CRITICAL FIX: Define ip_file variable in SYN detection section

Bug #4 (CRITICAL): ip_file variable was NEVER DEFINED in the SYN detection
while loop, but was used at lines 2717-2729 for threat intelligence bonuses.

Result: All threat intel bonus calculations read from undefined path ("")
which always returns default data "0|0|human||0|0", never reading actual data.

Impact: AbuseIPDB reputation bonuses (+30, +15, +5 points) never applied
because they always read empty/default data instead of actual ip_file data.

Fix: Define ip_file at line 2655 as: $TEMP_DIR/ip_${ip//./_}

This matches the pattern used in all other monitoring functions and provides
the path for individual IP tracking files used by threat intel bonuses.

Now threat intel bonuses work correctly:
- Read from correct ip_file path
- Get actual data for abuse_conf checks
- Apply proper reputation boost (+30 for high confidence, +15 for medium, etc)

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
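The failure the commit describes, shown as an added example rather than the project's own code: an unset tracking-file path makes the record reader fall back to the default record, so the reputation bonus is always 0, while the correct `$TEMP_DIR/ip_<dotted-ip-with-underscores>` path yields the real data. The record layout (abuse confidence assumed to be the fifth `|`-separated field), the 80/50/25 thresholds behind the +30/+15/+5 bonuses, the sample records and `TEMP_DIR` are all assumptions; only the default record string and the bonus values come from the commit message.

```shell
#!/usr/bin/env bash
# Added example, not code from the monitored project. Assumptions: TEMP_DIR,
# the record layout "0|0|human||0|0" with abuse confidence in field 5, and the
# 80/50/25 confidence thresholds. Written to run under POSIX sh as well as bash.

TEMP_DIR="${TEMP_DIR:-$(mktemp -d)}"
DEFAULT_RECORD="0|0|human||0|0"   # default the reader returns when the file is missing

# Per-IP tracking file path: dots become underscores, mirroring the commit's ${ip//./_}.
ip_tracking_file() {
    ip="$1"
    printf '%s/ip_%s\n' "$TEMP_DIR" "$(printf '%s' "$ip" | tr . _)"
}

# Read an IP record. An empty path (the bug: ip_file never defined) or a missing
# file silently yields the default record, so callers cannot tell the two apart.
read_ip_record() {
    path="$1"
    if [ -n "$path" ] && [ -r "$path" ]; then
        cat "$path"
    else
        printf '%s\n' "$DEFAULT_RECORD"
    fi
}

# Reputation bonus from the abuse-confidence field (assumed field 5).
# Non-numeric or empty values are treated as 0 rather than breaking the comparison.
threat_intel_bonus() {
    record="$1"
    abuse_conf=$(printf '%s' "$record" | cut -d'|' -f5)
    case "$abuse_conf" in ''|*[!0-9]*) abuse_conf=0 ;; esac
    if   [ "$abuse_conf" -ge 80 ]; then echo 30
    elif [ "$abuse_conf" -ge 50 ]; then echo 15
    elif [ "$abuse_conf" -ge 25 ]; then echo 5
    else echo 0
    fi
}

# Hardened scorer: refuse to run with an unset/empty ip_file instead of defaulting.
# ${var:?} aborts the (sub)shell with a message, which is what we want here.
score_ip() {
    ip="$1"; ip_file="$2"
    : "${ip_file:?ip_file must be set before scoring $ip}"
    threat_intel_bonus "$(read_ip_record "$ip_file")"
}

demo() {
    ip=203.0.113.10
    path=$(ip_tracking_file "$ip")
    printf '%s\n' "3|1|bot||95|1" > "$path"          # constructed sample record, abuse_conf=95
    echo "empty path     -> $(read_ip_record "")  bonus=$(threat_intel_bonus "$(read_ip_record "")")"
    echo "tracking file  -> $(read_ip_record "$path")   bonus=$(threat_intel_bonus "$(read_ip_record "$path")")"
    if (score_ip "$ip" "" 2>/dev/null); then
        echo "guard did not fire"
    else
        echo "guard: refused to score $ip with unset ip_file"
    fi
}
demo
```

The guard in `score_ip` is the cheap check worth keeping: `set -u` at the top of the monitoring script would have surfaced the original bug on first run, because `"$ip_file"` would have aborted instead of expanding to an empty path that the reader treats as "no data yet".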
cschantz
2026-03-06 23:13:26 -05:00
parent 26d9559676
commit 8f61919361
@@ -2652,6 +2652,9 @@ monitor_network_attacks() {
if [ -z "${ALERT_SENT[$ip]}" ]; then
ALERT_SENT[$ip]=1
# Define ip_file for this IP's individual tracking file
local ip_file="$TEMP_DIR/ip_${ip//\./_}"
# Smart whitelisting: Skip SCORING for IPs with MANY successful established connections
# But still track them - don't skip the write!
# Only whitelist if IP has 20+ established connections (highly unlikely for attacker)
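Review bot: the new `local ip_file="$TEMP_DIR/ip_${ip//\./_}"` is declared inside the `if [ -z "${ALERT_SENT[$ip]}" ]` branch, so it is only assigned for IPs that have not yet triggered an alert; if the threat-intel code the commit message cites (lines 2717-2729) runs outside that branch, or on a later pass for an already-alerted IP, `ip_file` is either still unset or, because `local` is function-scoped in bash and survives across loop iterations, holds the previous IP's path. Move the assignment to the top of the per-IP loop body, before the `ALERT_SENT` check, so every code path in an iteration sees the current IP's file. Minor: the commit message writes the pattern as `${ip//./_}` while the code uses `${ip//\./_}`; both are equivalent, but settling on one form keeps the tracking-file pattern greppable across the other monitoring functions the message says use it.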