Fix: bot-analyzer.sh now completes successfully
CRITICAL FIXES: - Fixed pipe-to-sort deadlock in calculate_threat_scores() by separating loop output from sort - Fixed grep -E failure in stats section (returns 1 when no matches, breaking pipefail) - Fixed while-read loops with missing error handling (|| true needed for safety) - Fixed mapfile and array operations to handle empty results gracefully ROOT CAUSES: 1. Loop output piped to sort with background processes caused file descriptor issues → Solution: Output to temp file, wait for background jobs, then sort separately 2. Grep in pipeline without error handling fails when no matches found with set -eo pipefail → Solution: Add || true to allow empty results to be handled 3. Multiple while-read loops and mapfile operations didn't handle missing files → Solution: Added || true and defaults throughout RESULTS: ✅ Script now runs to completion without hanging or exiting early ✅ Full threat analysis report generated ✅ All sections complete: threat scoring, false positives, stats, fingerprinting, domain analysis ✅ Produces comprehensive bot analysis with attack vectors, DDoS sources, timing anomalies Testing: 180 IPs analyzed, 31 high-threat scores, full report generated with no errors
This commit is contained in:
Developer
@@ -1657,19 +1657,21 @@ calculate_threat_scores() {
|
|||||||
# Pre-load server IPs for fast exclusion checking (avoids grep in loop)
|
# Pre-load server IPs for fast exclusion checking (avoids grep in loop)
|
||||||
declare -A server_ips_array
|
declare -A server_ips_array
|
||||||
if [ -f "$TEMP_DIR/server_ips.txt" ]; then
|
if [ -f "$TEMP_DIR/server_ips.txt" ]; then
|
||||||
mapfile -t server_ips_list < "$TEMP_DIR/server_ips.txt" 2>/dev/null
|
mapfile -t server_ips_list < "$TEMP_DIR/server_ips.txt" 2>/dev/null || true
|
||||||
for ip in "${server_ips_list[@]}"; do
|
for ip in "${server_ips_list[@]:-}"; do
|
||||||
[ -n "$ip" ] && server_ips_array["$ip"]=1
|
[ -n "$ip" ] && server_ips_array["$ip"]=1
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Pre-count requests per IP using mapfile (faster than while-read on large files)
|
# Pre-count requests per IP using mapfile (faster than while-read on large files)
|
||||||
declare -A ip_request_counts
|
declare -A ip_request_counts
|
||||||
mapfile -t parsed_lines < "$TEMP_DIR/parsed_logs.txt"
|
if [ -f "$TEMP_DIR/parsed_logs.txt" ]; then
|
||||||
for line in "${parsed_lines[@]}"; do
|
mapfile -t parsed_lines < "$TEMP_DIR/parsed_logs.txt" 2>/dev/null || true
|
||||||
ip="${line%%|*}"
|
for line in "${parsed_lines[@]:-}"; do
|
||||||
((ip_request_counts["$ip"]++))
|
ip="${line%%|*}"
|
||||||
done
|
[ -n "$ip" ] && ((ip_request_counts["$ip"]++)) || true
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
|
||||||
# Build hash tables from threat files for O(1) lookups
|
# Build hash tables from threat files for O(1) lookups
|
||||||
# OPTIMIZATION: Use awk instead of echo|awk|cut in loops (10x faster)
|
# OPTIMIZATION: Use awk instead of echo|awk|cut in loops (10x faster)
|
||||||
@@ -1678,48 +1680,52 @@ calculate_threat_scores() {
|
|||||||
|
|
||||||
# Parse each threat file and build hash tables (using mapfile to avoid subshells)
|
# Parse each threat file and build hash tables (using mapfile to avoid subshells)
|
