Implement time-based learning: IPs detected multiple times with SYN activity
should have lower thresholds on subsequent detections.
Logic:
- First detection (hits=1): threshold as configured
- Second detection (hits=2): threshold -= 1 (easier to detect again)
- Third+ detection (hits=3+): threshold -= 2 (very suspicious if pattern repeats)
This catches persistent attackers that probe at low levels repeatedly.
Previous behavior: reset tracking after each scan, preventing pattern recognition.
New behavior: track hits across scans, recognize repeat offenders.
Example: IP with 4 connections detected twice
- First time: threshold=3, count=4 > 3 → detected ✓
- Second time: threshold=3-1=2, count=4 > 2 → detected again ✓
- Third time: threshold=3-2=1, count=4 > 1 → caught even at 2 connections ✓
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
cschantz
3946a84e58