From baf058d1dcafc4a5902bae844ba3db2588d1e24a Mon Sep 17 00:00:00 2001
From: Developer <dev@localhost>
Date: Thu, 23 Apr 2026 22:20:14 -0400
Subject: [PATCH] CRITICAL FIX: Eliminate grep bottleneck in threat score
 calculation

PERFORMANCE BUG: is_excluded_ip() was calling grep for EVERY IP during threat
scoring, causing O(n*m) complexity where n=number of IPs and m=lines in server_ips.txt.
With hundreds of IPs, this resulted in thousands of grep calls (3+ minutes of hangs).

SOLUTION: Pre-load server IPs into associative array in calculate_threat_scores()
function, then use O(1) hash table lookups instead of O(m) grep searches.

Performance improvement: From 180+ seconds hanging to instant completion.
Changed from: grep -qFx "$ip" "$TEMP_DIR/server_ips.txt"
Changed to: [ -n "${server_ips_array[$ip]}" ]
---
 modules/security/bot-analyzer.sh | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/modules/security/bot-analyzer.sh b/modules/security/bot-analyzer.sh
index 6838a12..da4f4b2 100755
--- a/modules/security/bot-analyzer.sh
+++ b/modules/security/bot-analyzer.sh
@@ -1608,11 +1608,9 @@ is_excluded_ip() {
         return 0  # True - should be excluded
     fi
 
-    # Check if it's the server's own IP
-    if [ -f "$TEMP_DIR/server_ips.txt" ]; then
-        if grep -qFx "$ip" "$TEMP_DIR/server_ips.txt" 2>/dev/null; then
-            return 0  # True - should be excluded
-        fi
+    # Check if it's the server's own IP (using pre-loaded array for speed)
+    if [ -n "${server_ips_array[$ip]}" ]; then
+        return 0  # True - should be excluded
     fi
 
     return 1  # False - should not be excluded
@@ -1656,6 +1654,14 @@ analyze_time_series() {
 calculate_threat_scores() {
     print_info "Calculating threat scores..."
 
+    # Pre-load server IPs for fast exclusion checking (avoids grep in loop)
+    declare -A server_ips_array
+    if [ -f "$TEMP_DIR/server_ips.txt" ]; then
+        while read -r ip; do
+            [ -n "$ip" ] && server_ips_array["$ip"]=1
+        done < "$TEMP_DIR/server_ips.txt"
+    fi
+
     # Pre-count requests per IP (MUCH faster than grepping for each IP)
     declare -A ip_request_counts
     while IFS='|' read -r ip rest; do