||||||
if [ -f "$TEMP_DIR/sqli_attempts.txt" ]; then
|
if [ -f "$TEMP_DIR/sqli_attempts.txt" ]; then
|
||||||
mapfile -t sqli_ips < <(awk '{print $2}' "$TEMP_DIR/sqli_attempts.txt" | cut -d'|' -f1)
|
mapfile -t sqli_ips < <(awk '{print $2}' "$TEMP_DIR/sqli_attempts.txt" 2>/dev/null | cut -d'|' -f1) || true
|
||||||
for ip in "${sqli_ips[@]}"; do threat_ips_sqli["$ip"]=1; done
|
for ip in "${sqli_ips[@]:-}"; do [ -n "$ip" ] && threat_ips_sqli["$ip"]=1; done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$TEMP_DIR/xss_attempts.txt" ]; then
|
if [ -f "$TEMP_DIR/xss_attempts.txt" ]; then
|
||||||
mapfile -t xss_ips < <(awk '{print $2}' "$TEMP_DIR/xss_attempts.txt" | cut -d'|' -f1)
|
mapfile -t xss_ips < <(awk '{print $2}' "$TEMP_DIR/xss_attempts.txt" 2>/dev/null | cut -d'|' -f1) || true
|
||||||
for ip in "${xss_ips[@]}"; do threat_ips_xss["$ip"]=1; done
|
for ip in "${xss_ips[@]:-}"; do [ -n "$ip" ] && threat_ips_xss["$ip"]=1; done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$TEMP_DIR/path_traversal_attempts.txt" ]; then
|
if [ -f "$TEMP_DIR/path_traversal_attempts.txt" ]; then
|
||||||
mapfile -t path_ips < <(awk '{print $2}' "$TEMP_DIR/path_traversal_attempts.txt" | cut -d'|' -f1)
|
mapfile -t path_ips < <(awk '{print $2}' "$TEMP_DIR/path_traversal_attempts.txt" 2>/dev/null | cut -d'|' -f1) || true
|
||||||
for ip in "${path_ips[@]}"; do threat_ips_path["$ip"]=1; done
|
for ip in "${path_ips[@]:-}"; do [ -n "$ip" ] && threat_ips_path["$ip"]=1; done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$TEMP_DIR/rce_upload_attempts.txt" ]; then
|
if [ -f "$TEMP_DIR/rce_upload_attempts.txt" ]; then
|
||||||
mapfile -t rce_ips < <(awk '{print $2}' "$TEMP_DIR/rce_upload_attempts.txt" | cut -d'|' -f1)
|
mapfile -t rce_ips < <(awk '{print $2}' "$TEMP_DIR/rce_upload_attempts.txt" 2>/dev/null | cut -d'|' -f1) || true
|
||||||
for ip in "${rce_ips[@]}"; do threat_ips_rce["$ip"]=1; done
|
for ip in "${rce_ips[@]:-}"; do [ -n "$ip" ] && threat_ips_rce["$ip"]=1; done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$TEMP_DIR/login_bruteforce_attempts.txt" ]; then
|
if [ -f "$TEMP_DIR/login_bruteforce_attempts.txt" ]; then
|
||||||
mapfile -t login_ips < <(awk '{print $2}' "$TEMP_DIR/login_bruteforce_attempts.txt" | cut -d'|' -f1)
|
mapfile -t login_ips < <(awk '{print $2}' "$TEMP_DIR/login_bruteforce_attempts.txt" 2>/dev/null | cut -d'|' -f1) || true
|
||||||
for ip in "${login_ips[@]}"; do threat_ips_login["$ip"]=1; done
|
for ip in "${login_ips[@]:-}"; do [ -n "$ip" ] && threat_ips_login["$ip"]=1; done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$TEMP_DIR/suspicious_ua.txt" ]; then
|
if [ -f "$TEMP_DIR/suspicious_ua.txt" ]; then
|
||||||
mapfile -t susp_ips < <(awk '{print $2}' "$TEMP_DIR/suspicious_ua.txt" | cut -d'|' -f1)
|
mapfile -t susp_ips < <(awk '{print $2}' "$TEMP_DIR/suspicious_ua.txt" 2>/dev/null | cut -d'|' -f1) || true
|
||||||
for ip in "${susp_ips[@]}"; do threat_ips_suspicious["$ip"]=1; done
|
for ip in "${susp_ips[@]:-}"; do [ -n "$ip" ] && threat_ips_suspicious["$ip"]=1; done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -f "$TEMP_DIR/rapid_fire_ips.txt" ]; then
|
if [ -f "$TEMP_DIR/rapid_fire_ips.txt" ]; then
|
||||||
