Fix double-counting bug in live attack monitor ET scoring

Critical Bug Found: The same attack was being scored TWICE: 1. update_ip_intelligence() detects attack via legacy patterns → adds 85 points 2. ET detection finds same attack → adds 95 points on top 3. Result: 85 + 95 = 180 (capped at 100) Example: - Request: /wp-includes/alfa-rex.php - Legacy detection: "webshell" → +85 score - ET detection: "alfa_shell" → +95 score - Total: 180 → capped at 100 (WRONG!) Root Cause: Lines 1705 + 1731-1735 in live-attack-monitor.sh: - Line 1705: update_ip_intelligence() runs legacy detection - Line 1731: Read score from IP_DATA (includes legacy score) - Line 1731: Add ET score to existing score (DOUBLE COUNT) Fix Applied (lines 1726-1741): Changed from ADDITION to MAX selection: Before: new_score = curr_score + et_attack_score # Double counting! After: new_score = MAX(curr_score, et_attack_score) # Use higher score Logic: - If ET detects attack: Use ET score (more accurate) - If curr_score is higher: Keep it (e.g., AbuseIPDB reputation boost) - This ensures the most relevant score is used without double-counting Testing: ✅ Test 1: Legacy=85, ET=95 → Final=95 (was 100) ✅ Test 2: Reputation=110, ET=75 → Final=100 (preserved higher score) ✅ No more double counting Impact: - More accurate threat scoring - ET scores now properly reflect attack severity - Reputation scores from AbuseIPDB are preserved when higher
2025-12-13 02:37:03 -05:00
parent f07debf5c6
commit 84d06b4744
1 changed files with 10 additions and 4 deletions
@@ -1723,15 +1723,21 @@ monitor_apache_logs() {
                        # Update IP intelligence with ET attack info
                        update_ip_intelligence "$ip" "$url|ET:$et_attack_types|$et_signatures" "attack" "HTTP"

-                        # Boost IP threat score based on ET detection
+                        # Replace IP threat score with ET detection score
+                        # Note: We use ET score instead of adding it to avoid double-counting
+                        # (update_ip_intelligence already detected the same attack via legacy patterns)
                        local current_intel=$(get_ip_intelligence "$ip")
                        IFS='|' read -r curr_score curr_hits curr_bot curr_attacks curr_ban curr_rep <<< "$current_intel"

-                        # Add ET attack score to IP's total score
-                        local new_score=$((curr_score + et_attack_score))
+                        # Use ET score if it's higher than current score
+                        local new_score="$et_attack_score"
+                        if [ "$curr_score" -gt "$et_attack_score" ]; then
+                            # Keep higher score (e.g., from AbuseIPDB reputation boost)
+                            new_score="$curr_score"
+                        fi
                        [ "$new_score" -gt 100 ] && new_score=100

-                        # Update IP data with boosted score
+                        # Update IP data with ET-based score
                        IP_DATA[$ip]="$new_score|$curr_hits|$curr_bot|$curr_attacks|$curr_ban|$curr_rep"

                        # Check rate anomaly