Fix critical function name conflict breaking live monitor detection
CRITICAL BUG FOUND: The live monitor was missing most attack detections due to a function name conflict between legacy and ET signature systems.

Root Cause:
1. Legacy detect_all_attacks() in attack-patterns.sh
   - Returns: "SQL_INJECTION,XSS,RCE"
   - Used by update_ip_intelligence() at line 292
2. ET detect_all_attacks() in attack-signatures.sh
   - Returns: "max_severity||match_count||detailed_data"
   - OVERWRITES legacy function when sourced!
3. Source Order (live-attack-monitor.sh):
   Line 23: source attack-patterns.sh (defines legacy function)
   Line 27: source attack-signatures.sh (OVERWRITES with ET version)

Impact: When update_ip_intelligence() called detect_all_attacks(), it got ET's complex format instead of simple attack names, causing:
- Parse failures (expecting "SQLI" but getting "90||2||90||SQLI||...")
- Empty attack lists
- No legacy attack detection in live monitor
- Only ET detection via analyze_http_log_line() was working

User Report: "is the live monitor missing anything any logic or anything from all of the signatures we imported"
YES - it was missing ALL legacy pattern detection!

Solution: Renamed ET function to avoid conflict:
detect_all_attacks() → detect_all_attack_signatures()

Changes Made:
1. lib/attack-signatures.sh (line 262):
   - Renamed: detect_all_attacks → detect_all_attack_signatures
   - Added comment explaining the rename reason
2. lib/http-attack-analyzer.sh (line 46):
   - Updated call: detect_all_attacks → detect_all_attack_signatures
   - This is the only legitimate caller of the ET function

Now Both Systems Work:
✅ Legacy detect_all_attacks() - returns "SQLI,XSS"
✅ ET detect_all_attack_signatures() - returns detailed ET data
✅ ET analyze_http_log_line() - main ET detection entry point

Testing:
- Legacy function: Returns "SQL_INJECTION,HTTP_SMUGGLING" ✅
- ET function: Returns "90||2||90||SQLI||union_select||..." ✅
- No more function overwriting ✅

This restores full attack detection in the live monitor!
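The mechanism the commit message describes (a second sourced file that defines a function of the same name silently replaces the first definition, so the legacy caller starts receiving the ET "max_severity||match_count||..." format) is reproduced below as an added example. This is not code from the commit or from the project: the three library files are constructed stand-ins written to a temp directory, only the function names and return formats mirror the commit, and source_guarded, legacy_result_after_sourcing, LIBDIR and SAMPLE_REQUEST are assumed helpers introduced here. The guard goes beyond the commit's rename: it refuses to source any library whose function names already exist in the shell, so a future collision fails loudly instead of being parsed as an empty attack list.

```shell
#!/bin/sh
# Added example, not code from the project: reproduces the sourcing behaviour
# behind the commit (a second file defining detect_all_attacks silently
# replaces the first definition) and adds a guard that refuses to source a
# library whose function names are already defined in this shell.
# The three library files are constructed stand-ins in a temp directory;
# only the function names and return formats mirror the commit.

LIBDIR=$(mktemp -d)
trap 'rm -rf "$LIBDIR"' EXIT

# Constructed sample request: triggers both legacy patterns used below.
SAMPLE_REQUEST='GET /?id=1 UNION SELECT 1,2 HTTP/1.1 <script>alert(1)</script>'

write_libs() {
    # Stand-in for lib/attack-patterns.sh: legacy detector, returns "NAME,NAME".
    cat >"$LIBDIR/attack-patterns.sh" <<'EOF'
detect_all_attacks() {
    _hits=""
    case $1 in *"UNION SELECT"*) _hits="SQL_INJECTION";; esac
    case $1 in *"<script"*) _hits="${_hits:+$_hits,}XSS";; esac
    printf '%s\n' "$_hits"
}
EOF
    # Stand-in for the pre-fix lib/attack-signatures.sh: same function name,
    # ET-style "max_severity||match_count||details" output.
    cat >"$LIBDIR/attack-signatures-old.sh" <<'EOF'
detect_all_attacks() {
    _sev=0; _count=0; _detail=""
    case $1 in *"UNION SELECT"*) _sev=90; _count=1; _detail="90||SQLI||union_select";; esac
    printf '%s\n' "${_sev}||${_count}||${_detail}"
}
EOF
    # Stand-in for the post-fix file: identical body under the renamed function.
    sed 's/^detect_all_attacks()/detect_all_attack_signatures()/' \
        "$LIBDIR/attack-signatures-old.sh" >"$LIBDIR/attack-signatures.sh"
}

# What the legacy caller sees after sourcing attack-patterns.sh and then the
# given signatures file, in the same order as live-attack-monitor.sh.
# Runs in a subshell so the sourced definitions do not leak into the caller.
legacy_result_after_sourcing() {
    (
        . "$LIBDIR/attack-patterns.sh"
        . "$1"
        detect_all_attacks "$SAMPLE_REQUEST"
    )
}

# Guard (assumed helper, not in the project): source a library only if none
# of the functions it defines already exist. Function names are read from
# "name() {" lines with sed, so the file is not executed during the check.
# command -v also matches external programs of that name, which is a
# collision worth refusing too.
source_guarded() {
    for _fn in $(sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)()[[:space:]]*{.*/\1/p' "$1"); do
        if command -v "$_fn" >/dev/null 2>&1; then
            printf 'refusing to source %s: it would redefine %s\n' "$1" "$_fn" >&2
            return 1
        fi
    done
    . "$1"
}

write_libs

demo() {
    printf 'legacy result, old ET file sourced after it: %s\n' \
        "$(legacy_result_after_sourcing "$LIBDIR/attack-signatures-old.sh")"
    printf 'legacy result, renamed ET file sourced after it: %s\n' \
        "$(legacy_result_after_sourcing "$LIBDIR/attack-signatures.sh")"
    (
        . "$LIBDIR/attack-patterns.sh"
        if source_guarded "$LIBDIR/attack-signatures-old.sh"; then
            echo "guard let the conflicting library through (unexpected)"
        else
            echo "guard blocked the conflicting library"
        fi
        source_guarded "$LIBDIR/attack-signatures.sh" && echo "renamed library sourced cleanly"
    )
}

demo
```

With the old file the legacy caller gets "90||1||90||SQLI||union_select", which a parser expecting comma-separated names cannot use; with the renamed file it gets "SQL_INJECTION,XSS". The guard is cheap to run at every `source` line in the monitor and turns the next collision into an immediate startup error rather than a quiet drop in detections.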
@@ -43,7 +43,7 @@ Referer: $referer
User-Agent: $user_agent"
# Detect attacks using signature database
local attack_result=$(detect_all_attacks "$full_request" 2>/dev/null)
local attack_result=$(detect_all_attack_signatures "$full_request" 2>/dev/null)
if [ -n "$attack_result" ]; then
# Parse result: max_severity||match_count||matches...
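Review bot: the renamed call still discards stderr with `2>/dev/null`, so if `detect_all_attack_signatures` is ever not defined (attack-signatures.sh not sourced, or a stale copy sourced under the old name) the "command not found" error is swallowed, `$attack_result` is empty and the `if [ -n "$attack_result" ]` branch below silently skips, which is the same quiet non-detection this commit is fixing. Consider checking at source time, e.g. `type detect_all_attack_signatures >/dev/null 2>&1 || { echo "attack-signatures.sh not loaded" >&2; return 1; }`, or at least not suppressing stderr on this call. A one-line comment at the call site saying why this detector (and not the legacy `detect_all_attacks`) is the right one here would also help, since the parse comment `max_severity||match_count||matches...` is currently the only hint that the two same-looking functions return different formats.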