From e7cef6a61e34a8c791fae579e4e49717eea1c7b6 Mon Sep 17 00:00:00 2001
From: cschantz <admin@server.local>
Date: Fri, 6 Mar 2026 23:51:44 -0500
Subject: [PATCH] BUG FIX #13 & #14: Variable scope issues with target_ports
 and has_other_traffic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ISSUE:
Two more variables (target_ports and has_other_traffic) had the same scope issue:
declared inside the skip_scoring block but used outside in intel_tags logic.

ROOT CAUSE:
Similar pattern to previous scope bugs:
- Line 2859: local has_other_traffic=0  [INSIDE skip_scoring]
- Line 2861: local target_ports=...     [INSIDE skip_scoring]
- Line 3038: [ "$has_other_traffic" -eq 0 ] && intel_tags="...SPOOFED"  [OUTSIDE]
- Line 3038: [ "${target_ports:-0}" -eq 1 ] && intel_tags="...TARGETED"  [OUTSIDE]

When skip_scoring=1 (whitelisted IP), these variables are never initialized.
Undefined variables default to empty strings in bash, causing silent failures.

IMPACT:
- Whitelisted IPs: SPOOFED and TARGETED tags never shown
- Intel tags incomplete for whitelisted IPs
- Missing important threat indicators in threat summary
- Inconsistent threat classification

TIMELINE OF FAILURE:
1. skip_scoring=1 (IP is whitelisted, e.g., 20+ established connections)
2. skip_scoring block NOT executed (lines 2761-2976)
3. has_other_traffic NEVER initialized
4. target_ports NEVER initialized
5. Line 3038-3039: Both variables undefined, conditions fail
6. SPOOFED and TARGETED tags not added to intel_tags
7. User sees incomplete threat assessment

FIX:
Move both variable declarations OUTSIDE skip_scoring block:
- Initialize: local has_other_traffic=0
- Initialize: local target_ports=0
- Use these variables in skip_scoring calculations (assign values)
- Use same variables outside skip_scoring (no re-declaration needed)

This is now the 5th variable with this scope issue (multi_vector, geo_bonus,
ratio, target_ports, has_other_traffic). All now fixed in one place.

VERIFICATION:
- Syntax: ✓ Pass
- Scope: ✓ Both variables available inside and outside skip_scoring
- Logic: ✓ Values properly propagated to intel_tags

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
---
 modules/security/live-attack-monitor-v2.sh | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 064304a..9e4540c 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -2749,12 +2749,15 @@ monitor_network_attacks() {
                                 fi
 
                                 # CRITICAL FIX: Declare variables before skip_scoring block
-                                # Bug: multi_vector, geo_bonus, and ratio were declared inside skip_scoring but used outside
-                                # When skip_scoring=1, local vars never initialized, causing undefined variable in intel_tags logic
+                                # Bug: multi_vector, geo_bonus, ratio, target_ports, and has_other_traffic
+                                #      were declared inside skip_scoring but used outside in intel_tags logic
+                                # When skip_scoring=1, local vars never initialized, causing undefined variable errors
                                 # Fix: Move declarations outside skip_scoring so they're always available
                                 local multi_vector=0
                                 local geo_bonus=0
                                 local ratio=0
+                                local target_ports=0
+                                local has_other_traffic=0
 
                                 # Only do scoring/tracking if not whitelisted
                                 if [ "$skip_scoring" -eq 0 ]; then
@@ -2833,7 +2836,7 @@ monitor_network_attacks() {
                                     # Bug: was trying to read from individual ip_* file which may not exist
                                     # If this is first SYN detection of an IP with prior HTTP attacks, file won't exist
                                     # Result: has_other_traffic stays 0, missing indicator of multi-attack IP
-                                    local has_other_traffic=0
+                                    # Note: has_other_traffic declared outside skip_scoring block (line ~2760) for scope
                                     # If has HTTP attacks in history, not spoofed
                                     if [[ "$attacks" =~ (SQLI|XSS|BRUTE|SCAN) ]]; then
                                         has_other_traffic=1
@@ -2851,7 +2854,8 @@ monitor_network_attacks() {
                                     # Bug: Unquoted 'src "$ip"' was treated as separate arguments, not a filter expression
                                     # Result: ss silently ignores the filter and returns ALL syn-recv (giving wrong port count)
                                     # Fix: Quote the expression so ss parses it correctly: 'src IP'
-                                    local target_ports=$(ss -tn "state syn-recv src $ip" 2>/dev/null | grep -oP ':\d+\s+' | sort -u | wc -l)
+                                    # Note: target_ports declared outside skip_scoring block (line ~2760) for scope
+                                    target_ports=$(ss -tn "state syn-recv src $ip" 2>/dev/null | grep -oP ':\d+\s+' | sort -u | wc -l)
                                     [ -z "$target_ports" ] && target_ports=0
                                     if [ "$target_ports" -eq 1 ] && [ "$count" -ge 8 ]; then
                                         conn_bonus=$((conn_bonus + 10))  # Single port = targeted attack