diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index b20bdf1..9c0cc49 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2488,7 +2488,12 @@ monitor_network_attacks() {
 fi
 # Get total SYN_RECV count from cache
- local total_syn=$(echo "$ss_cache" | wc -l)
+ # CRITICAL FIX: Subtract 1 to exclude header line "Recv-Q Send-Q Local Address:Port Peer Address:Port"
+ # Bug: wc -l was counting header + data lines, causing false severity = 0 when connections < 75
+ # Result: 40 real connections + header = 41 lines, 41 < 75, so severity stays 0, threshold stays 20
+ # Fix: Skip the first line (header) to get accurate connection count
+ local total_syn=$(($(echo "$ss_cache" | wc -l) - 1))
+ [ "$total_syn" -lt 0 ] && total_syn=0 # Handle case where ss_cache is empty/only header
 local attack_severity=0
 local unique_ips=0
@@ -2582,12 +2587,17 @@ monitor_network_attacks() {
 CONNECTION_COUNT[$ip]=$count
 # Dynamic threshold based on attack severity + momentum:
- # Tier 0: >20 connections (normal, focused attack)
+ # CRITICAL FIX: Changed Tier 0 threshold from 20 to 5
+ # Bug: Tier 0 (< 75 total SYN) had threshold=20, preventing detection of distributed attacks
+ # With 8-41 total connections spread across IPs, no single IP reaches 20, so ZERO detection
+ # Fix: Lower Tier 0 to 5 to detect suspicious activity even in small-scale attacks
+ # This matches Tier 4 minimum of 3 connections for true attacks
+ # Tier 0: >5 connections (low-level activity, may be distributed)
 # Tier 1: >10 connections (75-150 total, moderate DDoS)
 # Tier 2: >6 connections (150-300 total, major DDoS)
 # Tier 3: >4 connections (300-500 total, severe DDoS)
 # Tier 4: >3 connections (500+ total, CRITICAL DDoS)
- local threshold=20
+ local threshold=5
 case "$attack_severity" in
 4) threshold=3 ;; # Critical: Very aggressive (safe for production)
 3) threshold=4 ;; # Severe: Aggressive
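Review bot: The new `total_syn` line hard-codes the assumption that `$ss_cache` always carries exactly one header line at position one, but the cache is built outside this hunk, so a later change to that producer (an `ss -H`, or a `grep`/`awk` filter that already strips the header) would silently undercount by one real connection, and the clamp on the next line would only hide that at zero. Counting by shape instead of by position keeps the number right either way and also ignores blank lines, assuming the header text the comment quotes: `total_syn=$(printf '%s\n' "$ss_cache" | grep -Evc '^(Recv-Q|[[:space:]]*$)' || true)`. Note that `echo "$ss_cache" | wc -l` is never below 1 (echo always emits a newline, so an empty cache already yields 1 - 1 = 0), so the `-lt 0` guard cannot fire; its trailing comment should say it is purely defensive rather than claim to handle the empty-cache case. monitor_network_attacks() starts before this hunk and continues after it.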
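Review bot: Lowering Tier 0 to 5 makes the per-IP threshold non-monotonic across severities: per the Tier 1 comment a moderate flood (75-150 total SYN_RECV) still requires more than 10 connections from one source, so an IP holding 7 half-open connections is flagged in quiet conditions but not during a moderate attack, the opposite of the "higher severity, more aggressive" ordering the tier table describes. Either cap Tier 1 at or below the new Tier 0 value (its `case` arm is past the end of this hunk, e.g. `1) threshold=5 ;;`) or keep Tier 0 above Tier 1. Separately, 5 half-open connections from one address is within reach of a single legitimate client behind NAT or on a lossy link, and SYN_RECV source addresses are trivially spoofable, so whatever action fires on this threshold (not visible here) should be rate-limited or allow-listed to avoid attacker-induced lockout of real users. Making the default overridable, `local threshold="${TIER0_THRESHOLD:-5}"`, gives operators a rollback without a code change; the `case` continues past the hunk and monitor_network_attacks() starts before it.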