2652,8 @@ monitor_network_attacks() {
 if [ -z "${ALERT_SENT[$ip]}" ]; then
 ALERT_SENT[$ip]=1
- # Load IP reputation from PERSISTENT central database (ip_data)
- # This preserves hits across monitor restarts for historical tracking
- local current_data="0|0|human||0|0"
- if [ -f "$TEMP_DIR/ip_data" ]; then
- # Extract this IP's data from central database
- current_data=$(grep "^${ip}=" "$TEMP_DIR/ip_data" 2>/dev/null | cut -d= -f2 || echo "0|0|human||0|0")
- fi
- IFS='|' read -r score hits bot_type attacks ban_count rep_score <<< "$current_data"
-
- # Increment hits (persistent across monitor restarts)
+ # Data already loaded earlier (before threshold calculation)
+ # Just increment hits (persistent across monitor restarts)
 # This is the total lifetime detection count for this IP
 hits=$((hits + 1))
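Review bot: The `|| echo "0|0|human||0|0"` fallback on the new `current_data=$(grep "^${ip}=" … | cut -d= -f2 || …)` line never fires for an IP that is not yet in `ip_data`, because the pipeline's status is `cut`'s (0 even on empty input) unless the script sets `pipefail`, so `current_data` is the empty string and `read` leaves `score`, `hits`, `bot_type`, `attacks`, `ban_count` and `rep_score` all empty rather than at the documented defaults. This is exactly the path the commit moved ahead of the threshold calculation, so a first-seen IP reaches that code with `hits=""`; inside `$(( ))` that reads as 0, but a `[ "$hits" -ge N ]` style test in the (not visible) threshold code would error out and evaluate false. Apply the default after the pipeline instead: `current_data=$(grep -m1 "^${ip}=" "$TEMP_DIR/ip_data" 2>/dev/null | cut -d= -f2-)` followed by `: "${current_data:=0|0|human||0|0}"`, where `-m1` pins the lookup to one record if the file ever holds duplicate keys and `-f2-` preserves any `=` inside the value. Separately, `$ip` is interpolated into a basic regex, so `.` matches any character and any bracketed or otherwise non-dotted-quad form of the address would alter or break the pattern; an exact-key lookup such as `awk -F= -v ip="$ip" '$1 == ip { sub(/^[^=]*=/, ""); print; exit }'` avoids both problems. The enclosing `monitor_network_attacks` function begins and ends outside this hunk.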