Lower threshold for traffic visibility - show all attacks and suspicious activity

- Changed from 'score >= 40' to 'score > 0 OR has attacks OR suspicious bot'
- Now shows ALL interesting traffic, not just high-scoring threats
- Added bot type display for suspicious/AI bots
- Users will see much more activity in the feed

This fixes the issue where legitimate attacks weren't showing because
they hadn't accumulated enough score yet.

modules/security/live-attack-monitor.sh

@@ -596,8 +596,9 @@ monitor_apache_logs() {
             # Determine if this is a threat
             local level=$(get_threat_level "$score")
 
-            # Only log medium+ threats or attacks
-            if [ "$score" -ge "$THREAT_THRESHOLD_MEDIUM" ] || [ -n "$attacks" ]; then
+            # Log all traffic with attacks, or score > 0, or suspicious bots
+            # This ensures we see everything interesting, not just high scores
+            if [ "$score" -gt 0 ] || [ -n "$attacks" ] || [ "$bot_type" = "suspicious" ]; then
                 local color=$(get_threat_color "$level")
                 local time_str=$(date +"%H:%M:%S")
 
@@ -605,6 +606,11 @@ monitor_apache_logs() {
                 local log_line="${color}[${time_str}] $ip"
                 log_line+=" | Score:$score [$level]"
 
+                # Show bot type if interesting
+                if [ "$bot_type" = "suspicious" ] || [ "$bot_type" = "ai" ]; then
+                    log_line+=" | Bot:$bot_type"
+                fi
+
                 if [ -n "$attacks" ]; then
                     local first_attack=$(echo "$attacks" | cut -d',' -f1)
                     local icon=$(get_attack_icon "$first_attack")