Integrate enhanced attack detection into live-attack-monitor
INTEGRATION FIX:
Updated live-attack-monitor.sh to pass user_agent and ip parameters to detect_all_attacks() function, enabling all 25 attack detection patterns.
CHANGES:
- lib/attack-patterns.sh: detect_all_attacks() signature updated to accept 4 parameters:
* url (required)
* method (optional, default: GET)
* user_agent (optional) - enables SUSPICIOUS_UA and BOT_FINGERPRINT detection
* ip (optional) - enables ANONYMIZER detection
- modules/security/live-attack-monitor.sh line 260:
OLD: local new_attacks=$(detect_all_attacks "$url" "$method")
NEW: local new_attacks=$(detect_all_attacks "$url" "$method" "$user_agent" "$ip")
IMPACT:
Live-attack-monitor now detects all 25 attack types in real-time:
- URL-based attacks (SQL, XSS, Path, RCE, XXE, SSRF, etc.) ✓
- Application attacks (CMS, e-commerce, API abuse, credential stuffing) ✓
- Protocol attacks (HTTP smuggling, LDAP, file upload, GraphQL) ✓
- Behavioral detection (suspicious UA, bot fingerprinting) ✓ NEW
- Network-based (Tor/VPN detection when external data available) ✓ NEW
BACKWARD COMPATIBILITY:
- user_agent and ip are optional parameters
- Existing calls with just url+method still work
- bot-analyzer.sh uses AWK for batch performance (no changes needed)
TESTING NOTES:
- Syntax validated: bash -n passed
- All new detection patterns now active in real-time monitoring
- Attack scoring includes behavioral and network-based threats
- Icons and colors display correctly for all 25 attack types
cschantz
7da636ef61