cschantz bec70c35bb BUG FIX #8: Multi-vector attack detection using stale individual IP files
ISSUE:
When an IP has a history of HTTP attacks (SQLI, XSS, RCE, etc.) and is later
detected performing a SYN flood attack, the code failed to recognize it as a
multi-vector/sophisticated attacker.

ROOT CAUSE:
Lines 2821 and 2852 were reading attack history from individual ip_* files:
  if [ -f "$TEMP_DIR/ip_${ip//\./_}" ]; then
      local existing_attacks=$(cut -d'|' -f4 "$TEMP_DIR/ip_${ip//\./_}" ...)
  fi

But the individual ip_* file:
1. May not exist on FIRST SYN detection (created only after SYN detection written)
2. May be out of sync with centralized ip_data file
3. Is unnecessary - attack history was already loaded and parsed!

TIMELINE OF FAILURE:
1. IP performs HTTP attacks (SQLI) → stored in centralized ip_data
2. Script loads from ip_data: attacks="SQLI" (line 2597) ✓ Correct!
3. Code then IGNORES $attacks variable
4. Code checks if individual ip_* file exists → doesn't exist yet
5. Condition fails → has_other_traffic=0, multi_vector=0
6. Multi-vector bonus (+30) NOT applied
7. Spoofed source bonus (+20) incorrectly applied

IMPACT:
- Attacks by known sophisticated attackers (prior HTTP attacks) missed +30 bonus
- False positives for spoofed source detection on first SYN occurrence
- Historical attack context completely ignored on SYN detection

FIX:
Use the already-loaded and correct $attacks variable instead of attempting
file I/O on potentially non-existent or stale individual IP files.

LINES CHANGED:
- 2821: Read from $attacks instead of ip_file
- 2852: Read from $attacks instead of ip_file

VERIFICATION:
- Syntax: ✓ Pass
- Logic: ✓ Uses centralized data source (consistent with line 2597)
- Performance: ✓ Eliminates unnecessary file I/O

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
2026-03-06 23:45:27 -05:00
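
The failure timeline in the commit message, reproduced as an added example (not the project's code): on the first SYN detection the per-IP file does not exist yet, so the stale lookup skips the +30 multi-vector bonus and applies the +20 spoofed-source bonus, while the already-loaded history gives the right result. Assumptions: the `ip_data` record layout, the function names, the sample IP, and the rule that any prior attack history sets both `has_other_traffic` and `multi_vector`.

```shell
#!/bin/sh
# Added illustration, not the project's code. Record layout and bonus rules are
# assumptions drawn from the commit message (attacks in field 4, +30, +20).
TEMP_DIR=$(mktemp -d)

# Constructed sample: the centralized store already holds this IP's HTTP history.
# Assumed layout: ip|first_seen|hits|attacks
printf '%s\n' '203.0.113.7|1700000000|42|SQLI' > "$TEMP_DIR/ip_data"

# Load attack history from the centralized ip_data file (the page's $attacks).
load_attacks() {
    awk -F'|' -v ip="$1" '$1 == ip { print $4 }' "$TEMP_DIR/ip_data"
}

# SYN-flood bonus for a given attack-history string.
syn_bonus() {
    history="$1"; has_other_traffic=0; multi_vector=0; bonus=0
    if [ -n "$history" ]; then
        has_other_traffic=1
        multi_vector=1
    fi
    if [ "$multi_vector" -eq 1 ]; then bonus=$((bonus + 30)); fi       # multi-vector
    if [ "$has_other_traffic" -eq 0 ]; then bonus=$((bonus + 20)); fi  # spoofed source
    echo "$bonus"
}

# Before the fix: history re-read from the per-IP file, which may not exist yet.
bonus_from_ip_file() {
    ip_file="$TEMP_DIR/ip_$(printf '%s' "$1" | tr . _)"
    existing_attacks=""
    if [ -f "$ip_file" ]; then
        existing_attacks=$(cut -d'|' -f4 "$ip_file")
    fi
    syn_bonus "$existing_attacks"
}

# After the fix: reuse the history already loaded from ip_data.
bonus_from_loaded() {
    attacks=$(load_attacks "$1")
    syn_bonus "$attacks"
}

echo "per-IP file (before): +$(bonus_from_ip_file 203.0.113.7)"
echo "loaded \$attacks (after): +$(bonus_from_loaded 203.0.113.7)"
```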