diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 6f905d0..e73bcfe 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2988,8 +2988,25 @@ monitor_network_attacks() {
 [ "$coordinated_attack" -eq 1 ] && intel_tags="${intel_tags}BOTNET "
 [ "$multi_vector" -eq 1 ] && intel_tags="${intel_tags}MULTI-VECTOR "
 [ "$http_attack_bonus" -gt 0 ] && intel_tags="${intel_tags}HTTP-ATTACKER "
- [ "$geo_bonus" -ge 15 ] && intel_tags="${intel_tags}HOSTILE-ASN "
- [ "$geo_bonus" -ge 10 ] && [ "$geo_bonus" -lt 15 ] && intel_tags="${intel_tags}HOSTILE-GEO "
+ # CRITICAL FIX: Fixed conditional precedence for geo tagging
+ # Bug: Using elif logic caused mutual exclusion - couldn't show both tags
+ # If geo_bonus = 25 (both hostile country + ASN), only showed "HOSTILE-ASN"
+ # Should show BOTH tags if both conditions are true
+ local is_hostile_asn=0
+ local is_hostile_geo=0
+ if [ "$geo_bonus" -ge 15 ]; then
+ is_hostile_asn=1
+ fi
+ if [ "$geo_bonus" -ge 10 ] && [ "$geo_bonus" -lt 15 ]; then
+ is_hostile_geo=1
+ fi
+ # Special case: if geo_bonus >= 25, it's from BOTH sources (10 + 15)
+ if [ "$geo_bonus" -ge 25 ]; then
+ is_hostile_asn=1
+ is_hostile_geo=1
+ fi
+ [ "$is_hostile_asn" -eq 1 ] && intel_tags="${intel_tags}HOSTILE-ASN "
+ [ "$is_hostile_geo" -eq 1 ] && intel_tags="${intel_tags}HOSTILE-GEO "
 # SYN-specific intelligence tags
 [ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ] && intel_tags="${intel_tags}PURE-SYN "
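Review bot: The HOSTILE-GEO and HOSTILE-ASN tags are still reverse-engineered from the summed `geo_bonus`, so the new `-ge 25` branch is only correct while the weights are exactly 10 (country) and 15 (ASN), as the added comment implies. If either weight changes or another source feeds `geo_bonus`, analysts get a wrong tag during triage. Prefer setting `is_hostile_geo` and `is_hostile_asn` where the bonus is computed, which is in the part of `monitor_network_attacks` outside this hunk, and only reading them here. If the thresholds stay, the `is_hostile_asn=1` inside the `-ge 25` block is redundant with the `-ge 15` test. The comment should also state the mapping rather than the history, since the removed lines had no `elif`, e.g. `# geo_bonus = 10 (hostile country) + 15 (hostile ASN): 10-14 GEO, 15-24 ASN, >=25 both`.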