Add centralized IP reputation tracking system

Created a comprehensive IP reputation system that tracks IPs across all
toolkit scripts with tags/attack types, scores, and detailed analytics.

NEW FILES:
- lib/ip-reputation.sh: Core reputation library with optimized database
  * Fast lookup using pipe-delimited file format
  * Attack type tagging system (bitmask: SQL, XSS, RCE, Bot, Scanner, etc.)
  * Reputation scoring (0-100) based on hits and attack severity
  * GeoIP country lookup integration
  * Automatic cleanup of old entries
  * Thread-safe with file locking

- modules/security/ip-reputation-manager.sh: Interactive management tool
  * Query individual IPs with full details
  * View top malicious/active IPs
  * Database statistics and analytics
  * Manual IP flagging/whitelisting
  * Import IPs from logs
  * Export to readable reports
  * Live monitoring mode

INTEGRATION:
All security and analysis scripts now use the centralized reputation system:

- modules/website/500-error-tracker.sh:
  * Tracks IPs generating 500 errors
  * Tags bots/scanners with BOT/SCANNER flags
  * Background processing for performance

- modules/security/live-attack-monitor.sh:
  * Maps attack types to reputation flags
  * Tracks SSH bruteforce, SQL injection, XSS, DDoS, etc.
  * Real-time reputation updates

- modules/website/website-error-analyzer.sh:
  * Tags filtered bots in error analysis
  * Builds IP reputation from website errors

- launcher.sh:
  * Added IP Reputation Manager to Bot & Traffic Analysis menu
  * Menu option 4 in Security > Analysis > Bot & Traffic Analysis

KEY FEATURES:
✓ Centralized IP tracking across ALL scripts
✓ Multi-tag system (IP can have multiple attack types)
✓ Reputation scores increase with more tags/attacks
✓ Country tracking via GeoIP
✓ Optimized for high-volume traffic (attacks with 1000s of IPs)
✓ Fast lookups even during DDoS
✓ Background processing doesn't slow down analysis
✓ Database cleanup/maintenance tools
✓ Export for reports and sharing

BENEFITS:
- Single source of truth for IP reputation
- Scripts share intelligence (bot detected in one script = flagged for all)
- Track IPs across time and multiple attack vectors
- Identify repeat offenders with multiple attack types
- Make blocking decisions based on comprehensive data
- Performance optimized with file locking and background updates

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
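The commit message describes lib/ip-reputation.sh as a pipe-delimited database with a bitmask of attack types, a 0-100 score derived from hits and severity, file locking around writes, and periodic cleanup. The block below is an added example written for this page, not the toolkit's own library: it sketches that design end to end so the trade-offs are visible. The record layout, the flag values, the severity weights, the caller-supplied country code (standing in for the GeoIP lookup) and the mkdir-based lock are all assumptions; the real library's fields and lock mechanism are not shown on this page.

```shell
#!/bin/sh
# Added example (not the toolkit's lib/ip-reputation.sh). Record layout,
# flag values, severity weights and the mkdir lock are assumptions.
# Assumed record layout: ip|tags|hits|score|first_seen|last_seen|country

REP_DB="${REP_DB:-/tmp/ip-reputation.example.db}"

# Attack-type bitmask: one bit per type, so an IP can carry several at once.
TAG_SQL=1; TAG_XSS=2; TAG_RCE=4; TAG_BOT=8; TAG_SCANNER=16; TAG_BRUTE=32

rep_lock() {
    # mkdir is atomic, so it doubles as a portable lock; retry ~5s, then fail.
    local i=0
    while ! mkdir "$REP_DB.lock" 2>/dev/null; do
        i=$((i + 1))
        [ "$i" -ge 50 ] && { echo "rep_lock: timeout on $REP_DB.lock" >&2; return 1; }
        sleep 0.1
    done
}
rep_unlock() { rmdir "$REP_DB.lock" 2>/dev/null || :; }

rep_tag_names() {
    # bitmask -> comma-separated names, e.g. 17 -> SQL,SCANNER
    local tags=$1 out=""
    [ $((tags & TAG_SQL)) -ne 0 ]     && out="$out,SQL"
    [ $((tags & TAG_XSS)) -ne 0 ]     && out="$out,XSS"
    [ $((tags & TAG_RCE)) -ne 0 ]     && out="$out,RCE"
    [ $((tags & TAG_BOT)) -ne 0 ]     && out="$out,BOT"
    [ $((tags & TAG_SCANNER)) -ne 0 ] && out="$out,SCANNER"
    [ $((tags & TAG_BRUTE)) -ne 0 ]   && out="$out,BRUTE"
    printf '%s\n' "${out#,}"
}

rep_score() {
    # Pure function of (tags, hits): an assumed severity weight per set bit,
    # plus one point per hit up to 25, capped at 100.
    local tags=$1 hits=$2 score=0
    [ $((tags & TAG_RCE)) -ne 0 ]     && score=$((score + 40))
    [ $((tags & TAG_SQL)) -ne 0 ]     && score=$((score + 30))
    [ $((tags & TAG_BRUTE)) -ne 0 ]   && score=$((score + 25))
    [ $((tags & TAG_XSS)) -ne 0 ]     && score=$((score + 20))
    [ $((tags & TAG_SCANNER)) -ne 0 ] && score=$((score + 10))
    [ $((tags & TAG_BOT)) -ne 0 ]     && score=$((score + 5))
    [ "$hits" -gt 25 ] && hits=25
    score=$((score + hits))
    [ "$score" -gt 100 ] && score=100
    echo "$score"
}

rep_get() {
    # Print the record for one IP; exit status 1 if the IP is unknown.
    [ -f "$REP_DB" ] || return 1
    awk -F'|' -v ip="$1" '$1 == ip { print; found = 1 } END { exit !found }' "$REP_DB"
}

rep_add() {
    # rep_add IP TAGMASK [COUNTRY]: OR the new tags into any existing record,
    # bump hits, recompute the score, rewrite the file atomically under the lock.
    local ip=$1 newtags=$2 country=${3:-XX} now rec oldtags hits first tags tmp
    now=$(date +%s)
    rep_lock || return 1
    touch "$REP_DB"
    rec=$(rep_get "$ip" || :)
    if [ -n "$rec" ]; then
        oldtags=$(printf '%s' "$rec" | cut -d'|' -f2)
        hits=$(( $(printf '%s' "$rec" | cut -d'|' -f3) + 1 ))
        first=$(printf '%s' "$rec" | cut -d'|' -f5)
    else
        oldtags=0; hits=1; first=$now
    fi
    tags=$((oldtags | newtags))
    tmp="$REP_DB.tmp.$$"
    awk -F'|' -v ip="$ip" '$1 != ip' "$REP_DB" > "$tmp"
    printf '%s|%s|%s|%s|%s|%s|%s\n' "$ip" "$tags" "$hits" \
        "$(rep_score "$tags" "$hits")" "$first" "$now" "$country" >> "$tmp"
    mv "$tmp" "$REP_DB"
    rep_unlock
}

rep_prune() {
    # Cleanup: drop records whose last_seen (field 6) is older than $1 seconds.
    local cutoff=$(( $(date +%s) - $1 )) tmp="$REP_DB.tmp.$$"
    rep_lock || return 1
    awk -F'|' -v c="$cutoff" '$6 >= c' "$REP_DB" > "$tmp" && mv "$tmp" "$REP_DB"
    rep_unlock
}

rep_top() {
    # Highest score first (field 4), ties broken by hits (field 3).
    [ -f "$REP_DB" ] || return 0
    sort -t'|' -k4,4nr -k3,3nr "$REP_DB" | head -n "${1:-10}"
}

# Demo on constructed events, the way a log analyzer would feed the database.
REP_DB=$(mktemp)
rep_add 203.0.113.5  "$TAG_SQL"                 US
rep_add 203.0.113.5  "$TAG_SCANNER"             US
rep_add 198.51.100.9 "$TAG_BOT"                 DE
rep_add 192.0.2.77   "$((TAG_RCE | TAG_BRUTE))" NL
rep_top 5 | while IFS='|' read -r ip tags hits score first last cc; do
    printf '%-14s score=%-3s hits=%s tags=%s cc=%s\n' "$ip" "$score" "$hits" "$(rep_tag_names "$tags")" "$cc"
done
rm -f "$REP_DB"
```

Because the score is a pure function of (tags, hits) it is recomputed on every write, so a later change to the weights needs no migration. The cost to watch is that each update rewrites the whole file under the lock, which is O(n) per event; for the "thousands of IPs during a DDoS" case in the commit message, batching many events under one lock acquisition (or appending raw events and folding them in a background pass) is the usual way to keep writers from serializing on the lock.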
cschantz
2025-11-05 18:45:55 -05:00
parent c73111eda1
commit 9cc203a87e
6 changed files with 969 additions and 9 deletions
+10 -8
@@ -222,10 +222,11 @@ show_bot_analysis_menu() {
echo -e " ${CYAN}1)${NC} Full Bot Analysis - Complete scan (all logs)"
echo -e " ${CYAN}2)${NC} Quick Scan (1 hour) - Recent activity only"
echo -e " ${CYAN}3)${NC} Live Monitor - Real-time threat tracking"
echo -e " ${CYAN}4)${NC} IP Lookup & Investigation - Deep-dive on specific IP"
echo -e " ${CYAN}5)${NC} DDoS Pattern Detector - Identify DDoS attacks"
echo -e " ${CYAN}6)${NC} Traffic Pattern Analysis - Bandwidth & connection patterns"
echo -e " ${CYAN}7)${NC} User-Agent Analysis - Bot fingerprinting"
echo -e " ${CYAN}4)${NC} IP Reputation Manager - Query/manage IP database (NEW!)"
echo -e " ${CYAN}5)${NC} IP Lookup & Investigation - Deep-dive on specific IP"
echo -e " ${CYAN}6)${NC} DDoS Pattern Detector - Identify DDoS attacks"
echo -e " ${CYAN}7)${NC} Traffic Pattern Analysis - Bandwidth & connection patterns"
echo -e " ${CYAN}8)${NC} User-Agent Analysis - Bot fingerprinting"
echo ""
echo -e " ${RED}0)${NC} Back to Analysis Menu"
echo ""
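Review bot: inserting the new entry as option 4 renumbers every option below it (IP Lookup 4 to 5, DDoS Pattern Detector 5 to 6, Traffic Pattern Analysis 6 to 7, User-Agent Analysis 7 to 8), which invalidates any runbook, documentation or operator habit keyed to the old numbers; appending IP Reputation Manager as option 8 would add the feature without shifting existing entries. The "(NEW!)" suffix in the label will also need a follow-up commit to remove once the feature is no longer new, so it is better left out of the menu string.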
@@ -983,15 +984,16 @@ handle_bot_analysis_menu() {
1) run_module "security" "bot-analyzer.sh" ;;
2) run_module "security" "bot-analyzer.sh" -H "${QUICK_SCAN_HOURS:-1}" ;;
3) run_module "security" "live-monitor.sh" ;;
4)
4) run_module "security" "ip-reputation-manager.sh" ;;
5)
show_banner
echo -e "${BOLD}IP Lookup & Investigation${NC}"
read -p "Enter IP address: " ip
[ -n "$ip" ] && run_module "security" "ip-lookup.sh" "$ip"
;;
5) run_module "security" "ddos-detector.sh" ;;
6) run_module "security" "traffic-pattern-analysis.sh" ;;
7) run_module "security" "user-agent-analysis.sh" ;;
6) run_module "security" "ddos-detector.sh" ;;
7) run_module "security" "traffic-pattern-analysis.sh" ;;
8) run_module "security" "user-agent-analysis.sh" ;;
0) return ;;
*) echo -e "${RED}Invalid option${NC}"; sleep 1 ;;
esac
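Review bot: the case labels 4 through 8 here must be renumbered in lockstep with the labels printed in show_bot_analysis_menu, and nothing enforces that coupling; if one side drifts, a user picking "5) DDoS Pattern Detector" silently launches a different module. Consider driving both the display and the dispatch from one list of label/module pairs so a new entry is added in a single place. In the retained IP Lookup branch, `read -p "Enter IP address: " ip` would also benefit from `read -r` and a basic address-shape check before `"$ip"` is handed to ip-lookup.sh, since the only guard is `[ -n "$ip" ]`.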