From bec70c35bbd6248d6174f65ca9515dfe74bed9b8 Mon Sep 17 00:00:00 2001 
From: cschantz Date: Fri, 6 Mar 2026 23:45:27 -0500 Subject: [PATCH] BUG FIX #8: Multi-vector attack detection using stale individual IP files MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ISSUE: When an IP has a history of HTTP attacks (SQLI, XSS, RCE, etc.) and is later detected performing a SYN flood attack, the code failed to recognize it as a multi-vector/sophisticated attacker. ROOT CAUSE: Lines 2821 and 2852 were reading attack history from individual ip_* files: if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then local existing_attacks=$(cut -d'|' -f4 "$TEMP_DIR/ip_${ip//\./_}" ...) fi But the individual ip_* file: 1. May not exist on FIRST SYN detection (created only after SYN detection written) 2. May be out of sync with centralized ip_data file 3. Is unnecessary - attack history was already loaded and parsed! TIMELINE OF FAILURE: 1. IP performs HTTP attacks (SQLI) → stored in centralized ip_data 2. Script loads from ip_data: attacks="SQLI" (line 2597) ✓ Correct! 3. Code then IGNORES $attacks variable 4. Code checks if individual ip_* file exists → doesn't exist yet 5. Condition fails → has_other_traffic=0, multi_vector=0 6. Multi-vector bonus (+30) NOT applied 7. Spoofed source bonus (+20) incorrectly applied IMPACT: - Attacks by known sophisticated attackers (prior HTTP attacks) missed +30 bonus - False positives for spoofed source detection on first SYN occurrence - Historical attack context completely ignored on SYN detection FIX: Use the already-loaded and correct $attacks variable instead of attempting file I/O on potentially non-existent or stale individual IP files. 
LINES CHANGED: - 2821: Read from $attacks instead of ip_file - 2852: Read from $attacks instead of ip_file VERIFICATION: - Syntax: ✓ Pass - Logic: ✓ Uses centralized data source (consistent with line 2597) - Performance: ✓ Eliminates unnecessary file I/O Co-Authored-By: Claude Haiku 4.5
---
 modules/security/live-attack-monitor-v2.sh | 30 ++++++++++------------ 1 file changed, 14 insertions(+), 16 deletions(-)
diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index e73bcfe..af6466d 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2816,13 +2816,14 @@ monitor_network_attacks() {
 # 4. Spoofed source detection (high SYN, low other traffic)
 # Check if IP has ANY other traffic (HTTP requests, DNS, etc)
+ # CRITICAL FIX: Use already-loaded $attacks variable from ip_data (line 2597)
+ # Bug: was trying to read from individual ip_* file which may not exist
+ # If this is first SYN detection of an IP with prior HTTP attacks, file won't exist
+ # Result: has_other_traffic stays 0, missing indicator of multi-attack IP
 local has_other_traffic=0
- if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then
- local ip_attacks=$(cut -d'|' -f4 "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "")
- # If has HTTP attacks, not spoofed
- if [[ "$ip_attacks" =~ (SQLI|XSS|BRUTE|SCAN) ]]; then
- has_other_traffic=1
- fi
+ # If has HTTP attacks in history, not spoofed
+ if [[ "$attacks" =~ (SQLI|XSS|BRUTE|SCAN) ]]; then
+ has_other_traffic=1
 fi
 # High SYN but no other traffic = likely spoofed source
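Review bot: The two hunks test `$attacks` against different category lists — `(SQLI|XSS|BRUTE|SCAN)` here and `(SQLI|XSS|RCE|LFI|RFI|WEBSHELL)` in the `@@ -2843` hunk — so an IP whose recorded history is only RCE/LFI/RFI/WEBSHELL leaves `has_other_traffic=0` (and, per the commit message, still draws the spoofed-source bonus) while also earning the +30 multi-vector bonus, which is contradictory: any recorded application-layer attack is evidence that the source address is real. Widening this check to `if [[ "$attacks" =~ (SQLI|XSS|RCE|LFI|RFI|WEBSHELL|BRUTE|SCAN) ]]; then`, or defining one pattern variable that both checks use, would keep the two signals consistent. Separately, the new code relies on `attacks` being (re)assigned for every IP before this point; if it is declared outside the per-IP loop and only set when an ip_data record exists, a first-seen IP could inherit the previous iteration's history, and under `set -u` an unset `attacks` would abort the function — `"${attacks:-}"` guards the latter. The enclosing monitor_network_attacks body starts and ends outside the hunk.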
@@ -2843,17 +2844,14 @@ monitor_network_attacks() {
 # Multi-vector attack detection: Check if IP also has HTTP attacks
 # This indicates sophisticated attacker (SYN flood + application layer)
+ # CRITICAL FIX: Use already-loaded $attacks variable from ip_data (line 2597)
+ # Bug: was trying to read from individual ip_* file which may not exist
+ # If this is first SYN detection of an IP with prior HTTP attacks, file won't exist
+ # Result: multi_vector stays 0, missing the sophisticated attacker indicator
 local multi_vector=0
- if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then
- # CRITICAL FIX: Parse pipe-delimited format correctly
- # File format: score|hits|bot_type|attacks|ban_count|rep_score
- # Bug: was trying to parse 'attacks=' key which doesn't exist
- # Fixed: Use cut to extract 4th field (attacks)
- local existing_attacks=$(cut -d'|' -f4 "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "")
- if [[ "$existing_attacks" =~ (SQLI|XSS|RCE|LFI|RFI|WEBSHELL) ]]; then
- multi_vector=1
- conn_bonus=$((conn_bonus + 30)) # Multi-vector = very dangerous
- fi
+ if [[ "$attacks" =~ (SQLI|XSS|RCE|LFI|RFI|WEBSHELL) ]]; then
+ multi_vector=1
+ conn_bonus=$((conn_bonus + 30)) # Multi-vector = very dangerous
 fi
 # Connection persistence bonus (repeated detections of same IP)
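Review bot: The four added comment lines are a changelog ("CRITICAL FIX", "Bug: was trying to read …") pinned to a hard-coded "line 2597", which will be wrong as soon as anything above it is edited; the same block is added in the `@@ -2816` hunk. A comment here should state the present contract and leave the history to the commit message, e.g. `# $attacks holds this IP's recorded attack history, loaded earlier from the centralized ip_data record`. The retained trailer `# Multi-vector = very dangerous` would be more useful as an explanation of the score, e.g. `# +30: application-layer attacks plus a SYN flood from the same source`. monitor_network_attacks continues outside the hunk.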