From c4bdf9e73fa78b3e3def44dfd3a9191d1b566dda Mon Sep 17 00:00:00 2001
From: cschantz
Date: Fri, 6 Mar 2026 23:44:19 -0500
Subject: [PATCH] BUG FIX #7: Geo_bonus tagging logic using conditional precedence (elif)

ISSUE: When an IP was detected in BOTH a hostile country AND hostile ASN:
- Hostile country = +10 geo_bonus
- Hostile ASN = +15 geo_bonus
- Combined = +25 geo_bonus total
Using elif logic meant only ONE tag was shown:
- [ "$geo_bonus" -ge 15 ] && tag "HOSTILE-ASN" (TRUE, added tag)
- elif [ "$geo_bonus" -lt 15 ] && tag "HOSTILE-GEO" (FALSE, skipped)
Result: IPs with BOTH conditions only showed "HOSTILE-ASN" tag, hiding the country-based threat intelligence.
ROOT CAUSE: Lines 2991-2992 used elif conditional structure that prevented both tags from being set when geo_bonus >= 25.
FIX: Replaced elif logic with independent flag-based checks:
1. Check if geo_bonus >= 15 (hostile ASN indicator)
2. Check if 10 <= geo_bonus < 15 (hostile country only)
3. Special case: if geo_bonus >= 25, set BOTH flags (indicating dual threat)
This allows proper tagging of coordinated attacks from both hostile countries AND hostile ASNs.
IMPACT:
- IPs from coordinated botnets in hostile jurisdictions now properly show both "HOSTILE-ASN" and "HOSTILE-GEO" tags
- Improved threat visibility for geographic clustering analysis
- No performance impact (simple flag checks)
LINES CHANGED: 2991-2992 (expanded to ~2991-3008 for clarity)
Co-Authored-By: Claude Haiku 4.5
---
 modules/security/live-attack-monitor-v2.sh | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 6f905d0..e73bcfe 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2988,8 +2988,25 @@ monitor_network_attacks() {
 [ "$coordinated_attack" -eq 1 ] && intel_tags="${intel_tags}BOTNET "
 [ "$multi_vector" -eq 1 ] && intel_tags="${intel_tags}MULTI-VECTOR "
 [ "$http_attack_bonus" -gt 0 ] && intel_tags="${intel_tags}HTTP-ATTACKER "
- [ "$geo_bonus" -ge 15 ] && intel_tags="${intel_tags}HOSTILE-ASN "
- [ "$geo_bonus" -ge 10 ] && [ "$geo_bonus" -lt 15 ] && intel_tags="${intel_tags}HOSTILE-GEO "
+ # CRITICAL FIX: Fixed conditional precedence for geo tagging
+ # Bug: Using elif logic caused mutual exclusion - couldn't show both tags
+ # If geo_bonus = 25 (both hostile country + ASN), only showed "HOSTILE-ASN"
+ # Should show BOTH tags if both conditions are true
+ local is_hostile_asn=0
+ local is_hostile_geo=0
+ if [ "$geo_bonus" -ge 15 ]; then
+ is_hostile_asn=1
+ fi
+ if [ "$geo_bonus" -ge 10 ] && [ "$geo_bonus" -lt 15 ]; then
+ is_hostile_geo=1
+ fi
+ # Special case: if geo_bonus >= 25, it's from BOTH sources (10 + 15)
+ if [ "$geo_bonus" -ge 25 ]; then
+ is_hostile_asn=1
+ is_hostile_geo=1
+ fi
+ [ "$is_hostile_asn" -eq 1 ] && intel_tags="${intel_tags}HOSTILE-ASN "
+ [ "$is_hostile_geo" -eq 1 ] && intel_tags="${intel_tags}HOSTILE-GEO "
 # SYN-specific intelligence tags
 [ "$established_conns" -eq 0 ] && [ "$count" -ge 5 ] && intel_tags="${intel_tags}PURE-SYN "
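Review bot: The new flag logic still reverse-engineers two independent facts from one summed score, so the `-ge 25` block is only correct while hostile-country (+10) and hostile-ASN (+15) are the sole contributors to `geo_bonus` and nothing else can land it in 16–24 or above 25; a weight change or a third scoring source elsewhere in the file would silently mis-tag without any error here. The durable fix is to set `is_hostile_asn`/`is_hostile_geo` at the point where the country and ASN lookups run (outside this hunk) and tag on those flags instead of on arithmetic; until that is done the three `if` blocks reduce to `is_hostile_asn=$(( ${geo_bonus:-0} >= 15 ))` and `is_hostile_geo=$(( (${geo_bonus:-0} >= 10 && ${geo_bonus:-0} < 15) || ${geo_bonus:-0} >= 25 ))`, which also stops `[ "$geo_bonus" -ge 15 ]` from erroring on an empty value if a failed lookup can leave it unset (not visible in this hunk — confirm). The four-line `CRITICAL FIX` comment records history rather than behavior, and its `elif` claim does not match the removed lines, which were two independent `&&` tests whose `-lt 15` upper bound excluded the combined score; replace it with a comment on the encoding, e.g. `# geo_bonus encodes hostile-country (+10) and hostile-ASN (+15); 25 means both were matched`. `monitor_network_attacks` begins and ends outside this hunk.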