Fix ET Open detection display in live monitor + add more webshell signatures

Issues fixed:
1. ET detection was running but not displaying results
   - Detection was happening but only stored in intelligence DB
   - Display was showing old attack detection instead
   - Now shows ET detection with 🛡️ icon and attack types
   - Shows rate anomaly score with 🌊 icon when elevated

2. Added more webshell signatures:
   - alfa/alfa-rex/alfanew (Alfa Team shells)
   - mini.php, phpspy, antichat, idx, indoxploit
   - Suspicious PHP files in wrong locations (admin.php in wp-includes, etc.)

Display format changes:
- Old: [01:25:35] 194.5.82.127 | Score:100 [CRITICAL] | ❓85 | /alfa-rex.php
- New: [01:25:35] 194.5.82.127 | Score:100 [CRITICAL] | 🛡️ET:WEBSHELL,TRAVERSAL | /alfa-rex.php

Features:
- Uses ET score if higher than legacy score
- Shows both ET detection and legacy detection when appropriate
- Rate flooding adds to combined score
- Auto-blocks at combined score ≥90

Tested:
- alfa-rex.php: Score 100, WEBSHELL detected ✅
- admin.php: Score 100, WEBSHELL detected ✅
- ws.php7: Score 95, UPLOAD detected ✅
- All syntax validated ✅

lib/attack-signatures.sh

@@ -164,6 +164,9 @@ ATTACK_INCLUSION["lfi_proc"]="/proc/self/environ|/proc/self/fd||85||Process file
 ATTACK_WEBSHELL["known_shells"]="c99\\.php|r57\\.php|b374k|wso\\.php||95||Known webshell filename"
 ATTACK_WEBSHELL["known_shells2"]="shell\\.php|cmd\\.php|backdoor\\.php|webshell\\.php||95||Generic webshell filename"
 ATTACK_WEBSHELL["china_shells"]="caidao|chopper|godzilla|behinder||95||Chinese webshell"
+ATTACK_WEBSHELL["alfa_shell"]="alfa|alfanew|alfa-rex|alfacgiapi||95||Alfa Team webshell"
+ATTACK_WEBSHELL["common_shells"]="mini\\.php|phpspy|antichat|idx|indoxploit||95||Common webshells"
+ATTACK_WEBSHELL["suspicious_php"]="admin\\.php|wp-config\\.php|configuration\\.php.*\\?|index\\.php\\?||85||Suspicious PHP in wrong location"
 
 # Upload script abuse
 ATTACK_WEBSHELL["upload_shell"]="upload\\.php|uploader\\.php|file_upload\\.php||85||Upload script abuse"