From 59f634fb1ae42e663ac5ad078ef9a3e94c6ae59f Mon Sep 17 00:00:00 2001
From: cschantz
Date: Sat, 13 Dec 2025 02:21:28 -0500
Subject: [PATCH] Add IP reputation tracking for ET Open detections + historical analyzer to menu
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

IP Reputation Tracking:
- ET attack scores now properly boost IP threat scores
- When ET detects attack (score 85-100), adds to IP's cumulative score
- Example: IP at score 50 + ET attack 95 = total 100 (capped)
- Tracks across multiple requests from same IP
- Higher scores = faster blocking/banning

How it works:
1. ET detection runs: analyze_http_log_line() returns score
2. Score added to IP's existing threat score in IP_DATA array
3. Display shows boosted score
4. Auto-block triggers at combined score ≥90

Menu Integration:
- Added option 15 to Security menu
- 🛡️ Historical Attack Analysis - Scan past logs for attacks (ET Open)
- Launches: tools/analyze-historical-attacks.sh
- Features:
- Scan last 7/30/custom days
- Analyze specific log files
- Generate comprehensive reports
- Top attackers, signatures, attack types
- Supports compressed logs (gzip, bzip2)

Testing:
✅ Syntax validated
✅ Tracking logic verified (50 + 95 = 100)
✅ Menu navigation works
✅ Historical analyzer accessible

Now when IPs attack repeatedly:
- First attack: Score increases by attack severity
- Subsequent attacks: Scores accumulate
- Persistent attackers: Reach blocking threshold faster
- Dashboard shows current cumulative score
---
launcher.sh | 5 +++++
modules/security/live-attack-monitor.sh | 13 ++++++++++++-
2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/launcher.sh b/launcher.sh
index 396fb2c..82910ad 100755
--- a/launcher.sh
+++ b/launcher.sh
@@ -141,6 +141,10 @@ show_security_menu() {
 echo -e " ${YELLOW}13)${NC} 🔒 Enable cPHulk Protection - Brute force protection"
 echo -e " ${YELLOW}14)${NC} ⚙️ Optimize CT_LIMIT - Connection tracking tuning"
 echo ""
+ echo -e "${BOLD}Analysis Tools:${NC}"
+ echo ""
+ echo -e " ${GREEN}15)${NC} 🛡️ Historical Attack Analysis - Scan past logs for attacks (ET Open)"
+ echo ""
 echo -e " ${RED}0)${NC} Back to Main Menu"
 echo ""
 echo -e "${CYAN}──────────────────────────────────────────────────────────────${NC}"
@@ -167,6 +171,7 @@ handle_security_menu() {
 12) run_module "security" "tail-secure-log.sh" ;;
 13) run_module "security" "enable-cphulk.sh" ;;
 14) run_module "security" "optimize-ct-limit.sh" ;;
+ 15) bash "$SCRIPT_DIR/tools/analyze-historical-attacks.sh" ;;
 0) return ;;
 *) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
 esac
diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index cad2086..462dd8a 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -1720,9 +1720,20 @@ monitor_apache_logs() {
 temp="${temp#*||}"
 et_signatures="${temp%%||*}"
- # Record attack with higher score
+ # Update IP intelligence with ET attack info
 update_ip_intelligence "$ip" "$url|ET:$et_attack_types|$et_signatures" "attack" "HTTP"
+ # Boost IP threat score based on ET detection
+ local current_intel=$(get_ip_intelligence "$ip")
+ IFS='|' read -r curr_score curr_hits curr_bot curr_attacks curr_ban curr_rep <<< "$current_intel"
+
+ # Add ET attack score to IP's total score
+ local new_score=$((curr_score + et_attack_score))
+ [ "$new_score" -gt 100 ] && new_score=100
+
+ # Update IP data with boosted score
+ IP_DATA[$ip]="$new_score|$curr_hits|$curr_bot|$curr_attacks|$curr_ban|$curr_rep"
+
 # Check rate anomaly
 if type record_request &>/dev/null && type detect_rate_anomaly &>/dev/null; then
 record_request "$ip"
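Review bot: The new `15)` arm in handle_security_menu shells out directly with `bash "$SCRIPT_DIR/tools/analyze-historical-attacks.sh"` while the neighbouring arms 12–14 all go through `run_module`, so whatever `run_module` does before executing a module — existence check, error reporting, logging — is skipped for this entry, and a missing or unreadable analyzer surfaces only as bash's own "No such file" message before the menu redraws. If `run_module` cannot resolve a path outside `modules/`, at least guard the call: `15) if [ -r "$SCRIPT_DIR/tools/analyze-historical-attacks.sh" ]; then bash "$SCRIPT_DIR/tools/analyze-historical-attacks.sh"; else echo -e "${RED}Historical analyzer not found${NC}"; sleep 1; fi ;;`. What `run_module` actually does is not visible in this hunk, so this is inferred from how the other arms use it; `handle_security_menu` continues outside the hunk.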
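Review bot: The added `IP_DATA[$ip]=...` write trusts `get_ip_intelligence` to print exactly six `|`-separated fields with a numeric score first; if it prints nothing (lookup miss or failure — `local current_intel=$(...)` hides its exit status) the record is rewritten as `<score>|||||`, discarding whatever `update_ip_intelligence` stored on the line above, and a non-numeric first field aborts the `$((…))` expansion. Separately, `$ip` is parsed from the Apache access log, so this direct array write is only safe if `IP_DATA` is declared associative (`declare -A`) — with an indexed array bash evaluates the subscript arithmetically and an attacker-controlled subscript is a code-execution vector; the declaration is outside this hunk, so worth confirming. I would split the declaration from the assignment, skip the write when the lookup returns nothing, and validate both operands before the arithmetic, as below. `monitor_apache_logs` continues past both ends of this hunk.
```shell
    update_ip_intelligence "$ip" "$url|ET:$et_attack_types|$et_signatures" "attack" "HTTP"

    # Boost IP threat score based on ET detection; only rewrite the record if the lookup returned one
    local current_intel
    current_intel=$(get_ip_intelligence "$ip") || current_intel=""
    if [[ -n "$current_intel" ]]; then
        IFS='|' read -r curr_score curr_hits curr_bot curr_attacks curr_ban curr_rep <<< "$current_intel"
        # Both operands must be non-negative integers, or $(( )) aborts on garbage
        local et_score=${et_attack_score:-0}
        [[ "$curr_score" =~ ^[0-9]+$ ]] || curr_score=0
        [[ "$et_score" =~ ^[0-9]+$ ]] || et_score=0
        local new_score=$(( curr_score + et_score ))
        (( new_score > 100 )) && new_score=100
        IP_DATA[$ip]="$new_score|$curr_hits|$curr_bot|$curr_attacks|$curr_ban|$curr_rep"
    fi
    # … unchanged: rate anomaly check …
```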