From 78956570490b35b7de1fba9a53bf36994177d6c0 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Sat, 13 Dec 2025 02:37:03 -0500
Subject: [PATCH] Fix double-counting bug in live attack monitor ET scoring
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Critical Bug Found: The same attack was being scored TWICE: 1. update_ip_intelligence() detects attack via legacy patterns → adds 85 points 2. ET detection finds same attack → adds 95 points on top 3. Result: 85 + 95 = 180 (capped at 100) Example: - Request: /wp-includes/alfa-rex.php - Legacy detection: "webshell" → +85 score - ET detection: "alfa_shell" → +95 score - Total: 180 → capped at 100 (WRONG!) Root Cause: Lines 1705 + 1731-1735 in live-attack-monitor.sh: - Line 1705: update_ip_intelligence() runs legacy detection - Line 1731: Read score from IP_DATA (includes legacy score) - Line 1731: Add ET score to existing score (DOUBLE COUNT) Fix Applied (lines 1726-1741): Changed from ADDITION to MAX selection: Before: new_score = curr_score + et_attack_score # Double counting! After: new_score = MAX(curr_score, et_attack_score) # Use higher score Logic: - If ET detects attack: Use ET score (more accurate) - If curr_score is higher: Keep it (e.g., AbuseIPDB reputation boost) - This ensures the most relevant score is used without double-counting Testing: ✅ Test 1: Legacy=85, ET=95 → Final=95 (was 100) ✅ Test 2: Reputation=110, ET=75 → Final=100 (preserved higher score) ✅ No more double counting Impact: - More accurate threat scoring - ET scores now properly reflect attack severity - Reputation scores from AbuseIPDB are preserved when higher
---
 modules/security/live-attack-monitor.sh | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 462dd8a..7165486 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -1723,15 +1723,21 @@ monitor_apache_logs() {
                 # Update IP intelligence with ET attack info
                 update_ip_intelligence "$ip" "$url|ET:$et_attack_types|$et_signatures" "attack" "HTTP"
-                # Boost IP threat score based on ET detection
+                # Replace IP threat score with ET detection score
+                # Note: We use ET score instead of adding it to avoid double-counting
+                # (update_ip_intelligence already detected the same attack via legacy patterns)
                 local current_intel=$(get_ip_intelligence "$ip")
                 IFS='|' read -r curr_score curr_hits curr_bot curr_attacks curr_ban curr_rep <<< "$current_intel"
-                # Add ET attack score to IP's total score
-                local new_score=$((curr_score + et_attack_score))
+                # Use ET score if it's higher than current score
+                local new_score="$et_attack_score"
+                if [ "$curr_score" -gt "$et_attack_score" ]; then
+                    # Keep higher score (e.g., from AbuseIPDB reputation boost)
+                    new_score="$curr_score"
+                fi
                 [ "$new_score" -gt 100 ] && new_score=100
-                # Update IP data with boosted score
+                # Update IP data with ET-based score
                 IP_DATA[$ip]="$new_score|$curr_hits|$curr_bot|$curr_attacks|$curr_ban|$curr_rep"
                 # Check rate anomaly
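Review bot: The new `[ "$curr_score" -gt "$et_attack_score" ]` test fails with an "integer expression expected" error (exit status 2) whenever `curr_score` is empty or non-numeric, which the removed `$((curr_score + et_attack_score))` tolerated by treating an empty value as 0; since `curr_score` is whatever `read` split out of the `get_ip_intelligence` output, a missing or malformed record would now write to stderr and silently fall back to the ET score. Defaulting the field keeps the comparison well-defined: `if [ "${curr_score:-0}" -gt "$et_attack_score" ]; then`. That record is split on `|` while the attack string passed to `update_ip_intelligence` one line earlier embeds the raw request `$url`; if that string is stored in the same pipe-delimited record, a `|` in a request path would shift the parsed fields, which is worth confirming against `get_ip_intelligence` since it is outside this hunk. `monitor_apache_logs()` begins and continues outside the hunk.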