diff --git a/modules/security/bot-analyzer.sh b/modules/security/bot-analyzer.sh
index 1c28145..0d79385 100755
--- a/modules/security/bot-analyzer.sh
+++ b/modules/security/bot-analyzer.sh
@@ -1809,8 +1809,8 @@ calculate_threat_scores() {
 # NEW: Header anomalies (strong indicator of bots)
 if [ -n "${header_anomalies[$ip]}" ]; then
- header_score=${header_anomalies[$ip]}
- if [ "$header_score" -ge 12 ]; then
+ header_score=${header_anomalies[$ip]:-0}
+ if [ "${header_score:-0}" -ge 12 ]; then
 score=$((score + 8)) # Multiple header suspicions
 elif [ "$header_score" -ge 8 ]; then
 score=$((score + 5)) # Moderate header anomalies
@@ -1824,10 +1824,10 @@ calculate_threat_scores() {
 # NEW: Fuzzing/parameter scanning behavior
 if [ -n "${fuzzing_ips[$ip]}" ]; then
- fuzz_requests=${fuzzing_ips[$ip]}
- if [ "$fuzz_requests" -gt 100 ]; then
+ fuzz_requests=${fuzzing_ips[$ip]:-0}
+ if [ "${fuzz_requests:-0}" -gt 100 ]; then
 score=$((score + 7)) # Aggressive fuzzing
- elif [ "$fuzz_requests" -gt 50 ]; then
+ elif [ "${fuzz_requests:-0}" -gt 50 ]; then
 score=$((score + 4)) # Moderate fuzzing
 fi
 fi
@@ -1839,15 +1839,15 @@ calculate_threat_scores() {
 # Admin probing - IMPROVED: Raised threshold to 50 (only failed attempts counted)
 admin_count=${threat_admin_count[$ip]:-0}
- if [ "$admin_count" -gt 100 ] 2>/dev/null; then
+ if [ "${admin_count:-0}" -gt 100 ]; then
 score=$((score + 10)) # Excessive probing
- elif [ "$admin_count" -gt 50 ] 2>/dev/null; then
+ elif [ "${admin_count:-0}" -gt 50 ]; then
 score=$((score + 5)) # Moderate probing
 fi
 # 404 scanning
 scan_404=${threat_404_count[$ip]:-0}
- [ "$scan_404" -gt 50 ] 2>/dev/null && score=$((score + 3))
+ [ "${scan_404:-0}" -gt 50 ] && score=$((score + 3))
 # OPTIMIZATION: Skip external API calls for performance
 # Threat Intelligence Enrichment can be done post-analysis for high-risk IPs only
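Review bot: The `:-0` in `[ "${header_score:-0}" -ge 12 ]` is redundant — `header_score` was assigned with that same default on the line above and the enclosing `[ -n ... ]` guard already excludes the empty case — while the failure the dropped `2>/dev/null` in the admin-probing hunk was masking, a non-integer counter value, is still unhandled: `[ "x" -ge 12 ]` prints "integer expression expected" and evaluates false, so the IP silently earns zero for that signal. I would validate once after the assignment, `[[ "$header_score" =~ ^[0-9]+$ ]] || header_score=0`, and drop the per-test defaults; the same applies to `fuzz_requests` in the next hunk and to `admin_count` and `scan_404` in the third. The `elif` branch still reads bare `"$header_score"`, so the defaulting is also applied inconsistently within the block. These counters presumably come from parsed log fields, so a stray non-numeric value is plausible; calculate_threat_scores() begins before this hunk.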