diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh index de3ec5b..064304a 100755 --- a/modules/security/live-attack-monitor-v2.sh +++ b/modules/security/live-attack-monitor-v2.sh @@ -2749,11 +2749,12 @@ monitor_network_attacks() { fi # CRITICAL FIX: Declare variables before skip_scoring block - # Bug: multi_vector and geo_bonus were declared inside skip_scoring but used outside + # Bug: multi_vector, geo_bonus, and ratio were declared inside skip_scoring but used outside # When skip_scoring=1, local vars never initialized, causing undefined variable in intel_tags logic # Fix: Move declarations outside skip_scoring so they're always available local multi_vector=0 local geo_bonus=0 + local ratio=0 # Only do scoring/tracking if not whitelisted if [ "$skip_scoring" -eq 0 ]; then @@ -2809,9 +2810,10 @@ monitor_network_attacks() { # 2. SYN/ESTABLISHED ratio detection # Normal: More ESTABLISHED than SYN_RECV # Attacker: More SYN_RECV than ESTABLISHED (or 0 established) + # Note: ratio declared outside skip_scoring block (line ~2755) for scope if [ "$established_conns" -gt 0 ]; then # Calculate ratio (multiply by 10 for integer math) - local ratio=$((count * 10 / established_conns)) + ratio=$((count * 10 / established_conns)) if [ "$ratio" -ge 30 ]; then conn_bonus=$((conn_bonus + 15)) # 3:1 ratio = suspicious elif [ "$ratio" -ge 20 ]; then