ISSUE:
Single-target focus detection (identifying botnets that attack specific ports)
was non-functional due to incorrect ss command syntax.
ROOT CAUSE:
Line 2836 used unquoted ss expression filter:
ss -tn state syn-recv src "$ip" 2>/dev/null
When bash expands the variable, ss receives:
ss -tn state syn-recv src 1.2.3.4
The ss filter EXPRESSION syntax requires quotes for proper parsing:
ss [OPTIONS] 'state syn-recv src 1.2.3.4'
Without quotes, ss treats 'src' and '1.2.3.4' as separate positional arguments
(not part of the EXPRESSION), causing the filter to be silently ignored.
BEHAVIOR WITH BUG:
1. ss silently ignores invalid unquoted filter
2. Returns ALL syn-recv connections instead of just ones from target IP
3. grep finds no matching ports (header line only)
4. target_ports=0
5. Bonus NOT applied (conditions check for target_ports >= 1)
6. Single-target detection completely non-functional
FIX:
Quote the ss EXPRESSION so it's parsed correctly:
ss -tn "state syn-recv src $ip" 2>/dev/null
This properly constructs the EXPRESSION and filters by source IP address.
IMPACT:
- Single-port targeted attacks now properly detected and scored (+10 bonus)
- Multi-target attacks (2 ports) properly identified (+5 bonus)
- More accurate threat classification of botnet attack patterns
VERIFICATION:
- Syntax: ✓ Pass
- ss filter format: ✓ Correct (matches man page EXPRESSION syntax)
- Variable quoting: ✓ Safe (IP addresses are numeric, no injection risk)
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
cschantz
0206237449