From 8f619193618f0b659c4aa39bd756aa260cfa9a70 Mon Sep 17 00:00:00 2001 From: cschantz Date: Fri, 6 Mar 2026 23:13:26 -0500 Subject: [PATCH] CRITICAL FIX: Define ip_file variable in SYN detection section Bug #4 (CRITICAL): ip_file variable was NEVER DEFINED in the SYN detection while loop, but was used at lines 2717-2729 for threat intelligence bonuses. Result: All threat intel bonus calculations read from undefined path ("") which always returns default data "0|0|human||0|0", never reading actual data. Impact: AbuseIPDB reputation bonuses (+30, +15, +5 points) never applied because they always read empty/default data instead of actual ip_file data. Fix: Define ip_file at line 2655 as: $TEMP_DIR/ip_${ip//./_} This matches the pattern used in all other monitoring functions and provides the path for individual IP tracking files used by threat intel bonuses. Now threat intel bonuses work correctly: - Read from correct ip_file path - Get actual data for abuse_conf checks - Apply proper reputation boost (+30 for high confidence, +15 for medium, etc) Co-Authored-By: Claude Haiku 4.5 --- modules/security/live-attack-monitor-v2.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh index 5f91889..1987292 100755 --- a/modules/security/live-attack-monitor-v2.sh +++ b/modules/security/live-attack-monitor-v2.sh @@ -2652,6 +2652,9 @@ monitor_network_attacks() { if [ -z "${ALERT_SENT[$ip]}" ]; then ALERT_SENT[$ip]=1 + # Define ip_file for this IP's individual tracking file + local ip_file="$TEMP_DIR/ip_${ip//\./_}" + # Smart whitelisting: Skip SCORING for IPs with MANY successful established connections # But still track them - don't skip the write! # Only whitelist if IP has 20+ established connections (highly unlikely for attacker)
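Review bot: The new `local ip_file="$TEMP_DIR/ip_${ip//\./_}"` assignment sits inside the `if [ -z "${ALERT_SENT[$ip]}" ]` block, so it is refreshed only the first time an IP is seen. Because `local` is function-scoped in `monitor_network_attacks()`, any read of `ip_file` outside that guard would, on a later iteration, see the path left over from a previous IP and apply another address's reputation data. The commit message places the reads at lines 2717-2729, which are not in this hunk. Please confirm every use is inside the same guard, or move the assignment to the top of the loop body, right after `ip` is set. Two smaller points on the same line: the substitution rewrites only dots, so an IPv6 address keeps its colons and any unexpected character in `$ip` goes straight into the filename, which makes validating `$ip` before building the path worthwhile. Using `"${TEMP_DIR:?}"` would also make an unset directory fail loudly instead of resolving to `/ip_...`. The commit message writes the pattern as `${ip//./_}` while the code uses `${ip//\./_}`. Both replace literal dots, but using the same spelling as the other monitoring functions keeps the pattern easy to grep for.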