diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 85b7bf4..de3ec5b 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2585,8 +2585,12 @@ monitor_network_attacks() {
 continue
 fi
- # Track connection count for this IP
- CONNECTION_COUNT[$ip]=$count
+ # CRITICAL FIX: Don't update CONNECTION_COUNT here yet
+ # Bug: Previously updated array BEFORE using it for escalation detection
+ # Result: prev_count would equal current count (both just set), escalation detection always false
+ # Fix: Read previous value first (line 2876), then update after scoring (line 2886+)
+ # Save old value before updating - needed for escalation detection
+ local prev_count="${CONNECTION_COUNT[$ip]:-0}"
 # Load IP's persistent data FIRST (before threshold calculation)
 # This gets the current lifetime hits count from ip_data
@@ -2875,7 +2879,7 @@ monitor_network_attacks() {
 # Connection escalation detection
 # Check if connection count is increasing (more aggressive attack)
- local prev_count="${CONNECTION_COUNT[$ip]:-0}"
+ # prev_count was loaded at line 2590 (BEFORE updating CONNECTION_COUNT)
 if [ "$count" -gt "$prev_count" ] && [ "$prev_count" -gt 0 ]; then
 local increase=$((count - prev_count))
 if [ "$increase" -ge 50 ]; then
@@ -2885,6 +2889,10 @@ monitor_network_attacks() {
 fi
 fi
+ # NOW update CONNECTION_COUNT after escalation detection
+ # Store current count for next monitoring cycle comparison
+ CONNECTION_COUNT[$ip]=$count
+
 # Add HTTP attack pre-boost
 conn_bonus=$((conn_bonus + http_attack_bonus))
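Review bot: The comment block added above `local prev_count=...` in the first hunk cites "line 2876" and "line 2886+", and the replacement comment in the second hunk cites "line 2590"; none of these match the positions given by the hunk headers, and they will drift with every edit made above them. Refer to the code by what it is instead, for example `# Snapshot last cycle's count; compared under "Connection escalation detection", written back right after it` here, and `# prev_count: snapshot taken near the top of this iteration, before CONNECTION_COUNT is rewritten` in the second hunk. The account of what used to go wrong belongs in the commit message rather than in four permanent comment lines. monitor_network_attacks starts and ends outside the hunk.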
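Review bot: Moving `CONNECTION_COUNT[$ip]=$count` down to this spot in the third hunk means the baseline is stored only for iterations that actually reach it; roughly 300 lines of loop body now sit between the `prev_count` snapshot in the first hunk and this write, and they are outside the diff. If any path in between leaves the iteration early (the loop already uses `continue`, as the first hunk's context shows), the stored value stays at an older cycle's count, so the next comparison can report an increase of 50 or more that did not happen within one cycle, or miss a real one. The ordering bug can be fixed without that distance by leaving the write where it was and taking the snapshot on the line directly before it: `local prev_count="${CONNECTION_COUNT[$ip]:-0}"` followed by `CONNECTION_COUNT[$ip]=$count`. monitor_network_attacks starts and ends outside the hunk, so the early-exit paths need to be confirmed against the full function.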