CRITICAL FIX: Adaptive threshold based on repeated detection history
Implement time-based learning: IPs detected multiple times with SYN activity should have lower thresholds on subsequent detections.

Logic:
- First detection (hits=1): threshold as configured
- Second detection (hits=2): threshold -= 1 (easier to detect again)
- Third+ detection (hits=3+): threshold -= 2 (very suspicious if pattern repeats)

This catches persistent attackers that probe at low levels repeatedly.

Previous behavior: reset tracking after each scan, preventing pattern recognition.
New behavior: track hits across scans, recognize repeat offenders.

Example: IP with 4 connections detected twice
- First time: threshold=3, count=4 > 3 → detected ✓
- Second time: threshold=3-1=2, count=4 > 2 → detected again ✓
- Third time: threshold=3-2=1, count=4 > 1 → caught even at 2 connections ✓

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
@@ -2619,6 +2619,17 @@ monitor_network_attacks() {
# Minimum threshold of 3 to prevent false positives on busy web servers
[ "$threshold" -lt 3 ] && threshold=3
# CRITICAL FIX: Adaptive threshold based on detection history
# An IP detected multiple times with SYN activity is more likely an attacker
# Lower threshold for repeat offenders to catch persistent attacks
if [ "${hits:-0}" -ge 3 ]; then
threshold=$((threshold - 2)) # Seen 3+ times: lower threshold significantly
[ "$threshold" -lt 1 ] && threshold=1
elif [ "${hits:-0}" -ge 2 ]; then
threshold=$((threshold - 1)) # Seen 2 times: lower threshold slightly
[ "$threshold" -lt 2 ] && threshold=2
fi
if [ "$count" -gt "$threshold" ]; then
# Only process once per detection window
if [ -z "${ALERT_SENT[$ip]}" ]; then
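Review bot: the `hits` counter that the new `if [ "${hits:-0}" -ge 3 ]` / `elif` branch keys on is neither set nor loaded anywhere in this hunk, and the `:-0` default means that if the caller never populates it per IP the adaptive path silently never fires; please show where `hits` is read and persisted across scans, and either drop the default or log when the value is missing so a broken lookup is noticed. Two smaller points: since `[ "$threshold" -lt 3 ] && threshold=3` already runs just above, `threshold - 2` is always at least 1 and `threshold - 1` at least 2, so the two `-lt` clamps after the decrements are dead code, and the earlier comment "Minimum threshold of 3 to prevent false positives on busy web servers" no longer holds once a repeat offender trips at `count > 1`. Finally, the commit message promises "time-based learning", but nothing here ages or decays `hits`, so a legitimate NAT or proxy source that crosses the floor once ratchets down to threshold 1 on every later scan; consider a decay window for `hits` or a cap on how far the threshold may drop below the configured floor.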