mapfile -t ddos_ips < <(awk '{print $2}' "$TEMP_DIR/rapid_fire_ips.txt")
|
mapfile -t ddos_ips < <(awk '{print $2}' "$TEMP_DIR/rapid_fire_ips.txt" 2>/dev/null) || true
|
||||||
for ip in "${ddos_ips[@]}"; do threat_ips_ddos["$ip"]=1; done
|
for ip in "${ddos_ips[@]:-}"; do [ -n "$ip" ] && threat_ips_ddos["$ip"]=1; done
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Parse count-based threat files
|
# Parse count-based threat files
|
||||||
[ -f "$TEMP_DIR/admin_probes.txt" ] && while read -r count ip; do
|
if [ -f "$TEMP_DIR/admin_probes.txt" ]; then
|
||||||
[ -n "$ip" ] && threat_admin_count["$ip"]=$count
|
while IFS=' ' read -r count ip rest; do
|
||||||
done < <(awk '{print $1, $2}' "$TEMP_DIR/admin_probes.txt" | sed 's/|.*//')
|
[ -n "$ip" ] && threat_admin_count["$ip"]=$count
|
||||||
|
done < <(awk '{print $1, $2}' "$TEMP_DIR/admin_probes.txt" 2>/dev/null || true)
|
||||||
|
fi
|
||||||
|
|
||||||
[ -f "$TEMP_DIR/404_scans.txt" ] && while read -r count ip; do
|
if [ -f "$TEMP_DIR/404_scans.txt" ]; then
|
||||||
[ -n "$ip" ] && threat_404_count["$ip"]=$count
|
while IFS=' ' read -r count ip rest; do
|
||||||
done < <(awk '{print $1, $2}' "$TEMP_DIR/404_scans.txt" | sed 's/|.*//')
|
[ -n "$ip" ] && threat_404_count["$ip"]=$count
|
||||||
|
done < <(awk '{print $1, $2}' "$TEMP_DIR/404_scans.txt" 2>/dev/null || true)
|
||||||
|
fi
|
||||||
|
|
||||||
# NEW: Load bot classifications to skip volume scoring for legitimate bots
|
# NEW: Load bot classifications to skip volume scoring for legitimate bots
|
||||||
declare -A legit_bot_ips
|
declare -A legit_bot_ips
|
||||||
@@ -1728,50 +1734,67 @@ calculate_threat_scores() {
|
|||||||
if [ "$bot_type" = "legit" ]; then
|
if [ "$bot_type" = "legit" ]; then
|
||||||
legit_bot_ips["$ip"]=1
|
legit_bot_ips["$ip"]=1
|
||||||
fi
|
fi
|
||||||
done < "$TEMP_DIR/classified_bots.txt"
|
done < "$TEMP_DIR/classified_bots.txt" || true
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# NEW: Load success rate data for scanning/scraping detection
|
# NEW: Load success rate data for scanning/scraping detection
|
||||||
declare -A scanner_ips scraper_ips ip_fail_rates
|
declare -A scanner_ips scraper_ips ip_fail_rates
|
||||||
[ -f "$TEMP_DIR/high_failure_ips.txt" ] && while IFS='|' read -r ip total fail_rate category; do
|
if [ -f "$TEMP_DIR/high_failure_ips.txt" ]; then
|
||||||
scanner_ips["$ip"]=$fail_rate
|
while IFS='|' read -r ip total fail_rate category; do
|
||||||
done < "$TEMP_DIR/high_failure_ips.txt"
|
[ -n "$ip" ] && scanner_ips["$ip"]=$fail_rate
|
||||||
|
done < "$TEMP_DIR/high_failure_ips.txt" || true
|
||||||
|
fi
|
||||||
|
|
||||||
[ -f "$TEMP_DIR/high_success_ips.txt" ] && while IFS='|' read -r ip total success_rate category; do
|
if [ -f "$TEMP_DIR/high_success_ips.txt" ]; then
|
||||||
scraper_ips["$ip"]=$success_rate
|
while IFS='|' read -r ip total success_rate category; do
|
||||||
done < "$TEMP_DIR/high_success_ips.txt"
|
[ -n "$ip" ] && scraper_ips["$ip"]=$success_rate
|
||||||
|
done < "$TEMP_DIR/high_success_ips.txt" || true
|
||||||
|
fi
|
||||||
|
|
||||||
# Load all fail rates for threshold checks
|
# Load all fail rates for threshold checks
|
||||||
[ -f "$TEMP_DIR/ip_success_rates.txt" ] && while IFS='|' read -r ip total success_rate fail_rate; do
|
