Add context-aware scoring (geo, ISP, time-of-day)

Completes the 10th intelligence system: Context-Aware Scoring: - Night attacks (2am-5am server time) = +8pts suspicious timing - High-risk geography (CN, RU, etc) = +5pts - Residential ISP attacking servers = +10pts suspicious source (Comcast, Verizon, AT&T, cable/DSL/fiber residential connections) Integration: - Integrated into SSH monitoring with other intelligence - Uses threat enrichment data from AbuseIPDB lookups - Adds context reasons to CSF block messages Example enhanced block reason: "Score=98 Intel:HIGH_VELOCITY:20/hr+BOT_PATTERN+NIGHT_ATTACK:3h+RESIDENTIAL_ISP" All 10 intelligence systems now operational in SSH monitoring
2025-11-14 16:45:50 -05:00
parent 0857944c9b
commit c9bfa211c0
1 changed files with 49 additions and 0 deletions
@@ -650,6 +650,46 @@ apply_reputation_decay() {
    done
 }

+# Context-aware scoring (geo, ISP, time-of-day)
+# Returns: context_bonus|reason
+calculate_context_bonus() {
+    local ip="$1"
+    local now=$(date +%s)
+
+    local bonus=0
+    local reasons=""
+
+    # Time-of-day analysis (attacks at odd hours = suspicious)
+    local hour=$(date +%H)
+    if [ "$hour" -ge 2 ] && [ "$hour" -le 5 ]; then
+        # Attacks between 2am-5am (server timezone) = suspicious
+        bonus=$((bonus + 8))
+        reasons="NIGHT_ATTACK:${hour}h"
+    fi
+
+    # Check geolocation if available (from threat intelligence)
+    if [ -f "$TEMP_DIR/threat_enrich_${ip//\./_}" ]; then
+        local threat_data=$(cat "$TEMP_DIR/threat_enrich_${ip//\./_}")
+        IFS='|' read -r abuse_conf abuse_rpts country isp geo timing whitelisted <<< "$threat_data"
+
+        # High-risk country already detected
+        if is_high_risk_country "${geo:-XX}" 2>/dev/null; then
+            bonus=$((bonus + 5))
+            [ -n "$reasons" ] && reasons="${reasons}+" || reasons=""
+            reasons="${reasons}HIGH_RISK_GEO:${geo}"
+        fi
+
+        # Residential ISP (suspicious for server attacks)
+        if echo "$isp" | grep -qiE "(comcast|verizon|att|residential|cable|dsl|fiber|broadband)"; then
+            bonus=$((bonus + 10))
+            [ -n "$reasons" ] && reasons="${reasons}+" || reasons=""
+            reasons="${reasons}RESIDENTIAL_ISP"
+        fi
+    fi
+
+    echo "${bonus}|${reasons}"
+}
+
 # Get threat level from score
 get_threat_level() {
    local score="$1"
@@ -1182,6 +1222,15 @@ monitor_ssh_attacks() {
                        block_reasons="${block_reasons}${subnet_reason}"
                    fi

+                    # 5. Context-aware bonus (geo, ISP, time)
+                    local context_data=$(calculate_context_bonus "$ip")
+                    IFS='|' read -r context_bonus context_reason <<< "$context_data"
+                    if [ "$context_bonus" -gt 0 ]; then
+                        score=$((score + context_bonus))
+                        [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
+                        block_reasons="${block_reasons}${context_reason}"
+                    fi
+
                    # Cap at 100
                    [ $score -gt 100 ] && score=100