diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 535492d..dbee0dc 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -2251,6 +2251,49 @@ monitor_network_attacks() { # Increment hits hits=$((hits + 1)) + # Enhanced threat intelligence on first detection + if [ "${hits:-0}" -eq 1 ]; then + # Check if whitelisted service first + if is_whitelisted_service "$ip" 2>/dev/null; then + continue # Skip whitelisted IPs + fi + + # Get threat intelligence in background to avoid slowdown + ( + local threat_intel=$(get_threat_intelligence "$ip" 2>/dev/null) + IFS='|' read -r abuse_conf abuse_rpts country isp geo timing whitelisted <<< "$threat_intel" + + # Store enrichment for later use + echo "$threat_intel" > "$TEMP_DIR/threat_enrich_${ip//\./_}" + + # Apply reputation boosts based on AbuseIPDB + if [ "${abuse_conf:-0}" -ge 75 ]; then + # High confidence malicious - add 30 points + local curr_data=$(cat "$ip_file" 2>/dev/null || echo "0|0|human||0|0") + IFS='|' read -r old_score old_hits old_bot old_attacks old_ban old_rep <<< "$curr_data" + local new_score=$((old_score + 30)) + [ "$new_score" -gt 100 ] && new_score=100 + echo "$new_score|$old_hits|$old_bot|$old_attacks|$old_ban|$old_rep" > "$ip_file" + elif [ "${abuse_conf:-0}" -ge 50 ]; then + # Medium confidence - add 15 points + local curr_data=$(cat "$ip_file" 2>/dev/null || echo "0|0|human||0|0") + IFS='|' read -r old_score old_hits old_bot old_attacks old_ban old_rep <<< "$curr_data" + local new_score=$((old_score + 15)) + [ "$new_score" -gt 100 ] && new_score=100 + echo "$new_score|$old_hits|$old_bot|$old_attacks|$old_ban|$old_rep" > "$ip_file" + fi + + # High-risk country adds 5 points + if is_high_risk_country "${geo:-XX}" 2>/dev/null; then + local curr_data=$(cat "$ip_file" 2>/dev/null || echo "0|0|human||0|0") + IFS='|' read -r old_score old_hits old_bot old_attacks old_ban old_rep <<< "$curr_data" + local new_score=$((old_score + 5)) + [ "$new_score" -gt 100 ] && new_score=100 + echo "$new_score|$old_hits|$old_bot|$old_attacks|$old_ban|$old_rep" > "$ip_file" + fi + ) & + fi + # Record attack intelligence 
record_attack_timestamp "$ip" record_attack_vector "$ip" "NETWORK" @@ -2272,6 +2315,26 @@ monitor_network_attacks() { conn_bonus=15 fi + # Connection persistence bonus (repeated detections of same IP) + # This indicates sustained attack vs transient spike + if [ "${hits:-0}" -ge 5 ]; then + conn_bonus=$((conn_bonus + 20)) # Persistent attacker + elif [ "${hits:-0}" -ge 3 ]; then + conn_bonus=$((conn_bonus + 10)) # Repeated attack + fi + + # Connection escalation detection + # Check if connection count is increasing (more aggressive attack) + local prev_count="${CONNECTION_COUNT[$ip]:-0}" + if [ "$count" -gt "$prev_count" ] && [ "$prev_count" -gt 0 ]; then + local increase=$((count - prev_count)) + if [ "$increase" -ge 50 ]; then + conn_bonus=$((conn_bonus + 25)) # Rapidly escalating + elif [ "$increase" -ge 20 ]; then + conn_bonus=$((conn_bonus + 15)) # Escalating + fi + fi + # First hit or add to existing score if [ "${hits:-0}" -eq 1 ]; then score=$conn_bonus
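Review bot: The background subshell performs up to three separate read-modify-write cycles on `$ip_file` while the foreground loop — judging by the `score=$conn_bonus` path in the next hunk — presumably writes the same file for the same IP moments later, so either the reputation boost or the foreground score can be silently lost to the other writer. The boost should be accumulated into one value and applied in a single write guarded by a lock (`flock` on `"$ip_file.lock"`, util-linux), and the foreground writer, which lies outside this hunk, needs to take the same lock. The subshell is also spawned once per newly seen IP with no concurrency cap, so a burst of distinct sources forks an unbounded number of lookups; tracking outstanding jobs and calling `wait -n` past a small limit would keep the monitor itself from being overwhelmed. Non-numeric `abuse_conf` values would also make `[ -ge ]` print an error, so the comparison should be guarded. monitor_network_attacks starts and ends outside this hunk.
```shell
# … unchanged: first-hit check and is_whitelisted_service skip …
(
  local threat_intel
  threat_intel=$(get_threat_intelligence "$ip" 2>/dev/null)
  IFS='|' read -r abuse_conf abuse_rpts country isp geo timing whitelisted <<< "$threat_intel"
  echo "$threat_intel" > "$TEMP_DIR/threat_enrich_${ip//\./_}"

  # Accumulate every boost first, then apply them in ONE locked read-modify-write
  # so the foreground scorer cannot interleave and drop the update.
  local boost=0
  case "${abuse_conf:-0}" in
    *[!0-9]*) ;;   # non-numeric confidence from the feed: no boost
    *)
      if [ "${abuse_conf:-0}" -ge 75 ]; then boost=30
      elif [ "${abuse_conf:-0}" -ge 50 ]; then boost=15
      fi ;;
  esac
  is_high_risk_country "${geo:-XX}" 2>/dev/null && boost=$((boost + 5))

  if [ "$boost" -gt 0 ]; then
    {
      flock 9   # same lock must be taken by the foreground writer of $ip_file
      local curr_data
      curr_data=$(cat "$ip_file" 2>/dev/null || echo "0|0|human||0|0")
      IFS='|' read -r old_score old_hits old_bot old_attacks old_ban old_rep <<< "$curr_data"
      local new_score=$((old_score + boost))
      [ "$new_score" -gt 100 ] && new_score=100
      echo "$new_score|$old_hits|$old_bot|$old_attacks|$old_ban|$old_rep" > "$ip_file"
    } 9>"$ip_file.lock"
  fi
) &
# … unchanged: closing fi and record_attack_* calls …
```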
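Review bot: The escalation check built on `prev_count="${CONNECTION_COUNT[$ip]:-0}"` silently depends on `CONNECTION_COUNT[$ip]` not yet having been refreshed with the current `$count` on this pass; if that assignment happens earlier in the loop body (outside this hunk), `count -gt prev_count` can never be true and the branch is dead, and if it never happens at all the branch is equally dead. A comment should pin the contract, e.g. `# Requires CONNECTION_COUNT[$ip] to still hold the previous pass's count; it is refreshed after scoring.`, and the refresh should be confirmed to sit after this block. The thresholds 5/3 hits and 50/20 connections, and their 20/10/25/15 point values, are bare literals inside the scoring arithmetic; naming them as `readonly` constants beside the existing conn_bonus tiers would keep the scoring policy auditable in one place. monitor_network_attacks starts and ends outside this hunk.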