From 3946a84e58b5d65969384bcf097c878560e7b8d0 Mon Sep 17 00:00:00 2001
From: cschantz <admin@server.local>
Date: Fri, 6 Mar 2026 23:01:07 -0500
Subject: [PATCH] CRITICAL FIX: Adaptive threshold based on repeated detection
 history
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Implement time-based learning: IPs detected multiple times with SYN activity
should have lower thresholds on subsequent detections.

Logic:
- First detection (hits=1): threshold as configured
- Second detection (hits=2): threshold -= 1 (easier to detect again)
- Third+ detection (hits=3+): threshold -= 2 (very suspicious if pattern repeats)

This catches persistent attackers that probe at low levels repeatedly.
Previous behavior: reset tracking after each scan, preventing pattern recognition.
New behavior: track hits across scans, recognize repeat offenders.

Example: IP with 4 connections detected twice
- First time: threshold=3, count=4 > 3 → detected ✓
- Second time: threshold=3-1=2, count=4 > 2 → detected again ✓
- Third time: threshold=3-2=1, count=4 > 1 → caught even at 2 connections ✓

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
---
 modules/security/live-attack-monitor-v2.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 699ed37..72c04c1 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2619,6 +2619,17 @@ monitor_network_attacks() {
                         # Minimum threshold of 3 to prevent false positives on busy web servers
                         [ "$threshold" -lt 3 ] && threshold=3
 
+                        # CRITICAL FIX: Adaptive threshold based on detection history
+                        # An IP detected multiple times with SYN activity is more likely an attacker
+                        # Lower threshold for repeat offenders to catch persistent attacks
+                        if [ "${hits:-0}" -ge 3 ]; then
+                            threshold=$((threshold - 2))  # Seen 3+ times: lower threshold significantly
+                            [ "$threshold" -lt 1 ] && threshold=1
+                        elif [ "${hits:-0}" -ge 2 ]; then
+                            threshold=$((threshold - 1))  # Seen 2 times: lower threshold slightly
+                            [ "$threshold" -lt 2 ] && threshold=2
+                        fi
+
                         if [ "$count" -gt "$threshold" ]; then
                             # Only process once per detection window
                             if [ -z "${ALERT_SENT[$ip]}" ]; then