diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 4e56b27..fcee20f 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
@@ -1527,6 +1527,11 @@ monitor_email_attacks() {
 hits=$((hits + 1))
+ # Record timestamp and vector for intelligence
+ record_attack_timestamp "$ip"
+ record_attack_vector "$ip" "EMAIL"
+ track_subnet_attack "$ip"
+
 # Add BRUTEFORCE to attacks
 if [[ ! "$attacks" =~ BRUTEFORCE ]]; then
 [ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE"
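Review bot: The three new bookkeeping calls `record_attack_timestamp`, `record_attack_vector` and `track_subnet_attack` run unchecked between `hits=$((hits + 1))` and the attack tagging; if the script runs under `set -e` (not visible in this hunk) a single failed write by any of them ends the monitor loop, and if it does not, the failure is lost silently. Since these are intelligence bookkeeping rather than detection, a best-effort form such as `record_attack_timestamp "$ip" || printf 'warn: timestamp record failed for %s\n' "$ip" >&2` keeps the detection path alive and still leaves a trace. The same trio reappears in the FTP and database hunks with only the vector literal changed, so one `record_attack_event "$ip" EMAIL` helper would keep the three call sites in step. monitor_email_attacks starts and ends outside the hunk.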
@@ -1538,10 +1543,54 @@ monitor_email_attacks() {
 else
 score=$((score + 8))
 fi
+
+ # Apply advanced intelligence bonuses
+ local block_reasons=""
+ local velocity_data=$(calculate_attack_velocity "$ip")
+ IFS='|' read -r vel_count vel_bonus vel_reason <<< "$velocity_data"
+ [ "$vel_bonus" -gt 0 ] && score=$((score + vel_bonus)) && block_reasons="${vel_reason}"
+
+ local div_data=$(calculate_diversity_bonus "$ip")
+ IFS='|' read -r div_count div_bonus div_reason <<< "$div_data"
+ if [ "$div_bonus" -gt 0 ]; then
+ score=$((score + div_bonus))
+ [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
+ block_reasons="${block_reasons}${div_reason}"
+ fi
+
+ local pattern_data=$(detect_timing_pattern "$ip")
+ IFS='|' read -r pat_type pat_conf pat_bonus pat_reason <<< "$pattern_data"
+ if [ "$pat_bonus" -gt 0 ]; then
+ score=$((score + pat_bonus))
+ [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
+ block_reasons="${block_reasons}${pat_reason}"
+ fi
+
+ local subnet_data=$(calculate_subnet_bonus "$ip")
+ IFS='|' read -r subnet_count subnet_bonus subnet_reason <<< "$subnet_data"
+ if [ "$subnet_bonus" -gt 0 ]; then
+ score=$((score + subnet_bonus))
+ [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
+ block_reasons="${block_reasons}${subnet_reason}"
+ fi
+
+ local context_data=$(calculate_context_bonus "$ip")
+ IFS='|' read -r context_bonus context_reason <<< "$context_data"
+ if [ "$context_bonus" -gt 0 ]; then
+ score=$((score + context_bonus))
+ [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
+ block_reasons="${block_reasons}${context_reason}"
+ fi
+
 [ $score -gt 100 ] && score=100
 IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
+ # Store block reasons for CSF
+ if [ -n "$block_reasons" ]; then
+ echo "$block_reasons" > "$TEMP_DIR/block_reason_${ip//\./_}"
+ fi
+
 # Log to reputation DB
 flag_ip_attack "$ip" "BRUTEFORCE" 0 "Email authentication failure" >/dev/null 2>&1 &
@@ -1585,6 +1634,11 @@ monitor_ftp_attacks() {
 hits=$((hits + 1))
+ # Record timestamp and vector for intelligence
+ record_attack_timestamp "$ip"
+ record_attack_vector "$ip" "FTP"
+ track_subnet_attack "$ip"
+
 # Add BRUTEFORCE to attacks
 if [[ ! "$attacks" =~ BRUTEFORCE ]]; then
 [ -z "$attacks" ] && attacks="BRUTEFORCE" || attacks="${attacks},BRUTEFORCE"
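Review bot: `local velocity_data=$(calculate_attack_velocity "$ip")` and its four sibling declarations mask the helper's exit status (ShellCheck SC2155), and when a helper prints nothing the parsed `vel_bonus`/`div_bonus`/`pat_bonus`/`subnet_bonus`/`context_bonus` is empty, so `[ "$vel_bonus" -gt 0 ]` emits "integer expression expected" on every hit instead of quietly skipping that bonus. The same ~45 lines are pasted verbatim into the FTP and database hunks below; the helper sketched in the fence does the scoring once, accepts only a non-negative integer as a bonus, and lets each monitor function collapse the block to `local block_reasons` followed by `IFS='|' read -r score block_reasons < <(apply_intel_bonuses "$ip" "$score")`. The block-reason file should be written with `printf '%s\n' "$block_reasons"` rather than `echo`, and its name only rewrites dots in `$ip`, so whatever extracts `$ip` from the log must already have rejected anything that is not an address — if it has not (not visible here), a `/` or `..` in that value would place the file outside `$TEMP_DIR`. monitor_email_attacks begins and ends outside the hunk.
```shell
# Fold one bonus into the caller's score/reasons (namerefs need bash >= 4.3).
# Empty, non-numeric or non-positive bonuses are ignored, so a helper that
# fails or prints nothing can neither raise a test error nor corrupt the score.
_add_intel_bonus() {   # args: score-var reasons-var bonus reason
  local -n _score=$1 _reasons=$2
  local bonus=${3:-0} reason=${4:-}
  [[ "$bonus" =~ ^[0-9]+$ ]] && (( bonus > 0 )) || return 0
  _score=$(( _score + bonus ))
  _reasons=${_reasons:+${_reasons}+}${reason}
}

#######################################
# Apply velocity/diversity/timing/subnet/context bonuses for one IP.
# Arguments: $1 - ip, $2 - base score
# Outputs:   "<score capped at 100>|<reason1+reason2...>" on stdout
#######################################
apply_intel_bonuses() {
  local ip=$1 score=$2 reasons="" data _ bonus reason

  data=$(calculate_attack_velocity "$ip") || data=""
  IFS='|' read -r _ bonus reason <<< "$data"
  _add_intel_bonus score reasons "$bonus" "$reason"

  data=$(calculate_diversity_bonus "$ip") || data=""
  IFS='|' read -r _ bonus reason <<< "$data"
  _add_intel_bonus score reasons "$bonus" "$reason"

  data=$(detect_timing_pattern "$ip") || data=""
  IFS='|' read -r _ _ bonus reason <<< "$data"
  _add_intel_bonus score reasons "$bonus" "$reason"

  data=$(calculate_subnet_bonus "$ip") || data=""
  IFS='|' read -r _ bonus reason <<< "$data"
  _add_intel_bonus score reasons "$bonus" "$reason"

  data=$(calculate_context_bonus "$ip") || data=""
  IFS='|' read -r bonus reason <<< "$data"
  _add_intel_bonus score reasons "$bonus" "$reason"

  (( score > 100 )) && score=100
  printf '%s|%s\n' "$score" "$reasons"
}

# … in monitor_email_attacks (and the FTP/database twins), replacing the pasted block:
# … unchanged: base score update above …
local block_reasons
IFS='|' read -r score block_reasons < <(apply_intel_bonuses "$ip" "$score")
# … unchanged: IP_DATA update; block-reason file written with printf '%s\n' …
```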
@@ -1596,10 +1650,54 @@ monitor_ftp_attacks() {
 else
 score=$((score + 8))
 fi
+
+ # Apply advanced intelligence bonuses
+ local block_reasons=""
+ local velocity_data=$(calculate_attack_velocity "$ip")
+ IFS='|' read -r vel_count vel_bonus vel_reason <<< "$velocity_data"
+ [ "$vel_bonus" -gt 0 ] && score=$((score + vel_bonus)) && block_reasons="${vel_reason}"
+
+ local div_data=$(calculate_diversity_bonus "$ip")
+ IFS='|' read -r div_count div_bonus div_reason <<< "$div_data"
+ if [ "$div_bonus" -gt 0 ]; then
+ score=$((score + div_bonus))
+ [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
+ block_reasons="${block_reasons}${div_reason}"
+ fi
+
+ local pattern_data=$(detect_timing_pattern "$ip")
+ IFS='|' read -r pat_type pat_conf pat_bonus pat_reason <<< "$pattern_data"
+ if [ "$pat_bonus" -gt 0 ]; then
+ score=$((score + pat_bonus))
+ [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
+ block_reasons="${block_reasons}${pat_reason}"
+ fi
+
+ local subnet_data=$(calculate_subnet_bonus "$ip")
+ IFS='|' read -r subnet_count subnet_bonus subnet_reason <<< "$subnet_data"
+ if [ "$subnet_bonus" -gt 0 ]; then
+ score=$((score + subnet_bonus))
+ [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
+ block_reasons="${block_reasons}${subnet_reason}"
+ fi
+
+ local context_data=$(calculate_context_bonus "$ip")
+ IFS='|' read -r context_bonus context_reason <<< "$context_data"
+ if [ "$context_bonus" -gt 0 ]; then
+ score=$((score + context_bonus))
+ [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
+ block_reasons="${block_reasons}${context_reason}"
+ fi
+
 [ $score -gt 100 ] && score=100
 IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
+ # Store block reasons for CSF
+ if [ -n "$block_reasons" ]; then
+ echo "$block_reasons" > "$TEMP_DIR/block_reason_${ip//\./_}"
+ fi
+
 # Log to reputation DB
 flag_ip_attack "$ip" "BRUTEFORCE" 0 "FTP login failure" >/dev/null 2>&1 &
@@ -1643,6 +1741,11 @@ monitor_database_attacks() {
 hits=$((hits + 1))
+ # Record timestamp and vector for intelligence
+ record_attack_timestamp "$ip"
+ record_attack_vector "$ip" "DATABASE"
+ track_subnet_attack "$ip"
+
 # Add SQL_INJECTION to attacks
 local is_new_attack=0
 if [[ ! "$attacks" =~ SQL_INJECTION ]]; then
@@ -1656,10 +1759,54 @@ monitor_database_attacks() {
 else
 score=$((score + 12))
 fi
+
+ # Apply advanced intelligence bonuses
+ local block_reasons=""
+ local velocity_data=$(calculate_attack_velocity "$ip")
+ IFS='|' read -r vel_count vel_bonus vel_reason <<< "$velocity_data"
+ [ "$vel_bonus" -gt 0 ] && score=$((score + vel_bonus)) && block_reasons="${vel_reason}"
+
+ local div_data=$(calculate_diversity_bonus "$ip")
+ IFS='|' read -r div_count div_bonus div_reason <<< "$div_data"
+ if [ "$div_bonus" -gt 0 ]; then
+ score=$((score + div_bonus))
+ [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
+ block_reasons="${block_reasons}${div_reason}"
+ fi
+
+ local pattern_data=$(detect_timing_pattern "$ip")
+ IFS='|' read -r pat_type pat_conf pat_bonus pat_reason <<< "$pattern_data"
+ if [ "$pat_bonus" -gt 0 ]; then
+ score=$((score + pat_bonus))
+ [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
+ block_reasons="${block_reasons}${pat_reason}"
+ fi
+
+ local subnet_data=$(calculate_subnet_bonus "$ip")
+ IFS='|' read -r subnet_count subnet_bonus subnet_reason <<< "$subnet_data"
+ if [ "$subnet_bonus" -gt 0 ]; then
+ score=$((score + subnet_bonus))
+ [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
+ block_reasons="${block_reasons}${subnet_reason}"
+ fi
+
+ local context_data=$(calculate_context_bonus "$ip")
+ IFS='|' read -r context_bonus context_reason <<< "$context_data"
+ if [ "$context_bonus" -gt 0 ]; then
+ score=$((score + context_bonus))
+ [ -n "$block_reasons" ] && block_reasons="${block_reasons}+" || block_reasons=""
+ block_reasons="${block_reasons}${context_reason}"
+ fi
+
 [ $score -gt 100 ] && score=100
 IP_DATA[$ip]="$score|$hits|$bot_type|$attacks|$ban_count|$rep_score"
+ # Store block reasons for CSF
+ if [ -n "$block_reasons" ]; then
+ echo "$block_reasons" > "$TEMP_DIR/block_reason_${ip//\./_}"
+ fi
+
 # Log to reputation DB
 flag_ip_attack "$ip" "SQL_INJECTION" 0 "MySQL authentication failure" >/dev/null 2>&1 &