diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index d148a20..9a5b88d 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2478,6 +2478,61 @@ monitor_network_attacks() { conn_bonus=$((conn_bonus + 8)) # Accelerating fi + # SYN FLOOD SPECIFIC INTELLIGENCE METRICS + + # 1. Pure SYN attacker (no ESTABLISHED connections) + # Legitimate users always have some established connections + # Pure SYN = 100% attack traffic + if [ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ]; then + conn_bonus=$((conn_bonus + 20)) # Pure SYN flood, no legitimate traffic + fi + + # 2. SYN/ESTABLISHED ratio detection + # Normal: More ESTABLISHED than SYN_RECV + # Attacker: More SYN_RECV than ESTABLISHED (or 0 established) + if [ "$established_conns" -gt 0 ]; then + # Calculate ratio (multiply by 10 for integer math) + local ratio=$((count * 10 / established_conns)) + if [ "$ratio" -ge 30 ]; then + conn_bonus=$((conn_bonus + 15)) # 3:1 ratio = suspicious + elif [ "$ratio" -ge 20 ]; then + conn_bonus=$((conn_bonus + 10)) # 2:1 ratio = questionable + fi + fi + + # 3. Connection persistence without completion + # Check if IP has been seen before with SYN but never completed + if [ "${hits:-0}" -ge 2 ] && [ "$established_conns" -eq 0 ]; then + conn_bonus=$((conn_bonus + 15)) # Repeated SYN, never establishes = bot + fi + + # 4. Spoofed source detection (high SYN, low other traffic) + # Check if IP has ANY other traffic (HTTP requests, DNS, etc) + local has_other_traffic=0 + if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then + local ip_attacks=$(grep -oP 'attacks=\K[^|]+' "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "") + # If has HTTP attacks, not spoofed + if [[ "$ip_attacks" =~ (SQLI|XSS|BRUTE|SCAN) ]]; then + has_other_traffic=1 + fi + fi + + # High SYN but no other traffic = likely spoofed source + if [ "$has_other_traffic" -eq 0 ] && [ "$count" -ge 10 ] && [ "${hits:-0}" -ge 2 ]; then + conn_bonus=$((conn_bonus + 20)) # Spoofed source IP + fi + + # 5. 
Single-target focus detection + # Botnet usually targets one service/port + # Check if connections are all to same port (80/443) + local target_ports=$(ss -tn state syn-recv src "$ip" 2>/dev/null | grep -oP ':\d+\s+' | sort -u | wc -l) + [ -z "$target_ports" ] && target_ports=0 + if [ "$target_ports" -eq 1 ] && [ "$count" -ge 8 ]; then + conn_bonus=$((conn_bonus + 10)) # Single port = targeted attack + elif [ "$target_ports" -le 2 ] && [ "$count" -ge 15 ]; then + conn_bonus=$((conn_bonus + 5)) # 1-2 ports = focused attack + fi + # Multi-vector attack detection: Check if IP also has HTTP attacks # This indicates sophisticated attacker (SYN flood + application layer) local multi_vector=0 @@ -2601,7 +2656,13 @@ monitor_network_attacks() { [ "$geo_bonus" -ge 15 ] && intel_tags="${intel_tags}HOSTILE-ASN " [ "$geo_bonus" -ge 10 ] && [ "$geo_bonus" -lt 15 ] && intel_tags="${intel_tags}HOSTILE-GEO " - echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events" + # SYN-specific intelligence tags + [ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ] && intel_tags="${intel_tags}PURE-SYN " + [ "${ratio:-0}" -ge 30 ] && intel_tags="${intel_tags}BAD-RATIO " + [ "$has_other_traffic" -eq 0 ] && [ "$count" -ge 10 ] && intel_tags="${intel_tags}SPOOFED " + [ "${target_ports:-0}" -eq 1 ] && [ "$count" -ge 8 ] && intel_tags="${intel_tags}TARGETED " + + echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count Est:$established_conns | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events" fi else # Reset alert if connections drop below threshold diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh index d148a20..9a5b88d 100755 --- a/modules/security/live-attack-monitor.sh +++ b/modules/security/live-attack-monitor.sh 
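Review bot: In criterion 5, `target_ports` is 0 whenever `ss` fails or lists nothing (stderr is discarded and `wc -l` still prints 0), and the `elif [ "$target_ports" -le 2 ]` branch then adds the focused-attack bonus with no port evidence at all; make the lower bound explicit, `elif [ "$target_ports" -ge 1 ] && [ "$target_ports" -le 2 ] && [ "$count" -ge 15 ]; then`. For the same reason the `[ -z "$target_ports" ]` guard on the line before never fires, so a missing `ss` binary is indistinguishable from a genuine count of zero; checking `command -v ss` or `${PIPESTATUS[0]}` before trusting the number would separate the two. In criterion 2, `ratio` is declared with `local` only inside the `established_conns -gt 0` branch, and since `local` is function-scoped and monitor_network_attacks() begins and ends outside this hunk, if this block runs once per IP inside a loop the previous IP's ratio survives into the `${ratio:-0}` tag check in the hunk at 2656 — initialise `local ratio=0` ahead of the `if`. Criteria 1, 3 and 4 all key on the same observation (no ESTABLISHED connection / no other traffic), so an IP with 10 SYNs and two hits collects +55 for a single piece of evidence; a comment stating that the stacking is intended, or a cap, would help the next reader. The identical hunk in live-attack-monitor.sh has the same points.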
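Review bot: The SPOOFED tag on the third added line fires on `has_other_traffic -eq 0` and `count -ge 10` alone, whereas the bonus in the 2478 hunk additionally requires `${hits:-0} -ge 2`, so an event can carry the SPOOFED tag without having been scored as spoofed; align it with the scoring condition, `[ "$has_other_traffic" -eq 0 ] && [ "$count" -ge 10 ] && [ "${hits:-0}" -ge 2 ] && intel_tags="${intel_tags}SPOOFED "`. `$has_other_traffic` is the only one of the four new tag inputs read without a `:-0` default, so if any path reaches this output line without having executed the 2478 block it expands to the empty string and `[ "" -eq 0 ]` is a test error; `${has_other_traffic:-0}` matches its neighbours. monitor_network_attacks() begins and ends outside this hunk, so whether such a path exists cannot be confirmed here. The matching hunk in live-attack-monitor.sh needs the same change.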
@@ -2478,6 +2478,61 @@ monitor_network_attacks() { conn_bonus=$((conn_bonus + 8)) # Accelerating fi + # SYN FLOOD SPECIFIC INTELLIGENCE METRICS + + # 1. Pure SYN attacker (no ESTABLISHED connections) + # Legitimate users always have some established connections + # Pure SYN = 100% attack traffic + if [ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ]; then + conn_bonus=$((conn_bonus + 20)) # Pure SYN flood, no legitimate traffic + fi + + # 2. SYN/ESTABLISHED ratio detection + # Normal: More ESTABLISHED than SYN_RECV + # Attacker: More SYN_RECV than ESTABLISHED (or 0 established) + if [ "$established_conns" -gt 0 ]; then + # Calculate ratio (multiply by 10 for integer math) + local ratio=$((count * 10 / established_conns)) + if [ "$ratio" -ge 30 ]; then + conn_bonus=$((conn_bonus + 15)) # 3:1 ratio = suspicious + elif [ "$ratio" -ge 20 ]; then + conn_bonus=$((conn_bonus + 10)) # 2:1 ratio = questionable + fi + fi + + # 3. Connection persistence without completion + # Check if IP has been seen before with SYN but never completed + if [ "${hits:-0}" -ge 2 ] && [ "$established_conns" -eq 0 ]; then + conn_bonus=$((conn_bonus + 15)) # Repeated SYN, never establishes = bot + fi + + # 4. Spoofed source detection (high SYN, low other traffic) + # Check if IP has ANY other traffic (HTTP requests, DNS, etc) + local has_other_traffic=0 + if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then + local ip_attacks=$(grep -oP 'attacks=\K[^|]+' "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "") + # If has HTTP attacks, not spoofed + if [[ "$ip_attacks" =~ (SQLI|XSS|BRUTE|SCAN) ]]; then + has_other_traffic=1 + fi + fi + + # High SYN but no other traffic = likely spoofed source + if [ "$has_other_traffic" -eq 0 ] && [ "$count" -ge 10 ] && [ "${hits:-0}" -ge 2 ]; then + conn_bonus=$((conn_bonus + 20)) # Spoofed source IP + fi + + # 5. 
Single-target focus detection + # Botnet usually targets one service/port + # Check if connections are all to same port (80/443) + local target_ports=$(ss -tn state syn-recv src "$ip" 2>/dev/null | grep -oP ':\d+\s+' | sort -u | wc -l) + [ -z "$target_ports" ] && target_ports=0 + if [ "$target_ports" -eq 1 ] && [ "$count" -ge 8 ]; then + conn_bonus=$((conn_bonus + 10)) # Single port = targeted attack + elif [ "$target_ports" -le 2 ] && [ "$count" -ge 15 ]; then + conn_bonus=$((conn_bonus + 5)) # 1-2 ports = focused attack + fi + # Multi-vector attack detection: Check if IP also has HTTP attacks # This indicates sophisticated attacker (SYN flood + application layer) local multi_vector=0 @@ -2601,7 +2656,13 @@ monitor_network_attacks() { [ "$geo_bonus" -ge 15 ] && intel_tags="${intel_tags}HOSTILE-ASN " [ "$geo_bonus" -ge 10 ] && [ "$geo_bonus" -lt 15 ] && intel_tags="${intel_tags}HOSTILE-GEO " - echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events" + # SYN-specific intelligence tags + [ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ] && intel_tags="${intel_tags}PURE-SYN " + [ "${ratio:-0}" -ge 30 ] && intel_tags="${intel_tags}BAD-RATIO " + [ "$has_other_traffic" -eq 0 ] && [ "$count" -ge 10 ] && intel_tags="${intel_tags}SPOOFED " + [ "${target_ports:-0}" -eq 1 ] && [ "$count" -ge 8 ] && intel_tags="${intel_tags}TARGETED " + + echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count Est:$established_conns | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events" fi else # Reset alert if connections drop below threshold