From dd163f6db12a9f2b5d01711e9ca49bf9979a3b04 Mon Sep 17 00:00:00 2001
From: cschantz
Date: Sat, 13 Dec 2025 02:18:54 -0500
Subject: [PATCH] Fix ET Open detection display in live monitor + add more webshell signatures
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Issues fixed:
1. ET detection was running but not displaying results
- Detection was happening but only stored in intelligence DB
- Display was showing old attack detection instead
- Now shows ET detection with πŸ›‘οΈ icon and attack types
- Shows rate anomaly score with 🌊 icon when elevated
2. Added more webshell signatures:
- alfa/alfa-rex/alfanew (Alfa Team shells)
- mini.php, phpspy, antichat, idx, indoxploit
- Suspicious PHP files in wrong locations (admin.php in wp-includes, etc.)
Display format changes:
- Old: [01:25:35] 194.5.82.127 | Score:100 [CRITICAL] | ❓85 | /alfa-rex.php
- New: [01:25:35] 194.5.82.127 | Score:100 [CRITICAL] | πŸ›‘οΈET:WEBSHELL,TRAVERSAL | /alfa-rex.php
Features:
- Uses ET score if higher than legacy score
- Shows both ET detection and legacy detection when appropriate
- Rate flooding adds to combined score
- Auto-blocks at combined score β‰₯90
Tested:
- alfa-rex.php: Score 100, WEBSHELL detected βœ…
- admin.php: Score 100, WEBSHELL detected βœ…
- ws.php7: Score 95, UPLOAD detected βœ…
- All syntax validated βœ…
---
lib/attack-signatures.sh | 3 ++
modules/security/live-attack-monitor.sh | 49 ++++++++++++++++++-------
2 files changed, 39 insertions(+), 13 deletions(-)
diff --git a/lib/attack-signatures.sh b/lib/attack-signatures.sh
index b8dae77..b484de4 100644
--- a/lib/attack-signatures.sh
+++ b/lib/attack-signatures.sh
@@ -164,6 +164,9 @@ ATTACK_INCLUSION["lfi_proc"]="/proc/self/environ|/proc/self/fd||85||Process file
 ATTACK_WEBSHELL["known_shells"]="c99\\.php|r57\\.php|b374k|wso\\.php||95||Known webshell filename"
 ATTACK_WEBSHELL["known_shells2"]="shell\\.php|cmd\\.php|backdoor\\.php|webshell\\.php||95||Generic webshell filename"
 ATTACK_WEBSHELL["china_shells"]="caidao|chopper|godzilla|behinder||95||Chinese webshell"
+ATTACK_WEBSHELL["alfa_shell"]="alfa|alfanew|alfa-rex|alfacgiapi||95||Alfa Team webshell"
+ATTACK_WEBSHELL["common_shells"]="mini\\.php|phpspy|antichat|idx|indoxploit||95||Common webshells"
+ATTACK_WEBSHELL["suspicious_php"]="admin\\.php|wp-config\\.php|configuration\\.php.*\\?|index\\.php\\?||85||Suspicious PHP in wrong location"
 
 # Upload script abuse
 ATTACK_WEBSHELL["upload_shell"]="upload\\.php|uploader\\.php|file_upload\\.php||85||Upload script abuse"
diff --git a/modules/security/live-attack-monitor.sh b/modules/security/live-attack-monitor.sh
index 1e91007..cad2086 100755
--- a/modules/security/live-attack-monitor.sh
+++ b/modules/security/live-attack-monitor.sh
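Review bot: The new `alfa_shell`, `common_shells` and `suspicious_php` entries are unanchored substrings, so `alfa`, `idx` and `index\\.php\\?` match ordinary requests such as `/alfalfa.html`, `/images/idx/` or any `index.php?page=…`, and at 95/85 a single such hit (plus any rate increment) crosses the ≥90 auto-block threshold the monitor applies — a false positive here blocks a legitimate client. `alfa` already subsumes `alfanew`, `alfa-rex` and `alfacgiapi`, and `suspicious_php` checks no directory at all despite claiming "wrong location". If these are matched against the request path as the existing `c99\\.php`-style entries suggest, I would anchor to a filename boundary, e.g. `ATTACK_WEBSHELL["alfa_shell"]="(^|/)alfa(new|-rex|cgiapi)?\\.php||95||Alfa Team webshell"` and `ATTACK_WEBSHELL["common_shells"]="(^|/)(mini|phpspy|antichat|idx|indoxploit)\\.php||95||Common webshells"`, and make `suspicious_php` name the directories it means, e.g. `wp-includes/[^/]*\\.php|wp-content/uploads/[^/]*\\.php`. How these strings are compiled (grep -E vs. bash `=~`) is outside the hunk, so the escaping should follow the existing entries.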
@@ -1705,34 +1705,39 @@ monitor_apache_logs() {
 update_ip_intelligence "$ip" "$url" "$user_agent" "$method"
 
 # Enhanced attack detection using ET Open signatures
+ local et_attack_score=0
+ local et_attack_types=""
+ local et_signatures=""
+ local et_rate_score=0
+
 if type analyze_http_log_line &>/dev/null; then
 local attack_result=$(analyze_http_log_line "$line" 2>/dev/null)
 if [ -n "$attack_result" ]; then
- local attack_score="${attack_result%%||*}"
- if [ "$attack_score" -gt 0 ]; then
+ et_attack_score="${attack_result%%||*}"
+ if [ "$et_attack_score" -gt 0 ]; then
 local temp="${attack_result#*||}"
- local attack_types="${temp%%||*}"
+ et_attack_types="${temp%%||*}"
 temp="${temp#*||}"
- local signatures="${temp%%||*}"
+ et_signatures="${temp%%||*}"
 
 # Record attack with higher score
- update_ip_intelligence "$ip" "$url|ET:$attack_types|$signatures" "attack" "HTTP"
+ update_ip_intelligence "$ip" "$url|ET:$et_attack_types|$et_signatures" "attack" "HTTP"
 
 # Check rate anomaly
 if type record_request &>/dev/null && type detect_rate_anomaly &>/dev/null; then
 record_request "$ip"
 local rate_result=$(detect_rate_anomaly "$ip" 2>/dev/null)
- local rate_score="${rate_result%%||*}"
+ et_rate_score="${rate_result%%||*}"
 
 # Combine scores
- local combined_score=$((attack_score + rate_score))
+ local combined_score=$((et_attack_score + et_rate_score))
 [ "$combined_score" -gt 100 ] && combined_score=100
 
 # Auto-block critical attacks
 if [ "$combined_score" -ge 90 ]; then
- echo "[CRITICAL] Auto-blocking $ip (Score: $combined_score, Attacks: $attack_types)" >> "$TEMP_DIR/recent_events"
+ echo "[CRITICAL] Auto-blocking $ip (Score: $combined_score, Attacks: $et_attack_types)" >> "$TEMP_DIR/recent_events"
 if type quick_block_ip &>/dev/null; then
- quick_block_ip "$ip" "ET:$attack_types" &
+ quick_block_ip "$ip" "ET:$et_attack_types" &
 fi
 fi
 fi
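Review bot: `et_rate_score="${rate_result%%||*}"` replaces the `0` initialised at the top of the hunk with whatever `detect_rate_anomaly` printed, so if it prints nothing (its stderr is discarded) or something non-numeric the variable ends up empty or arbitrary; `$((et_attack_score + et_rate_score))` silently treats an empty name as 0, but the later `[ "$et_rate_score" -gt 0 ]` display test in this function does not, and `et_attack_score` has the same exposure through `attack_result`. I would validate both right after assignment, `[[ "$et_attack_score" =~ ^[0-9]+$ ]] || et_attack_score=0` and `[[ "$et_rate_score" =~ ^[0-9]+$ ]] || et_rate_score=0`, so a malformed helper result degrades to "no detection" instead of an `integer expression expected` error. `quick_block_ip "$ip" … &` is fired and forgotten with a value parsed from the log line; it is worth confirming, outside this hunk, that the parser only ever yields a literal address before it reaches whatever firewall command that helper runs. monitor_apache_logs starts before and continues after this hunk.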
@@ -1747,22 +1752,40 @@ monitor_apache_logs() {
 # Determine if this is a threat
 local level=$(get_threat_level "$score")
 
- # Log all traffic with attacks, or score > 0, or suspicious bots
+ # Log all traffic with attacks, or score > 0, or suspicious bots, or ET detection
 # This ensures we see everything interesting, not just high scores
- if [ "$score" -gt 0 ] || [ -n "$attacks" ] || [ "$bot_type" = "suspicious" ]; then
+ if [ "$score" -gt 0 ] || [ -n "$attacks" ] || [ "$bot_type" = "suspicious" ] || [ "$et_attack_score" -gt 0 ]; then
 local color=$(get_threat_color "$level")
 local time_str=$(date +"%H:%M:%S")
 
+ # Use ET score if higher than regular score
+ local display_score="$score"
+ if [ "$et_attack_score" -gt "$score" ]; then
+ display_score="$et_attack_score"
+ level=$(get_threat_level "$et_attack_score")
+ color=$(get_threat_color "$level")
+ fi
+
 # Build log line
 local log_line="${color}[${time_str}] $ip"
- log_line+=" | Score:$score [$level]"
+ log_line+=" | Score:$display_score [$level]"
+
+ # Show ET detection if found
+ if [ "$et_attack_score" -gt 0 ]; then
+ log_line+=" | πŸ›‘οΈET:$et_attack_types"
+ # Show rate info if elevated
+ if [ "$et_rate_score" -gt 0 ]; then
+ log_line+=" | 🌊Rate:+$et_rate_score"
+ fi
+ fi
 
 # Show bot type if interesting
 if [ "$bot_type" = "suspicious" ] || [ "$bot_type" = "ai" ]; then
 log_line+=" | Bot:$bot_type"
 fi
 
- if [ -n "$attacks" ]; then
+ # Show legacy attacks if no ET detection
+ if [ -n "$attacks" ] && [ "$et_attack_score" -eq 0 ]; then
 local first_attack=$(echo "$attacks" | cut -d',' -f1)
 local icon=$(get_attack_icon "$first_attack")
 log_line+=" | $icon$first_attack"
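Review bot: `if [ -n "$attacks" ] && [ "$et_attack_score" -eq 0 ]` suppresses the legacy classification whenever an ET signature matched, which contradicts the commit message's "shows both ET detection and legacy detection when appropriate" and drops a second, independent signal on exactly the lines an operator most needs to triage. Keeping the old condition, `if [ -n "$attacks" ]; then`, and letting the legacy field follow the ET field leaves the output for non-ET lines unchanged while still showing both when they disagree. `[ "$et_rate_score" -gt 0 ]` assumes the value parsed earlier in this function is numeric; that assignment lies outside this hunk. The shield icon in `log_line+=" | πŸ›‘οΈET:$et_attack_types"` appears as mojibake here while the wave icon does not, so it is worth confirming the file is saved as plain UTF-8 rather than double-encoded, since this string is written verbatim to the terminal. The enclosing `if` and monitor_apache_logs both continue past the end of the hunk.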