Fix critical function name conflict breaking live monitor detection
CRITICAL BUG FOUND: The live monitor was missing most attack detections due to a function name conflict between legacy and ET signature systems. Root Cause: 1. Legacy detect_all_attacks() in attack-patterns.sh - Returns: "SQL_INJECTION,XSS,RCE" - Used by update_ip_intelligence() at line 292 2. ET detect_all_attacks() in attack-signatures.sh - Returns: "max_severity||match_count||detailed_data" - OVERWRITES legacy function when sourced! 3. Source Order (live-attack-monitor.sh): Line 23: source attack-patterns.sh (defines legacy function) Line 27: source attack-signatures.sh (OVERWRITES with ET version) Impact: When update_ip_intelligence() called detect_all_attacks(), it got ET's complex format instead of simple attack names, causing: - Parse failures (expecting "SQLI" but getting "90||2||90||SQLI||...") - Empty attack lists - No legacy attack detection in live monitor - Only ET detection via analyze_http_log_line() was working User Report: "is the live monitor missing anything any logic or anything from all of the signatures we imported" YES - it was missing ALL legacy pattern detection! Solution: Renamed ET function to avoid conflict: detect_all_attacks() → detect_all_attack_signatures() Changes Made: 1. lib/attack-signatures.sh (line 262): - Renamed: detect_all_attacks → detect_all_attack_signatures - Added comment explaining the rename reason 2. lib/http-attack-analyzer.sh (line 46): - Updated call: detect_all_attacks → detect_all_attack_signatures - This is the only legitimate caller of ET function Now Both Systems Work: ✅ Legacy detect_all_attacks() - returns "SQLI,XSS" ✅ ET detect_all_attack_signatures() - returns detailed ET data ✅ ET analyze_http_log_line() - main ET detection entry point Testing: - Legacy function: Returns "SQL_INJECTION,HTTP_SMUGGLING" ✅ - ET function: Returns "90||2||90||SQLI||union_select||..." ✅ - No more function overwriting ✅ This restores full attack detection in the live monitor!
This commit is contained in:
cschantz
@@ -255,10 +255,11 @@ check_attack_pattern() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
# Get all matching patterns across all categories
|
# Get all matching patterns across all categories
|
||||||
# Usage: detect_all_attacks "$request_line"
|
# Usage: detect_all_attack_signatures "$request_line"
|
||||||
# Returns: max_severity|match_count|matches (space-separated)
|
# Returns: max_severity|match_count|matches (space-separated)
|
||||||
# Each match format: severity|category|pattern_name|description
|
# Each match format: severity|category|pattern_name|description
|
||||||
detect_all_attacks() {
|
# Note: Renamed to avoid conflict with legacy detect_all_attacks in attack-patterns.sh
|
||||||
|
detect_all_attack_signatures() {
|
||||||
local request="$1"
|
local request="$1"
|
||||||
local matches=()
|
local matches=()
|
||||||
local max_severity=0
|
local max_severity=0
|
||||||
|
|||||||
@@ -43,7 +43,7 @@ Referer: $referer
|
|||||||
User-Agent: $user_agent"
|
User-Agent: $user_agent"
|
||||||
|
|
||||||
# Detect attacks using signature database
|
# Detect attacks using signature database
|
||||||
local attack_result=$(detect_all_attacks "$full_request" 2>/dev/null)
|
local attack_result=$(detect_all_attack_signatures "$full_request" 2>/dev/null)
|
||||||
|
|
||||||
if [ -n "$attack_result" ]; then
|
if [ -n "$attack_result" ]; then
|
||||||
# Parse result: max_severity||match_count||matches...
|
# Parse result: max_severity||match_count||matches...
|
||||||
|
|||||||
Reference in New Issue
Block a user