Fix critical function name conflict breaking live monitor detection
CRITICAL BUG FOUND: The live monitor was missing most attack detections due to a function name conflict between legacy and ET signature systems.

Root Cause:
1. Legacy detect_all_attacks() in attack-patterns.sh
   - Returns: "SQL_INJECTION,XSS,RCE"
   - Used by update_ip_intelligence() at line 292
2. ET detect_all_attacks() in attack-signatures.sh
   - Returns: "max_severity||match_count||detailed_data"
   - OVERWRITES legacy function when sourced!
3. Source Order (live-attack-monitor.sh):
   Line 23: source attack-patterns.sh (defines legacy function)
   Line 27: source attack-signatures.sh (OVERWRITES with ET version)

Impact: When update_ip_intelligence() called detect_all_attacks(), it got ET's complex format instead of simple attack names, causing:
- Parse failures (expecting "SQLI" but getting "90||2||90||SQLI||...")
- Empty attack lists
- No legacy attack detection in live monitor
- Only ET detection via analyze_http_log_line() was working

User Report: "is the live monitor missing anything any logic or anything from all of the signatures we imported"
YES - it was missing ALL legacy pattern detection!

Solution: Renamed ET function to avoid conflict:
detect_all_attacks() → detect_all_attack_signatures()

Changes Made:
1. lib/attack-signatures.sh (line 262):
   - Renamed: detect_all_attacks → detect_all_attack_signatures
   - Added comment explaining the rename reason
2. lib/http-attack-analyzer.sh (line 46):
   - Updated call: detect_all_attacks → detect_all_attack_signatures
   - This is the only legitimate caller of ET function

Now Both Systems Work:
✅ Legacy detect_all_attacks() - returns "SQLI,XSS"
✅ ET detect_all_attack_signatures() - returns detailed ET data
✅ ET analyze_http_log_line() - main ET detection entry point

Testing:
- Legacy function: Returns "SQL_INJECTION,HTTP_SMUGGLING" ✅
- ET function: Returns "90||2||90||SQLI||union_select||..." ✅
- No more function overwriting ✅

This restores full attack detection in the live monitor!
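The shadowing mechanism the commit message describes, as an added example that is not code from this repository: two constructed stand-in libraries both define detect_all_attacks, and a source_checked guard (an assumed helper, not part of the project) refuses to source a file whose function names already resolve in the shell, so the collision fails at startup instead of silently dropping detections.

```shell
#!/bin/sh
# Added example, not code from this repository: reproduces the silent function
# shadowing that the commit describes and shows a guard that makes it fail loudly.
set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for attack-patterns.sh and attack-signatures.sh, each
# defining detect_all_attacks with a different return format (as in the commit).
cat > "$WORK/attack-patterns.sh" <<'EOF'
detect_all_attacks() { printf '%s\n' "SQLI,XSS"; }
EOF
cat > "$WORK/attack-signatures.sh" <<'EOF'
detect_all_attacks() { printf '%s\n' "90||2||90||SQLI||union_select"; }
EOF

# Print the names of top-level "name() {" functions defined in a shell library.
list_functions() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*()[[:space:]]*{.*/\1/p' "$1"
}

# source_checked FILE: source FILE only if none of its function names already
# resolves (function, builtin or PATH command); otherwise return 1 and source nothing.
source_checked() {
    _file="$1"
    for _fn in $(list_functions "$_file"); do
        if command -v "$_fn" >/dev/null 2>&1; then
            echo "refusing to source $_file: $_fn is already defined" >&2
            return 1
        fi
    done
    . "$_file"
}

# Unguarded source order from live-attack-monitor.sh: the second file silently
# replaces the legacy function, so the legacy caller gets the ET format.
shadowed_result() {
    ( . "$WORK/attack-patterns.sh"; . "$WORK/attack-signatures.sh"; detect_all_attacks )
}

# Guarded order: the collision is rejected and the legacy output survives.
guarded_result() {
    ( . "$WORK/attack-patterns.sh"
      if source_checked "$WORK/attack-signatures.sh" 2>/dev/null; then
          echo "UNEXPECTED: collision not detected"
      else
          detect_all_attacks
      fi )
}
```

Wiring source_checked into the monitor's source lines would turn any future duplicate function name into a startup error rather than a silent loss of coverage.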
@@ -255,10 +255,11 @@ check_attack_pattern() {
}
# Get all matching patterns across all categories
# Usage: detect_all_attacks "$request_line"
# Usage: detect_all_attack_signatures "$request_line"
# Returns: max_severity|match_count|matches (space-separated)
# Each match format: severity|category|pattern_name|description
detect_all_attacks() {
# Note: Renamed to avoid conflict with legacy detect_all_attacks in attack-patterns.sh
detect_all_attack_signatures() {
local request="$1"
local matches=()
local max_severity=0
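Review bot: the header comment kept on the renamed function still documents the return value as `max_severity|match_count|matches` with single-pipe separators, while the commit message states that the ET function returns `90||2||90||SQLI||union_select||...` with double pipes; since callers split on this separator, the comment should state the one actually emitted. The rename also only resolves this one collision: both libraries are sourced into the same shell namespace, so the next duplicate name would again overwrite silently with no error. Consider prefixing all ET signature functions consistently (for example `et_detect_all_attack_signatures`), or adding a check in live-attack-monitor.sh that verifies with `command -v` that each function name a library defines is not already defined before sourcing it, so a loss of detection coverage surfaces at startup rather than in the logs. The caller update in lib/http-attack-analyzer.sh mentioned in the message is not part of this hunk, so reviewers should confirm no other caller of the old name remains.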