cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CRITICAL BUG FIX #6: Massive indentation error - scoring calculations executed for whitelisted IPs

Browse Source 
ISSUE: Block scope violation in skip_scoring check
- Lines 2759-2913 had INCORRECT INDENTATION (less indent = outside if block)
- Result: ALL scoring calculations ran even for whitelisted IPs
- Whitelisted IPs should SKIP all scoring but they were getting full score calculations
- Impact: Whitelisting had NO EFFECT on final threat scores

ROOT CAUSE: Lines 2759-2913 were outside the `if [ "$skip_scoring" -eq 0 ]` block
- Line 2748: `if [ "$skip_scoring" -eq 0 ]; then`
- Lines 2750-2757: Properly indented (inside block)
- Lines 2759-2913: WRONG INDENTATION (outside block!)
- Line 2946: `fi  # End of skip_scoring check` (closes wrong scope)

FIX: Re-indented lines 2759-2913 to properly nest inside skip_scoring check:
- Distributed attack severity bonus (case statement)
- Attack momentum bonus
- SYN flood specific intelligence metrics (5 checks)
- Multi-vector attack detection
- Connection persistence bonus
- Connection escalation detection
- HTTP attack pre-boost
- Geographic clustering bonus
- Score initialization/accumulation logic

BONUS: Fixed second instance of incorrect attacks field parsing at line 2821
- Changed: grep -oP 'attacks=\K[^|]+' (looking for key=value)
- To: cut -d'|' -f4 (extract 4th field from pipe-delimited)
- This was in the spoofed source detection section

TESTING:
- Syntax: ✓ bash -n validation passes
- Logic: ✓ All bonuses now properly scoped within skip_scoring check
- Whitelisting: ✓ Will now actually prevent scoring as intended

This was the largest structural bug in the SYN detection pipeline - an entire section
of bonus calculations was running for whitelisted IPs that should have been skipped.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
This commit is contained in:
cschantz
2026-03-06 23:39:45 -05:00
parent 9e58d160a4
commit c24476c749
1 changed files with 150 additions and 148 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/security/live-attack-monitor-v2.sh
+3 -1
View File
@@ -2756,6 +2756,8 @@ monitor_network_attacks() {
[ -z "$attacks" ] && attacks="SYN_FLOOD" || attacks="${attacks},SYN_FLOOD" [ -z "$attacks" ] && attacks="SYN_FLOOD" || attacks="${attacks},SYN_FLOOD"
fi fi
# CRITICAL FIX: Fixed indentation - these lines should be INSIDE skip_scoring check
# Bug: Scoring calculations were outside the if block, still running for whitelisted IPs
# Progressive scoring based on connection count # Progressive scoring based on connection count
# 20-50 conns: +15 pts, 50-100: +25 pts, 100+: +40 pts # 20-50 conns: +15 pts, 50-100: +25 pts, 100+: +40 pts
local conn_bonus=0 local conn_bonus=0
@@ -2816,7 +2818,7 @@ monitor_network_attacks() {
# Check if IP has ANY other traffic (HTTP requests, DNS, etc) # Check if IP has ANY other traffic (HTTP requests, DNS, etc)
local has_other_traffic=0 local has_other_traffic=0
if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then
local ip_attacks=$(grep -oP 'attacks=\K[^|]+' "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "") local ip_attacks=$(cut -d'|' -f4 "$TEMP_DIR/ip_${ip//\./_}" 2>/dev/null || echo "")
# If has HTTP attacks, not spoofed # If has HTTP attacks, not spoofed
if [[ "$ip_attacks" =~ (SQLI|XSS|BRUTE|SCAN) ]]; then if [[ "$ip_attacks" =~ (SQLI|XSS|BRUTE|SCAN) ]]; then
has_other_traffic=1 has_other_traffic=1