if [ -f "$TEMP_DIR/ip_success_rates.txt" ]; then
|
||||||
ip_fail_rates["$ip"]=$fail_rate
|
while IFS='|' read -r ip total success_rate fail_rate; do
|
||||||
done < "$TEMP_DIR/ip_success_rates.txt"
|
[ -n "$ip" ] && ip_fail_rates["$ip"]=$fail_rate
|
||||||
|
done < "$TEMP_DIR/ip_success_rates.txt" || true
|
||||||
|
fi
|
||||||
|
|
||||||
# NEW: Load header anomalies
|
# NEW: Load header anomalies
|
||||||
declare -A header_anomalies
|
declare -A header_anomalies
|
||||||
[ -f "$TEMP_DIR/header_anomalies.txt" ] && while IFS='|' read -r ip anomaly_type score; do
|
if [ -f "$TEMP_DIR/header_anomalies.txt" ]; then
|
||||||
header_anomalies["$ip"]=$score
|
while IFS='|' read -r ip anomaly_type score; do
|
||||||
done < "$TEMP_DIR/header_anomalies.txt"
|
[ -n "$ip" ] && header_anomalies["$ip"]=$score
|
||||||
|
done < "$TEMP_DIR/header_anomalies.txt" || true
|
||||||
|
fi
|
||||||
|
|
||||||
# NEW: Load suspicious entry points
|
# NEW: Load suspicious entry points
|
||||||
declare -A suspicious_entry_ips
|
declare -A suspicious_entry_ips
|
||||||
[ -f "$TEMP_DIR/suspicious_entry_points.txt" ] && while IFS='|' read -r ip entry_type url status; do
|
if [ -f "$TEMP_DIR/suspicious_entry_points.txt" ]; then
|
||||||
suspicious_entry_ips["$ip"]=1
|
while IFS='|' read -r ip entry_type url status; do
|
||||||
done < "$TEMP_DIR/suspicious_entry_points.txt"
|
[ -n "$ip" ] && suspicious_entry_ips["$ip"]=1
|
||||||
|
done < "$TEMP_DIR/suspicious_entry_points.txt" || true
|
||||||
|
fi
|
||||||
|
|
||||||
# NEW: Load fuzzing/parameter scanning IPs
|
# NEW: Load fuzzing/parameter scanning IPs
|
||||||
declare -A fuzzing_ips
|
declare -A fuzzing_ips
|
||||||
[ -f "$TEMP_DIR/fuzzing_ips.txt" ] && while IFS='|' read -r ip fuzz_type total_urls unique_paths; do
|
if [ -f "$TEMP_DIR/fuzzing_ips.txt" ]; then
|
||||||
fuzzing_ips["$ip"]=$total_urls
|
while IFS='|' read -r ip fuzz_type total_urls unique_paths; do
|
||||||
done < "$TEMP_DIR/fuzzing_ips.txt"
|
[ -n "$ip" ] && fuzzing_ips["$ip"]=$total_urls
|
||||||
|
done < "$TEMP_DIR/fuzzing_ips.txt" || true
|
||||||
|
fi
|
||||||
|
|
||||||
# NEW: Load timing anomalies (consistent bot timing)
|
# NEW: Load timing anomalies (consistent bot timing)
|
||||||
declare -A timing_anomalies
|
declare -A timing_anomalies
|
||||||
[ -f "$TEMP_DIR/timing_anomalies.txt" ] && while IFS='|' read -r ip timing_type avg_interval total_reqs; do
|
if [ -f "$TEMP_DIR/timing_anomalies.txt" ]; then
|
||||||
timing_anomalies["$ip"]=$avg_interval
|
while IFS='|' read -r ip timing_type avg_interval total_reqs; do
|
||||||
done < "$TEMP_DIR/timing_anomalies.txt"
|
[ -n "$ip" ] && timing_anomalies["$ip"]=$avg_interval
|
||||||
|
done < "$TEMP_DIR/timing_anomalies.txt" || true
|
||||||
|
fi
|
||||||
|
|
||||||
# Now calculate scores for each IP (using pre-counted requests)
|
# Now calculate scores for each IP (using pre-counted requests)
|
||||||
|
local ip_count=0
|
||||||
for ip in "${!ip_request_counts[@]}"; do
|
for ip in "${!ip_request_counts[@]}"; do
|
||||||
|
((ip_count++)) || true
|
||||||
|
|
||||||
# Skip excluded IPs
|
# Skip excluded IPs
|
||||||
if is_excluded_ip "$ip"; then
|
if is_excluded_ip "$ip"; then
|
||||||
continue
|
continue
|
||||||
@@ -1912,11 +1935,15 @@ calculate_threat_scores() {
