diff --git a/lib/attack-patterns.sh b/lib/attack-patterns.sh
index 0d63c57..05000d8 100644
--- a/lib/attack-patterns.sh
+++ b/lib/attack-patterns.sh
@@ -10,6 +10,29 @@
 # Cache hostname to avoid subprocess on every open redirect check
 CACHED_HOSTNAME="${HOSTNAME:-$(hostname 2>/dev/null || echo "unknown")}"
+# IP Address Validation
+# Returns: 0 (valid) or 1 (invalid)
+is_valid_ip() {
+ local ip="$1"
+
+ # IPv4 validation
+ if [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
+ local IFS='.'
+ local -a octets=($ip)
+ for octet in "${octets[@]}"; do
+ [ "$octet" -gt 255 ] && return 1
+ done
+ return 0
+ fi
+
+ # IPv6 validation (basic)
+ if [[ "$ip" =~ ^([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}$ ]]; then
+ return 0
+ fi
+
+ return 1
+}
+
 # SQL Injection Detection
 # Returns: 0 (true) if SQL injection detected, 1 (false) if not
 detect_sql_injection() {
@@ -732,6 +755,7 @@ get_attack_color() {
 esac
 }
+export -f is_valid_ip
 export -f detect_sql_injection
 export -f detect_xss
 export -f detect_path_traversal
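Review bot: The IPv6 branch of `is_valid_ip` accepts strings that are not addresses, for example `:::` or `1::2::3`, because the pattern only counts colon-separated groups and never checks that `::` appears at most once; it also rejects IPv4-mapped forms such as `::ffff:192.0.2.1`. The IPv4 branch accepts zero-padded octets like `010.0.0.1`, which some address parsers read as octal, so if the result gates an allow/deny decision or is handed to another tool (the callers are not visible in this diff) the string that passed validation and the address actually used may differ. I would either reject padding inside the loop with `[[ "$octet" =~ ^(0|[1-9][0-9]*)$ ]] || return 1`, or state the weaker contract in the header comment, e.g. `# Syntax check only: restricts input to digits/hex, dots and colons; not a canonical-address check`. Separately, `octet` is never declared local and leaks into the caller's scope once the library is sourced; `local octet` next to `local ip` fixes that.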