diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh index 9cacb27..968e5fc 100755 --- a/modules/security/live-attack-monitor-v2.sh +++ b/modules/security/live-attack-monitor-v2.sh @@ -2358,6 +2358,13 @@ monitor_network_attacks() { # Increment hits hits=$((hits + 1)) + # Smart whitelisting: Skip IPs with successful established connections + local established_conns=$(ss -tn state established 2>/dev/null | grep -c "$ip" || echo "0") + if [ "$established_conns" -ge 5 ]; then + # IP has 5+ established connections = legitimate traffic + continue + fi + # Enhanced threat intelligence on first detection if [ "${hits:-0}" -eq 1 ]; then # Check if whitelisted service first @@ -2373,6 +2380,31 @@ monitor_network_attacks() { # Store enrichment for later use echo "$threat_intel" > "$TEMP_DIR/threat_enrich_${ip//\./_}" + # Geographic clustering detection + if [ -n "$geo" ] && [ "$geo" != "XX" ]; then + echo "$geo" >> "$TEMP_DIR/attack_countries" + # Check if this country has 5+ attacking IPs + local country_count=$(grep -c "^${geo}$" "$TEMP_DIR/attack_countries" 2>/dev/null || echo "0") + if [ "$country_count" -ge 5 ]; then + # Coordinated attack from same country - boost all IPs from there + echo "$geo" >> "$TEMP_DIR/hostile_countries" + fi + fi + + # ASN clustering detection + if [ -n "$isp" ]; then + # Extract ASN number from ISP string + local asn=$(echo "$isp" | grep -oP 'AS\K\d+' | head -1) + if [ -n "$asn" ]; then + echo "$asn" >> "$TEMP_DIR/attack_asns" + local asn_count=$(grep -c "^${asn}$" "$TEMP_DIR/attack_asns" 2>/dev/null || echo "0") + if [ "$asn_count" -ge 3 ]; then + # Same ASN/hosting provider used by 3+ attackers + echo "$asn" >> "$TEMP_DIR/hostile_asns" + fi + fi + fi + # Apply reputation boosts based on AbuseIPDB if [ "${abuse_conf:-0}" -ge 75 ]; then # High confidence malicious - add 30 points 
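Review bot: The established-connection exemption at the top of the hunk is attacker-controllable: any source that holds 5+ open TCP sessions — which is exactly what a slowloris or keep-alive connection flood looks like — reaches `continue` before enrichment or scoring runs, and `hits` was already incremented on the preceding line, so the bypass repeats on every pass. The count itself is unreliable because `grep -c "$ip"` uses the address as an unanchored regex over both address columns of the `ss` output (10.0.0.1 also matches 10.0.0.10 and 110.0.0.1), and `|| echo "0"` fires precisely when grep -c prints 0 and exits 1, leaving `0<newline>0` in the variable and an "integer expression expected" error in the test. Let ss filter on the peer address instead, `established_conns=$(ss -Htn state established dst "$ip" 2>/dev/null | wc -l)` (`-H` needs a reasonably recent iproute2; otherwise `tail -n +2`), drop the `|| echo`, and consider treating established sessions as a score reduction or limiting the exemption to whitelisted service ports rather than skipping the IP outright. monitor_network_attacks() starts and ends outside the hunk.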
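Review bot: `grep -c "^${geo}$"` interpolates the country code returned by the external enrichment feed into a regex, and `echo "$geo" >> "$TEMP_DIR/attack_countries"` appends whatever the feed produced, so a malformed or hostile response (regex metacharacters, an embedded newline) can miscount or corrupt the cluster files; `asn` is safe only because `grep -oP 'AS\K\d+'` leaves digits. Validate before use, `[[ "$geo" =~ ^[A-Z]{2}$ ]] || geo=""`, and match fixed whole lines, `country_count=$(grep -cxF -- "$geo" "$TEMP_DIR/attack_countries" 2>/dev/null)` (grep -c already prints 0 on no match, so the `|| echo "0"` is not needed and would append a second "0"). Note also that `hostile_countries`/`hostile_asns` are append-only and never aged out, so once five addresses from a country have been seen every later address from there — legitimate users included — is boosted for the life of `$TEMP_DIR`; and `grep -oP` requires GNU grep built with PCRE, which busybox-based images lack. monitor_network_attacks() starts and ends outside the hunk.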
@@ -2401,6 +2433,12 @@ monitor_network_attacks() { ) & fi + # Reputation pre-boost: IPs with existing HTTP attacks get higher SYN scoring + local http_attack_bonus=0 + if [[ "$attacks" =~ (SQLI|XSS|RCE|LFI|RFI|WEBSHELL|XXE|SSRF) ]]; then + http_attack_bonus=25 # Already known attacker, very suspicious + fi + # Record attack intelligence record_attack_timestamp "$ip" record_attack_vector "$ip" "NETWORK" @@ -2469,6 +2507,31 @@ monitor_network_attacks() { fi fi + # Add HTTP attack pre-boost + conn_bonus=$((conn_bonus + http_attack_bonus)) + + # Geographic clustering bonus + local geo_bonus=0 + if [ -f "$TEMP_DIR/threat_enrich_${ip//\./_}" ]; then + local threat_data=$(cat "$TEMP_DIR/threat_enrich_${ip//\./_}") + local ip_geo=$(echo "$threat_data" | cut -d'|' -f5) + local ip_isp=$(echo "$threat_data" | cut -d'|' -f4) + + # Check if from hostile country (5+ attackers) + if [ -n "$ip_geo" ] && grep -q "^${ip_geo}$" "$TEMP_DIR/hostile_countries" 2>/dev/null; then + geo_bonus=$((geo_bonus + 10)) # Part of coordinated country-level attack + fi + + # Check if from hostile ASN (3+ attackers) + if [ -n "$ip_isp" ]; then + local ip_asn=$(echo "$ip_isp" | grep -oP 'AS\K\d+' | head -1) + if [ -n "$ip_asn" ] && grep -q "^${ip_asn}$" "$TEMP_DIR/hostile_asns" 2>/dev/null; then + geo_bonus=$((geo_bonus + 15)) # Same botnet infrastructure + fi + fi + fi + conn_bonus=$((conn_bonus + geo_bonus)) + # First hit or add to existing score if [ "${hits:-0}" -eq 1 ]; then score=$conn_bonus 
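Review bot: The `=~ (SQLI|XSS|RCE|LFI|RFI|WEBSHELL|XXE|SSRF)` test is an unanchored substring match, so any vector label that merely contains one of these strings — `BRUTEFORCE` contains `RCE`, for instance — earns the 25-point HTTP-attacker bonus; I cannot see the vocabulary `$attacks` carries, so check it against what record_attack_vector writes. Anchor the alternatives on token boundaries, `if [[ "$attacks" =~ (^|[^A-Z])(SQLI|XSS|RCE|LFI|RFI|WEBSHELL|XXE|SSRF)([^A-Z]|$) ]]; then`. It is also not visible in this hunk where `$attacks` is assigned for the current `$ip`; if it is not reset per iteration, a stale value from the previous address would carry the bonus over. monitor_network_attacks() starts and ends outside the hunk.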
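Review bot: `grep -q "^${ip_geo}$"` in the hostile-country check feeds a value read back from the enrichment file straight into a regex; use `grep -qxF -- "$ip_geo" "$TEMP_DIR/hostile_countries" 2>/dev/null`, and give the ASN lookup the same `-xF` treatment. The positions `cut -d'|' -f5` (geo) and `-f4` (isp) are an implicit contract with wherever `$threat_intel` is assembled, which is outside the hunk, so a one-line comment naming the layout, `# threat_enrich fields: ...|isp(4)|geo(5)|... — keep in sync with the threat_intel builder`, would stop a field reorder from silently zeroing these bonuses. Since the enrichment appears to be written by the backgrounded subshell closed by the `) &` at the start of the previous hunk, the file is typically absent on the first hit, and on later hits `conn_bonus` — now carrying the HTTP and geo boosts — looks to be added to the running score on every pass (the else branch is outside the hunk), so a hostile-ASN HTTP attacker gains up to 50 extra points per iteration rather than once; confirm that compounding is intended. monitor_network_attacks() starts and ends outside the hunk.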
@@ -2532,6 +2595,9 @@ monitor_network_attacks() { [ "$attack_momentum" -ge 1 ] && intel_tags="${intel_tags}ACCEL " [ "$coordinated_attack" -eq 1 ] && intel_tags="${intel_tags}BOTNET " [ "$multi_vector" -eq 1 ] && intel_tags="${intel_tags}MULTI-VECTOR " + [ "$http_attack_bonus" -gt 0 ] && intel_tags="${intel_tags}HTTP-ATTACKER " + [ "$geo_bonus" -ge 15 ] && intel_tags="${intel_tags}HOSTILE-ASN " + [ "$geo_bonus" -ge 10 ] && [ "$geo_bonus" -lt 15 ] && intel_tags="${intel_tags}HOSTILE-GEO " echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events" fi diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh index 9cacb27..968e5fc 100755 --- a/modules/security/live-attack-monitor.sh +++ b/modules/security/live-attack-monitor.sh @@ -2358,6 +2358,13 @@ monitor_network_attacks() { # Increment hits hits=$((hits + 1)) + # Smart whitelisting: Skip IPs with successful established connections + local established_conns=$(ss -tn state established 2>/dev/null | grep -c "$ip" || echo "0") + if [ "$established_conns" -ge 5 ]; then + # IP has 5+ established connections = legitimate traffic + continue + fi + # Enhanced threat intelligence on first detection if [ "${hits:-0}" -eq 1 ]; then # Check if whitelisted service first 
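Review bot: The two new geo tags are mutually exclusive by construction: when an address is in both a hostile country and a hostile ASN, `geo_bonus` is 25, the `-ge 15` test emits HOSTILE-ASN and the `-lt 15` clause suppresses HOSTILE-GEO, so the event line under-reports exactly the most coordinated case. With the bonuses fixed at 10 and 15 you can decode both: `{ [ "$geo_bonus" -eq 15 ] || [ "$geo_bonus" -eq 25 ]; } && intel_tags="${intel_tags}HOSTILE-ASN "` and `{ [ "$geo_bonus" -eq 10 ] || [ "$geo_bonus" -eq 25 ]; } && intel_tags="${intel_tags}HOSTILE-GEO "`, or better, carry two explicit flags alongside `coordinated_attack` so the tags do not depend on the point values. `geo_bonus` and `http_attack_bonus` are `local`s declared earlier in the loop body, outside this hunk; if any path to this branch skips those declarations the `-gt`/`-ge` tests error on an empty string. monitor_network_attacks() starts and ends outside the hunk.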
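Review bot: The 5-established-connections exemption at the top of the hunk hands attackers a bypass: a source that keeps five or more TCP sessions open — a slowloris or keep-alive flood does exactly that — is skipped with `continue` before any enrichment or scoring, and because `hits` is incremented just above, the skip persists on every subsequent pass. The measurement is also wrong: `grep -c "$ip"` treats the address as an unanchored regex over both address columns of the `ss` output, so 10.0.0.1 counts 10.0.0.10 and 110.0.0.1 as well, and `|| echo "0"` runs when grep -c prints 0 and exits 1, producing `0<newline>0` and an "integer expression expected" failure. Use ss's own peer filter, `established_conns=$(ss -Htn state established dst "$ip" 2>/dev/null | wc -l)` (use `tail -n +2` instead of `-H` on older iproute2), remove the `|| echo`, and prefer a score reduction or an exemption limited to whitelisted service ports over skipping the address entirely. monitor_network_attacks() starts and ends outside the hunk.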
@@ -2373,6 +2380,31 @@ monitor_network_attacks() { # Store enrichment for later use echo "$threat_intel" > "$TEMP_DIR/threat_enrich_${ip//\./_}" + # Geographic clustering detection + if [ -n "$geo" ] && [ "$geo" != "XX" ]; then + echo "$geo" >> "$TEMP_DIR/attack_countries" + # Check if this country has 5+ attacking IPs + local country_count=$(grep -c "^${geo}$" "$TEMP_DIR/attack_countries" 2>/dev/null || echo "0") + if [ "$country_count" -ge 5 ]; then + # Coordinated attack from same country - boost all IPs from there + echo "$geo" >> "$TEMP_DIR/hostile_countries" + fi + fi + + # ASN clustering detection + if [ -n "$isp" ]; then + # Extract ASN number from ISP string + local asn=$(echo "$isp" | grep -oP 'AS\K\d+' | head -1) + if [ -n "$asn" ]; then + echo "$asn" >> "$TEMP_DIR/attack_asns" + local asn_count=$(grep -c "^${asn}$" "$TEMP_DIR/attack_asns" 2>/dev/null || echo "0") + if [ "$asn_count" -ge 3 ]; then + # Same ASN/hosting provider used by 3+ attackers + echo "$asn" >> "$TEMP_DIR/hostile_asns" + fi + fi + fi + # Apply reputation boosts based on AbuseIPDB if [ "${abuse_conf:-0}" -ge 75 ]; then # High confidence malicious - add 30 points @@ -2401,6 +2433,12 @@ monitor_network_attacks() { ) & fi + # Reputation pre-boost: IPs with existing HTTP attacks get higher SYN scoring + local http_attack_bonus=0 + if [[ "$attacks" =~ (SQLI|XSS|RCE|LFI|RFI|WEBSHELL|XXE|SSRF) ]]; then + http_attack_bonus=25 # Already known attacker, very suspicious + fi + # Record attack intelligence record_attack_timestamp "$ip" record_attack_vector "$ip" "NETWORK" 
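Review bot: The country code `$geo` comes from the external enrichment feed and is used unvalidated both as a regex in `grep -c "^${geo}$"` and as a line appended to `attack_countries`, so a malformed or hostile response (regex metacharacters, an embedded newline) can miscount or corrupt the cluster files; the ASN path is safer because `grep -oP 'AS\K\d+'` leaves only digits. Guard it with `[[ "$geo" =~ ^[A-Z]{2}$ ]] || geo=""` before the append and count with fixed whole-line matching, `country_count=$(grep -cxF -- "$geo" "$TEMP_DIR/attack_countries" 2>/dev/null)`, dropping the `|| echo "0"` which would append a second "0" to grep -c's own 0. The hostile lists are append-only with no expiry, so after five attackers from one country every later address from there is boosted for the life of `$TEMP_DIR`, which is a false-positive amplifier worth a comment or a time-based reset; `grep -oP` additionally needs GNU grep with PCRE support. monitor_network_attacks() starts and ends outside the hunk.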
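Review bot: `[[ "$attacks" =~ (SQLI|XSS|RCE|LFI|RFI|WEBSHELL|XXE|SSRF) ]]` matches substrings anywhere in the label string, so a label such as `BRUTEFORCE` (which contains `RCE`) would collect the 25-point bonus; the label vocabulary is not visible here, so verify against what record_attack_vector emits. Bound the alternatives, `if [[ "$attacks" =~ (^|[^A-Z])(SQLI|XSS|RCE|LFI|RFI|WEBSHELL|XXE|SSRF)([^A-Z]|$) ]]; then`. Where `$attacks` is populated for the current `$ip` is also outside the hunk; if it is not cleared per iteration the bonus can leak from the previous address. monitor_network_attacks() starts and ends outside the hunk.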
@@ -2469,6 +2507,31 @@ monitor_network_attacks() { fi fi + # Add HTTP attack pre-boost + conn_bonus=$((conn_bonus + http_attack_bonus)) + + # Geographic clustering bonus + local geo_bonus=0 + if [ -f "$TEMP_DIR/threat_enrich_${ip//\./_}" ]; then + local threat_data=$(cat "$TEMP_DIR/threat_enrich_${ip//\./_}") + local ip_geo=$(echo "$threat_data" | cut -d'|' -f5) + local ip_isp=$(echo "$threat_data" | cut -d'|' -f4) + + # Check if from hostile country (5+ attackers) + if [ -n "$ip_geo" ] && grep -q "^${ip_geo}$" "$TEMP_DIR/hostile_countries" 2>/dev/null; then + geo_bonus=$((geo_bonus + 10)) # Part of coordinated country-level attack + fi + + # Check if from hostile ASN (3+ attackers) + if [ -n "$ip_isp" ]; then + local ip_asn=$(echo "$ip_isp" | grep -oP 'AS\K\d+' | head -1) + if [ -n "$ip_asn" ] && grep -q "^${ip_asn}$" "$TEMP_DIR/hostile_asns" 2>/dev/null; then + geo_bonus=$((geo_bonus + 15)) # Same botnet infrastructure + fi + fi + fi + conn_bonus=$((conn_bonus + geo_bonus)) + # First hit or add to existing score if [ "${hits:-0}" -eq 1 ]; then score=$conn_bonus @@ -2532,6 +2595,9 @@ monitor_network_attacks() { [ "$attack_momentum" -ge 1 ] && intel_tags="${intel_tags}ACCEL " [ "$coordinated_attack" -eq 1 ] && intel_tags="${intel_tags}BOTNET " [ "$multi_vector" -eq 1 ] && intel_tags="${intel_tags}MULTI-VECTOR " + [ "$http_attack_bonus" -gt 0 ] && intel_tags="${intel_tags}HTTP-ATTACKER " + [ "$geo_bonus" -ge 15 ] && intel_tags="${intel_tags}HOSTILE-ASN " + [ "$geo_bonus" -ge 10 ] && [ "$geo_bonus" -lt 15 ] && intel_tags="${intel_tags}HOSTILE-GEO " echo -e "${color}[${time_str}] $ip | Score:$score [$level] | 💥SYN_FLOOD | Conns:$count | ${intel_tags}${NC}" >> "$TEMP_DIR/recent_events" fi
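Review bot: Both hostile-list lookups interpolate data read from the enrichment file into a regex (`grep -q "^${ip_geo}$"` and the ASN equivalent); switch them to fixed whole-line matches, `grep -qxF -- "$ip_geo" "$TEMP_DIR/hostile_countries" 2>/dev/null` and `grep -qxF -- "$ip_asn" "$TEMP_DIR/hostile_asns" 2>/dev/null`. The `cut -d'|' -f5`/`-f4` positions silently depend on how `$threat_intel` is laid out elsewhere; document it where it is consumed, `# threat_enrich fields: ...|isp(4)|geo(5)|... — keep in sync with the threat_intel builder`. Because the enrichment file is, as far as the surrounding context shows, written from a backgrounded subshell, it will usually be missing on the first hit, and if the else branch below (outside the hunk) adds `conn_bonus` to the existing score each pass, the HTTP and geo boosts compound on every iteration rather than applying once — confirm that is the intended scoring. monitor_network_attacks() starts and ends outside the hunk.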
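Review bot: The HOSTILE-GEO tag can never appear together with HOSTILE-ASN: an address in both lists has `geo_bonus` 25, which satisfies `-ge 15` and fails `-lt 15`, so the most coordinated case loses its country tag. Given the fixed 10/15 weights, `{ [ "$geo_bonus" -eq 15 ] || [ "$geo_bonus" -eq 25 ]; } && intel_tags="${intel_tags}HOSTILE-ASN "` and `{ [ "$geo_bonus" -eq 10 ] || [ "$geo_bonus" -eq 25 ]; } && intel_tags="${intel_tags}HOSTILE-GEO "` restore both, though two explicit flags set where the bonuses are computed would be more robust to future weight changes. The variables tested here are `local`s declared earlier in the loop body outside this hunk; any path that reaches this event line without passing those declarations makes the numeric tests fail on an empty string. monitor_network_attacks() starts and ends outside the hunk.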