From 8a154753bd6d6461332e749bd99bb0c8bd2e8d4f Mon Sep 17 00:00:00 2001 From: cschantz Date: Fri, 6 Mar 2026 23:51:10 -0500 Subject: [PATCH] BUG FIX #12: Variable scope issue with ratio (SYN/ESTABLISHED ratio detection) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ISSUE: The SYN/ESTABLISHED ratio detection calculates a ratio value inside the skip_scoring block but uses it later in the intel_tags logic OUTSIDE the block. When skip_scoring=1 (whitelisted IP), the ratio variable is never initialized. ROOT CAUSE: Similar to BUG #10 (multi_vector, geo_bonus), the ratio variable was declared as 'local' INSIDE the skip_scoring conditional block (line 2814), but referenced at line 3030 which is OUTSIDE the block: - Line 2814: local ratio=$((count * 10 / established_conns)) [INSIDE skip_scoring] - Line 3030: [ "${ratio:-0}" -ge 30 ] && intel_tags="..." [OUTSIDE skip_scoring] IMPACT: - Whitelisted IPs: BAD-RATIO tag never shown (even if suspicious ratio exists) - For skip_scoring=1 IPs, ratio defaults to 0 via ${ratio:-0} - Intel tags incomplete for whitelisted IPs with bad SYN/ESTABLISHED ratios - Threat assessment missing important ratio indicator BEHAVIOR WITH BUG: 1. When skip_scoring=0: ratio is calculated and used (works) 2. When skip_scoring=1: ratio never initialized - [ "${ratio:-0}" -ge 30 ] → [ "${:-0}" -ge 30 ] → always false - BAD-RATIO tag not added to intel_tags - Misleading threat summary for whitelisted IPs FIX: Move ratio variable declaration OUTSIDE skip_scoring block (before line 2755). Initialize to 0 like the other variables (multi_vector, geo_bonus). Remove duplicate declaration inside skip_scoring block. Result: ratio is always initialized and available for intel_tags logic. LINES CHANGED: - Added: local ratio=0 declaration before skip_scoring block - Removed: local ratio=... from line 2814 - Changed: local ratio= to just ratio= on line 2814 VERIFICATION: - Syntax: ✓ Pass - Scope: ✓ Variable available both inside and outside skip_scoring - Logic: ✓ Consistent with other scope-dependent variables Co-Authored-By: Claude Haiku 4.5 --- modules/security/live-attack-monitor-v2.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh index de3ec5b..064304a 100755 --- a/modules/security/live-attack-monitor-v2.sh +++ b/modules/security/live-attack-monitor-v2.sh @@ -2749,11 +2749,12 @@ monitor_network_attacks() { fi # CRITICAL FIX: Declare variables before skip_scoring block - # Bug: multi_vector and geo_bonus were declared inside skip_scoring but used outside + # Bug: multi_vector, geo_bonus, and ratio were declared inside skip_scoring but used outside # When skip_scoring=1, local vars never initialized, causing undefined variable in intel_tags logic # Fix: Move declarations outside skip_scoring so they're always available local multi_vector=0 local geo_bonus=0 + local ratio=0 # Only do scoring/tracking if not whitelisted if [ "$skip_scoring" -eq 0 ]; then @@ -2809,9 +2810,10 @@ monitor_network_attacks() { # 2. SYN/ESTABLISHED ratio detection # Normal: More ESTABLISHED than SYN_RECV # Attacker: More SYN_RECV than ESTABLISHED (or 0 established) + # Note: ratio declared outside skip_scoring block (line ~2755) for scope if [ "$established_conns" -gt 0 ]; then # Calculate ratio (multiply by 10 for integer math) - local ratio=$((count * 10 / established_conns)) + ratio=$((count * 10 / established_conns)) if [ "$ratio" -ge 30 ]; then conn_bonus=$((conn_bonus + 15)) # 3:1 ratio = suspicious elif [ "$ratio" -ge 20 ]; then