From 44c3e9370ce8a92f2280554d1437655e16184cb3 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Fri, 14 Nov 2025 16:48:44 -0500
Subject: [PATCH] Integrate advanced intelligence into Email, FTP, and Database monitoring

Extended all 10 intelligence systems to cover all authentication attack vectors: Email (SMTP/IMAP/POP3) Monitoring: - Vector tracking: EMAIL - Full intelligence integration (velocity, diversity, patterns, subnet, context) - Progressive scoring: 10 + 8n per attempt - Advanced bonuses can add 50-100+ points for sophisticated attacks FTP Monitoring: - Vector tracking: FTP - Full intelligence integration - Same progressive scoring and bonuses as SSH/Email - Detects coordinated multi-service attacks Database (MySQL) Monitoring: - Vector tracking: DATABASE - Full intelligence integration - Higher base scoring: 15 + 12n per attempt (database = critical) - Bonuses applied on top Cross-Vector Detection Example: IP attacks SSH (3 attempts) + Email (2 attempts) + FTP (1 attempt) = 6 total - Base: 58 points - Diversity bonus: +10 (DUAL_VECTOR) or +25 (3 vectors) - Velocity bonus: +20 (if rapid) - Pattern bonus: +20 (if automated) - Subnet bonus: +25 (if part of botnet) - Context bonus: +18 (night + residential ISP) - TOTAL: Can reach 100+ (capped) very quickly All monitoring sources now share same intelligence and contribute to unified threat assessment
---
 modules/security/live-attack-monitor.sh | 147 ++++++++++++++++++++++++
 1 file changed, 147 insertions(+)
diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 4e56b27..fcee20f 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -1527,6 +1527,11 @@ monitor_email_attacks() { hits=$((hits + 1)) + # Record timestamp and vector for intelligence + record_attack_timestamp "$ip" + record_attack_vector "$ip" "EMAIL" + track_subnet_attack "$ip" + # Add BRUTEFORCE to attacks if [[ ! "$attacks" =~ BRUTEFORCE ]]; then [ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE" 
@@ -1538,10 +1543,54 @@ monitor_email_attacks() { else score=$((score + 8)) fi + + # Apply advanced intelligence bonuses + local block_reasons="" + local velocity_data=$(calculate_attack_velocity "$ip") + IFS='|' read -r vel_count vel_bonus vel_reason <<< "$velocity_data" + [ "$vel_bonus" -gt 0 ] && score=$((score + vel_bonus)) && block_reasons="${vel_reason}" + + local div_data=$(calculate_diversity_bonus "$ip") + IFS='|' read -r div_count div_bonus div_reason <<< "$div_data" + if [ "$div_bonus" -gt 0 ]; then + score=$((score + div_bonus)) + [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons="" + block_reasons="${block_reasons}${div_reason}" + fi + + local pattern_data=$(detect_timing_pattern "$ip") + IFS='|' read -r pat_type pat_conf pat_bonus pat_reason <<< "$pattern_data" + if [ "$pat_bonus" -gt 0 ]; then + score=$((score + pat_bonus)) + [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons="" + block_reasons="${block_reasons}${pat_reason}" + fi + + local subnet_data=$(calculate_subnet_bonus "$ip") + IFS='|' read -r subnet_count subnet_bonus subnet_reason <<< "$subnet_data" + if [ "$subnet_bonus" -gt 0 ]; then + score=$((score + subnet_bonus)) + [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons="" + block_reasons="${block_reasons}${subnet_reason}" + fi + + local context_data=$(calculate_context_bonus "$ip") + IFS='|' read -r context_bonus context_reason <<< "$context_data" + if [ "$context_bonus" -gt 0 ]; then + score=$((score + context_bonus)) + [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons="" + block_reasons="${block_reasons}${context_reason}" + fi + [ $score -gt 100 ] && score=100 IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" + # Store block reasons for CSF + if [ -n "$block_reasons" ]; then + echo "$block_reasons" > "$TEMP_DIR/block_reason_${ip//\./_}" + fi + # Log to reputation DB flag_ip_attack "$ip" "BRUTEFORCE" 0 "Email 
authentication failure" >/dev/null 2>&1 & @@ -1585,6 +1634,11 @@ monitor_ftp_attacks() { hits=$((hits + 1)) + # Record timestamp and vector for intelligence + record_attack_timestamp "$ip" + record_attack_vector "$ip" "FTP" + track_subnet_attack "$ip" + # Add BRUTEFORCE to attacks if [[ ! "$attacks" =~ BRUTEFORCE ]]; then [ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE" 
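Review bot: The bonus block inserted after the `score=$((score + 8))`/`fi` context is a verbatim copy in monitor_email_attacks here and again in the FTP (`@@ -1596`) and database (`@@ -1656`) hunks, and in every copy `[ "$div_bonus" -gt 0 ]` and its siblings print `integer expression expected` and silently drop the bonus whenever a calculator yields an empty or non-numeric field, which `local velocity_data=$(calculate_attack_velocity "$ip")` makes harder to notice because the `local` hides the helper's exit status. A small helper that validates the field and does the score/reason bookkeeping (sketched below; it relies on bash's dynamic scoping to update the caller's `score` and `block_reasons`) would cut each copy to about a dozen lines and give one place to handle malformed output. The `echo "$block_reasons" > "$TEMP_DIR/block_reason_${ip//\./_}"` line only rewrites dots, so it is only safe if `$ip` was already validated as an address where it is parsed from the log (outside this hunk); `"${TEMP_DIR:?}/block_reason_…"` and `printf '%s\n'` would harden it either way. Because each monitor writes the same per-IP file, the last vector processed overwrites the others' reasons, which looks intended but deserves a comment. The enclosing function starts and ends outside the hunk.
```shell
#######################################
# Add one calculator bonus to the caller's score and block_reasons.
# Relies on bash dynamic scoping: the caller's 'score' and
# 'block_reasons' variables are updated in place.
# Arguments: $1 - bonus (positive integer; anything else is ignored)
#            $2 - reason text appended to block_reasons
#######################################
apply_bonus() {
  local bonus=$1 reason=$2
  [[ "$bonus" =~ ^[1-9][0-9]*$ ]] || return 0
  score=$((score + bonus))
  block_reasons="${block_reasons:+${block_reasons}+}${reason}"
}

# … inside monitor_email_attacks, in place of the five pasted blocks …
local block_reasons="" velocity_data div_data pattern_data subnet_data context_data
velocity_data=$(calculate_attack_velocity "$ip") || velocity_data=""
IFS='|' read -r vel_count vel_bonus vel_reason <<< "$velocity_data"
apply_bonus "$vel_bonus" "$vel_reason"
div_data=$(calculate_diversity_bonus "$ip") || div_data=""
IFS='|' read -r div_count div_bonus div_reason <<< "$div_data"
apply_bonus "$div_bonus" "$div_reason"
# … same three lines for detect_timing_pattern (bonus is field 3), calculate_subnet_bonus and calculate_context_bonus (bonus is field 1) …
[ $score -gt 100 ] && score=100
```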
@@ -1596,10 +1650,54 @@ monitor_ftp_attacks() { else score=$((score + 8)) fi + + # Apply advanced intelligence bonuses + local block_reasons="" + local velocity_data=$(calculate_attack_velocity "$ip") + IFS='|' read -r vel_count vel_bonus vel_reason <<< "$velocity_data" + [ "$vel_bonus" -gt 0 ] && score=$((score + vel_bonus)) && block_reasons="${vel_reason}" + + local div_data=$(calculate_diversity_bonus "$ip") + IFS='|' read -r div_count div_bonus div_reason <<< "$div_data" + if [ "$div_bonus" -gt 0 ]; then + score=$((score + div_bonus)) + [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons="" + block_reasons="${block_reasons}${div_reason}" + fi + + local pattern_data=$(detect_timing_pattern "$ip") + IFS='|' read -r pat_type pat_conf pat_bonus pat_reason <<< "$pattern_data" + if [ "$pat_bonus" -gt 0 ]; then + score=$((score + pat_bonus)) + [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons="" + block_reasons="${block_reasons}${pat_reason}" + fi + + local subnet_data=$(calculate_subnet_bonus "$ip") + IFS='|' read -r subnet_count subnet_bonus subnet_reason <<< "$subnet_data" + if [ "$subnet_bonus" -gt 0 ]; then + score=$((score + subnet_bonus)) + [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons="" + block_reasons="${block_reasons}${subnet_reason}" + fi + + local context_data=$(calculate_context_bonus "$ip") + IFS='|' read -r context_bonus context_reason <<< "$context_data" + if [ "$context_bonus" -gt 0 ]; then + score=$((score + context_bonus)) + [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons="" + block_reasons="${block_reasons}${context_reason}" + fi + [ $score -gt 100 ] && score=100 IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" + # Store block reasons for CSF + if [ -n "$block_reasons" ]; then + echo "$block_reasons" > "$TEMP_DIR/block_reason_${ip//\./_}" + fi + # Log to reputation DB flag_ip_attack "$ip" "BRUTEFORCE" 0 "FTP login 
failure" >/dev/null 2>&1 & @@ -1643,6 +1741,11 @@ monitor_database_attacks() { hits=$((hits + 1)) + # Record timestamp and vector for intelligence + record_attack_timestamp "$ip" + record_attack_vector "$ip" "DATABASE" + track_subnet_attack "$ip" + # Add SQL_INJECTION to attacks local is_new_attack=0 if [[ ! "$attacks" =~ SQL_INJECTION ]]; then 
@@ -1656,10 +1759,54 @@ monitor_database_attacks() { else score=$((score + 12)) fi + + # Apply advanced intelligence bonuses + local block_reasons="" + local velocity_data=$(calculate_attack_velocity "$ip") + IFS='|' read -r vel_count vel_bonus vel_reason <<< "$velocity_data" + [ "$vel_bonus" -gt 0 ] && score=$((score + vel_bonus)) && block_reasons="${vel_reason}" + + local div_data=$(calculate_diversity_bonus "$ip") + IFS='|' read -r div_count div_bonus div_reason <<< "$div_data" + if [ "$div_bonus" -gt 0 ]; then + score=$((score + div_bonus)) + [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons="" + block_reasons="${block_reasons}${div_reason}" + fi + + local pattern_data=$(detect_timing_pattern "$ip") + IFS='|' read -r pat_type pat_conf pat_bonus pat_reason <<< "$pattern_data" + if [ "$pat_bonus" -gt 0 ]; then + score=$((score + pat_bonus)) + [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons="" + block_reasons="${block_reasons}${pat_reason}" + fi + + local subnet_data=$(calculate_subnet_bonus "$ip") + IFS='|' read -r subnet_count subnet_bonus subnet_reason <<< "$subnet_data" + if [ "$subnet_bonus" -gt 0 ]; then + score=$((score + subnet_bonus)) + [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons="" + block_reasons="${block_reasons}${subnet_reason}" + fi + + local context_data=$(calculate_context_bonus "$ip") + IFS='|' read -r context_bonus context_reason <<< "$context_data" + if [ "$context_bonus" -gt 0 ]; then + score=$((score + context_bonus)) + [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons="" + block_reasons="${block_reasons}${context_reason}" + fi + [ $score -gt 100 ] && score=100 IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score" + # Store block reasons for CSF + if [ -n "$block_reasons" ]; then + echo "$block_reasons" > "$TEMP_DIR/block_reason_${ip//\./_}" + fi + # Log to reputation DB flag_ip_attack "$ip" "SQL_INJECTION" 0 
"MySQL authentication failure" >/dev/null 2>&1 &