From 85b8c41fced2e853eb347007bedc87a814d4eb2a Mon Sep 17 00:00:00 2001
From: cschantz
Date: Thu, 13 Nov 2025 23:12:26 -0500
Subject: [PATCH] Lower threshold for traffic visibility - show all attacks and suspicious activity
- Changed from 'score >= 40' to 'score > 0 OR has attacks OR suspicious bot'
- Now shows ALL interesting traffic, not just high-scoring threats
- Added bot type display for suspicious/AI bots
- Users will see much more activity in the feed
This fixes the issue where legitimate attacks weren't showing because they hadn't accumulated enough score yet.
---
 modules/security/live-attack-monitor.sh | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 9a20c4d..e76d517 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -596,8 +596,9 @@ monitor_apache_logs() {
 # Determine if this is a threat
 local level=$(get_threat_level "$score")
- # Only log medium+ threats or attacks
- if [ "$score" -ge "$THREAT_THRESHOLD_MEDIUM" ] || [ -n "$attacks" ]; then
+ # Log all traffic with attacks, or score > 0, or suspicious bots
+ # This ensures we see everything interesting, not just high scores
+ if [ "$score" -gt 0 ] || [ -n "$attacks" ] || [ "$bot_type" = "suspicious" ]; then
 local color=$(get_threat_color "$level")
 local time_str=$(date +"%H:%M:%S")
@@ -605,6 +606,11 @@ monitor_apache_logs() {
 local log_line="${color}[${time_str}] $ip"
 log_line+=" | Score:$score [$level]"
+ # Show bot type if interesting
+ if [ "$bot_type" = "suspicious" ] || [ "$bot_type" = "ai" ]; then
+ log_line+=" | Bot:$bot_type"
+ fi
+
 if [ -n "$attacks" ]; then
 local first_attack=$(echo "$attacks" | cut -d',' -f1)
 local icon=$(get_attack_icon "$first_attack")
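Review bot: The new gate `[ "$score" -gt 0 ]` replaces the named `THREAT_THRESHOLD_MEDIUM` with a hard-coded 0, so any client that earns a single point now produces a feed line. On a busy host, or under a burst of deliberately low-scoring requests, the lines that matter can scroll out of view before an operator reads them. Consider keeping the cutoff configurable, for example `local min_score="${FEED_MIN_SCORE:-1}"` followed by `[ "$score" -ge "$min_score" ]` (the variable name is only a suggestion, it does not exist in the visible code). `bot_type` is not assigned anywhere in the visible lines, so confirm it is set for every request before this test and declared `local` if this function owns it. monitor_apache_logs starts and ends outside the hunk.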
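Review bot: The display test in this hunk accepts `ai` as well as `suspicious`, but the logging gate changed in the previous hunk only admits `suspicious`, so an AI bot with score 0 and no attacks is never logged and the `Bot:ai` tag shows up only on lines that qualified for another reason. If that is intended, state it in the comment, e.g. `# AI bots are tagged only when the line already qualifies by score or attack`; if AI bots should always appear, add `|| [ "$bot_type" = "ai" ]` to the gate instead. The enclosing `if` block opens before this hunk and closes after it.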