From ecde6dfe0cbba371c1ae0525451395c62db61848 Mon Sep 17 00:00:00 2001 
From: cschantz
Date: Sat, 13 Dec 2025 02:54:59 -0500
Subject: [PATCH] Fix critical function name conflict breaking live monitor detection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CRITICAL BUG FOUND: The live monitor was missing most attack detections due to
a function name conflict between legacy and ET signature systems.

Root Cause:

1. Legacy detect_all_attacks() in attack-patterns.sh
   - Returns: "SQL_INJECTION,XSS,RCE"
   - Used by update_ip_intelligence() at line 292

2. ET detect_all_attacks() in attack-signatures.sh
   - Returns: "max_severity||match_count||detailed_data"
   - OVERWRITES legacy function when sourced!

3. Source Order (live-attack-monitor.sh):
   Line 23: source attack-patterns.sh (defines legacy function)
   Line 27: source attack-signatures.sh (OVERWRITES with ET version)

Impact: When update_ip_intelligence() called detect_all_attacks(), it got ET's
complex format instead of simple attack names, causing:
- Parse failures (expecting "SQLI" but getting "90||2||90||SQLI||...")
- Empty attack lists
- No legacy attack detection in live monitor
- Only ET detection via analyze_http_log_line() was working

User Report: "is the live monitor missing anything any logic or anything from
all of the signatures we imported"
YES - it was missing ALL legacy pattern detection!

Solution: Renamed ET function to avoid conflict:
detect_all_attacks() → detect_all_attack_signatures()

Changes Made:

1. lib/attack-signatures.sh (line 262):
   - Renamed: detect_all_attacks → detect_all_attack_signatures
   - Added comment explaining the rename reason

2. lib/http-attack-analyzer.sh (line 46):
   - Updated call: detect_all_attacks → detect_all_attack_signatures
   - This is the only legitimate caller of ET function

Now Both Systems Work:
✅ Legacy detect_all_attacks() - returns "SQLI,XSS"
✅ ET detect_all_attack_signatures() - returns detailed ET data
✅ ET analyze_http_log_line() - main ET detection entry point

Testing:
- Legacy function: Returns "SQL_INJECTION,HTTP_SMUGGLING" ✅
- ET function: Returns "90||2||90||SQLI||union_select||..." ✅
- No more function overwriting ✅

This restores full attack detection in the live monitor!
--- lib/attack-signatures.sh | 5 +++-- lib/http-attack-analyzer.sh | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/attack-signatures.sh b/lib/attack-signatures.sh index b484de4..7af0147 100644 --- a/lib/attack-signatures.sh +++ b/lib/attack-signatures.sh @@ -255,10 +255,11 @@ check_attack_pattern() { } # Get all matching patterns across all categories -# Usage: detect_all_attacks "$request_line" +# Usage: detect_all_attack_signatures "$request_line" # Returns: max_severity|match_count|matches (space-separated) # Each match format: severity|category|pattern_name|description -detect_all_attacks() { +# Note: Renamed to avoid conflict with legacy detect_all_attacks in attack-patterns.sh +detect_all_attack_signatures() { local request="$1" local matches=() local max_severity=0 diff --git a/lib/http-attack-analyzer.sh b/lib/http-attack-analyzer.sh index c6c62c2..eba7a2c 100644 --- a/lib/http-attack-analyzer.sh +++ b/lib/http-attack-analyzer.sh @@ -43,7 +43,7 @@ Referer: $referer User-Agent: $user_agent" # Detect attacks using signature database - local attack_result=$(detect_all_attacks "$full_request" 2>/dev/null) + local attack_result=$(detect_all_attack_signatures "$full_request" 2>/dev/null) if [ -n "$attack_result" ]; then # Parse result: max_severity||match_count||matches...
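Review bot: in the lib/attack-signatures.sh hunk the doc comment that is kept unchanged, "# Returns: max_severity|match_count|matches (space-separated)", still documents a single-pipe separator, while the commit message and the caller's own comment in lib/http-attack-analyzer.sh ("# Parse result: max_severity||match_count||matches...") describe a double-pipe format; since this patch already rewrites the surrounding comment block, that "Returns:" line should be corrected to the "||" format so the next person wiring a caller does not split on the wrong delimiter. Separately, the rename is justified by "this is the only legitimate caller of ET function", which is an assertion rather than something the diff shows; a quick grep for any remaining detect_all_attacks references across lib/ and the monitor script, and a note of its result in the commit message, would make the claim verifiable and catch a caller that still expects the ET format from the legacy name.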
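Review bot: in the lib/http-attack-analyzer.sh hunk the updated line keeps "2>/dev/null" on the command substitution, and that redirect is exactly what made this bug invisible: if detect_all_attack_signatures is ever undefined again (library not sourced, or renamed without updating this call), bash's "command not found" message is discarded, attack_result is empty, and the following "if [ -n "$attack_result" ]" silently treats it as "no attack". The "local attack_result=$(...)" form also masks the function's exit status, because the statement's status is that of local, so there is no signal at all. Suggest splitting declaration and assignment and not silencing stderr, e.g. "local attack_result" followed by "attack_result=$(detect_all_attack_signatures "$full_request") || { echo "signature detection failed" >&2; return 1; }", or at minimum a "declare -F detect_all_attack_signatures >/dev/null" guard where the libraries are sourced, so a missing or renamed function fails loudly instead of producing an empty detection list.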
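The root cause described in the commit message (a later "source" quietly replacing a function of the same name defined by an earlier one) is easy to reproduce and easy to guard against. The bash script below is an added example, not code from this project: the two library files are constructed stand-ins for lib/attack-patterns.sh and lib/attack-signatures.sh that mimic the two return formats quoted in the message, and detect_with_order, lib_functions and check_function_collisions are hypothetical helpers. It first shows that whichever library is sourced last wins, with no warning from bash, then runs a pre-source collision check that reports the shared name before the rename and nothing after it.

```bash
#!/usr/bin/env bash
# Added example (not project code). Requires bash: it relies on declare -F.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for lib/attack-patterns.sh: legacy detector returning
# comma-separated attack names.
cat >"$WORK/attack-patterns.sh" <<'EOF'
detect_all_attacks() {
    local req="$1" out=""
    case "$req" in *[Uu][Nn][Ii][Oo][Nn]*[Ss][Ee][Ll][Ee][Cc][Tt]*) out="SQL_INJECTION" ;; esac
    case "$req" in *"<script"*) out="${out:+$out,}XSS" ;; esac
    printf '%s\n' "$out"
}
EOF

# Constructed stand-in for lib/attack-signatures.sh before this patch: the ET
# detector with the SAME function name, returning "sev||count||details".
cat >"$WORK/attack-signatures.sh" <<'EOF'
detect_all_attacks() {
    case "$1" in
        *[Uu][Nn][Ii][Oo][Nn]*[Ss][Ee][Ll][Ee][Cc][Tt]*) printf '90||1||90||SQLI||union_select\n' ;;
        *) printf '\n' ;;
    esac
}
EOF

# The same ET library after the rename made by this patch.
sed 's/^detect_all_attacks()/detect_all_attack_signatures()/' \
    "$WORK/attack-signatures.sh" >"$WORK/attack-signatures-renamed.sh"

# Source two libraries in the given order inside a subshell (so every call
# starts from a clean function table) and run detect_all_attacks. The file
# sourced last silently replaces the earlier definition.
detect_with_order() {
    ( source "$1"; source "$2"; detect_all_attacks "$3" )
}

# Names of the functions a library defines, found by sourcing it in a fresh
# bash process that carries no other user functions.
lib_functions() {
    bash -c 'source "$1" >/dev/null 2>&1; declare -F' _ "$1" | awk '{print $3}' | sort
}

# Print every function name defined by BOTH libraries; return 1 if any exist.
# Intended to run before the libraries are sourced into the live monitor.
check_function_collisions() {
    local dupes
    lib_functions "$1" >"$WORK/funcs_a.txt"
    lib_functions "$2" >"$WORK/funcs_b.txt"
    dupes="$(comm -12 "$WORK/funcs_a.txt" "$WORK/funcs_b.txt")"
    [ -z "$dupes" ] || { printf '%s\n' "$dupes"; return 1; }
}

# Constructed request line containing both a SQLi and an XSS marker.
REQ='GET /?id=1 UNION SELECT 1,2 <script>alert(1)</script> HTTP/1.1'

printf 'monitor order (patterns, then signatures): %s\n' \
    "$(detect_with_order "$WORK/attack-patterns.sh" "$WORK/attack-signatures.sh" "$REQ")"
printf 'reversed order (signatures, then patterns): %s\n' \
    "$(detect_with_order "$WORK/attack-signatures.sh" "$WORK/attack-patterns.sh" "$REQ")"
printf 'collisions before rename: '
check_function_collisions "$WORK/attack-patterns.sh" "$WORK/attack-signatures.sh" || true
printf 'collisions after rename: '
check_function_collisions "$WORK/attack-patterns.sh" "$WORK/attack-signatures-renamed.sh" && echo none
```

In the monitor's order the legacy caller receives "90||1||90||SQLI||union_select" where it expects "SQL_INJECTION,XSS", which is the parse failure the commit describes; reversing the order would instead break the ET caller. The collision check is the regression guard that does not depend on remembering the rename: run it against each pair of libraries in the monitor's startup path and refuse to start (or at least log) when it prints a name.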