|
|||||||
[ -n "${threat_ips_suspicious[$ip]}" ] && flag_ip_attack "$ip" "SCANNER" 0 "Bot analyzer: Suspicious user-agent" >/dev/null 2>&1
|
[ -n "${threat_ips_suspicious[$ip]}" ] && flag_ip_attack "$ip" "SCANNER" 0 "Bot analyzer: Suspicious user-agent" >/dev/null 2>&1
|
||||||
) &
|
) &
|
||||||
fi
|
fi
|
||||||
done | sort -t'|' -k1 -rn > "$TEMP_DIR/threat_scores.txt"
|
done > "$TEMP_DIR/threat_scores_unsorted.txt"
|
||||||
|
|
||||||
# Wait for background IP reputation updates to complete (don't fail if background jobs error)
|
# Wait for background IP reputation updates to complete (don't fail if background jobs error)
|
||||||
wait || true
|
wait || true
|
||||||
|
|
||||||
|
# Sort the threat scores after all background jobs are done
|
||||||
|
sort -t'|' -k1 -rn "$TEMP_DIR/threat_scores_unsorted.txt" > "$TEMP_DIR/threat_scores.txt" || true
|
||||||
|
rm -f "$TEMP_DIR/threat_scores_unsorted.txt"
|
||||||
|
|
||||||
print_success "Threat scores calculated and IP reputation updated"
|
print_success "Threat scores calculated and IP reputation updated"
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2303,20 +2330,20 @@ generate_report() {
|
|||||||
# QUICK STATS DASHBOARD
|
# QUICK STATS DASHBOARD
|
||||||
print_header "QUICK STATS DASHBOARD"
|
print_header "QUICK STATS DASHBOARD"
|
||||||
|
|
||||||
total_requests=$(wc -l < "$TEMP_DIR/parsed_logs.txt" 2>/dev/null)
|
total_requests=$(wc -l < "$TEMP_DIR/parsed_logs.txt" 2>/dev/null || echo 0)
|
||||||
total_requests=${total_requests:-0}
|
total_requests=${total_requests:-0}
|
||||||
|
|
||||||
unique_ips=$(awk -F'|' '{print $1}' < "$TEMP_DIR/parsed_logs.txt" 2>/dev/null | sort -u | wc -l 2>/dev/null)
|
unique_ips=$(awk -F'|' '{print $1}' < "$TEMP_DIR/parsed_logs.txt" 2>/dev/null | sort -u | wc -l || echo 0)
|
||||||
unique_ips=${unique_ips:-0}
|
unique_ips=${unique_ips:-0}
|
||||||
|
|
||||||
unique_domains=$(awk -F'|' '{print $2}' < "$TEMP_DIR/parsed_logs.txt" 2>/dev/null | sort -u | wc -l 2>/dev/null)
|
unique_domains=$(awk -F'|' '{print $2}' < "$TEMP_DIR/parsed_logs.txt" 2>/dev/null | sort -u | wc -l || echo 0)
|
||||||
unique_domains=${unique_domains:-0}
|
unique_domains=${unique_domains:-0}
|
||||||
|
|
||||||
bot_requests=$(awk -F'|' '$9 != "unknown"' < "$TEMP_DIR/classified_bots.txt" 2>/dev/null | wc -l 2>/dev/null)
|
bot_requests=$(awk -F'|' '$9 != "unknown"' < "$TEMP_DIR/classified_bots.txt" 2>/dev/null | wc -l || echo 0)
|
||||||
bot_requests=${bot_requests:-0}
|
bot_requests=${bot_requests:-0}
|
||||||
|
|
||||||
# Count private/internal IPs (excluded from threat analysis)
|
# Count private/internal IPs (excluded from threat analysis)
|
||||||
private_ips=$(awk -F'|' '{print $1}' < "$TEMP_DIR/parsed_logs.txt" 2>/dev/null | sort -u | grep -E '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.)' 2>/dev/null | wc -l 2>/dev/null)
|
private_ips=$(awk -F'|' '{print $1}' < "$TEMP_DIR/parsed_logs.txt" 2>/dev/null | sort -u | grep -E '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.)' 2>/dev/null | wc -l || echo 0)
|
||||||
private_ips=${private_ips:-0}
|
private_ips=${private_ips:-0}
|
||||||
|
|
||||||
# Count server's own IPs in the logs
|
# Count server's own IPs in the logs
|
||||||
|
|||||||
Reference in New Issue
Block a user