cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix double-counting bug in live attack monitor ET scoring

Browse Source 
Critical Bug Found:
The same attack was being scored TWICE:
1. update_ip_intelligence() detects attack via legacy patterns → adds 85 points
2. ET detection finds same attack → adds 95 points on top
3. Result: 85 + 95 = 180 (capped at 100)

Example:
- Request: /wp-includes/alfa-rex.php
- Legacy detection: "webshell" → +85 score
- ET detection: "alfa_shell" → +95 score
- Total: 180 → capped at 100 (WRONG!)

Root Cause:
Lines 1705 + 1731-1735 in live-attack-monitor.sh:
- Line 1705: update_ip_intelligence() runs legacy detection
- Line 1731: Read score from IP_DATA (includes legacy score)
- Line 1731: Add ET score to existing score (DOUBLE COUNT)

Fix Applied (lines 1726-1741):
Changed from ADDITION to MAX selection:

Before:
  new_score = curr_score + et_attack_score  # Double counting!

After:
  new_score = MAX(curr_score, et_attack_score)  # Use higher score

Logic:
- If ET detects attack: Use ET score (more accurate)
- If curr_score is higher: Keep it (e.g., AbuseIPDB reputation boost)
- This ensures the most relevant score is used without double-counting

Testing:
 Test 1: Legacy=85, ET=95 → Final=95 (was 100)
 Test 2: Reputation=110, ET=75 → Final=100 (preserved higher score)
 No more double counting

Impact:
- More accurate threat scoring
- ET scores now properly reflect attack severity
- Reputation scores from AbuseIPDB are preserved when higher
This commit is contained in:
cschantz
2025-12-13 02:37:03 -05:00
parent f07debf5c6
commit 84d06b4744
1 changed files with 10 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/live-attack-monitor.sh
+10 -4
View File
@@ -1723,15 +1723,21 @@ monitor_apache_logs() {
# Update IP intelligence with ET attack info # Update IP intelligence with ET attack info
update_ip_intelligence "$ip" "$url|ET:$et_attack_types|$et_signatures" "attack" "HTTP" update_ip_intelligence "$ip" "$url|ET:$et_attack_types|$et_signatures" "attack" "HTTP"
# Boost IP threat score based on ET detection # Replace IP threat score with ET detection score
# Note: We use ET score instead of adding it to avoid double-counting
# (update_ip_intelligence already detected the same attack via legacy patterns)
local current_intel=$(get_ip_intelligence "$ip") local current_intel=$(get_ip_intelligence "$ip")
IFS='|' read -r curr_score curr_hits curr_bot curr_attacks curr_ban curr_rep <<< "$current_intel" IFS='|' read -r curr_score curr_hits curr_bot curr_attacks curr_ban curr_rep <<< "$current_intel"
# Add ET attack score to IP's total score # Use ET score if it's higher than current score
local new_score=$((curr_score + et_attack_score)) local new_score="$et_attack_score"
if [ "$curr_score" -gt "$et_attack_score" ]; then
# Keep higher score (e.g., from AbuseIPDB reputation boost)
new_score="$curr_score"
fi
[ "$new_score" -gt 100 ] && new_score=100 [ "$new_score" -gt 100 ] && new_score=100
# Update IP data with boosted score # Update IP data with ET-based score
IP_DATA[$ip]="$new_score|$curr_hits|$curr_bot|$curr_attacks|$curr_ban|$curr_rep" IP_DATA[$ip]="$new_score|$curr_hits|$curr_bot|$curr_attacks|$curr_ban|$curr_rep"
# Check rate anomaly # Check rate anomaly