cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
dd643b7d0e66a2c2335fe09438298674506ad4c0
Linux-Server-Management-Too…/tools
T
History
cschantz dd643b7d0e Rewrite historical attack analyzer to show per-IP summaries 
Issue:
User reported: "it seems to just list all possible hits"
- Old format listed every individual attack hit
- No grouping or organization by IP
- Hard to understand what each IP actually did
- No reputation context

User Request:
"show an IP, saying what it did, saying how many times it did it,
and what its reputation is"

Solution:
Completely rewrote output format to group by IP with summaries:

New Output Format:
================================================================================
ATTACKING IPs - DETAILED BREAKDOWN
================================================================================

[1] 192.168.1.100
    Attacks: 15 | Avg Score: 87 | Threat Level: CRITICAL
    Attack Types: WEBSHELL(8), SQLI(5), XSS(2)
    Reputation: AbuseIPDB 85% confidence (142 reports) | China
    Sample Targets:
      - /wp-admin/alfa-rex.php
      - /admin.php?id=1' union select...
      - /upload.php?file=../../../../etc/passwd

[2] 45.83.66.23
    Attacks: 8 | Avg Score: 92 | Threat Level: CRITICAL
    Attack Types: CMD(5), TRAVERSAL(3)
    Sample Targets:
      - /cgi-bin/admin.cgi?cmd=cat%20/etc/passwd
      - /../../../etc/shadow

Changes Made:

1. Added IP-level tracking (lines 151-153):
   - IP_ATTACK_DETAILS: Store all attack types per IP
   - IP_ATTACK_COUNT: Count total attacks per IP
   - IP_SAMPLE_URLS: Store first 3 sample URLs per IP

2. Track data during scan (lines 240-260):
   - Aggregate attack types per IP
   - Keep sample URLs for context
   - Count occurrences of each attack type

3. New output section (lines 284-352):
   - Sort IPs by cumulative threat score (worst first)
   - Calculate average score per IP
   - Count attack type occurrences: "SQLI(5), XSS(2)"
   - Show reputation from AbuseIPDB (if available)
   - Display sample target URLs for context
   - Limit to top 50 attacking IPs

4. Improved summary stats (lines 360-381):
   - Added "Unique attacking IPs" count
   - Condensed attack type summary to top 10
   - Removed redundant "Top Signatures" section

5. Source IP reputation library (line 30):
   - Optional: loads get_threat_intelligence() if available
   - Gracefully skips reputation if not available

Benefits:
 Clean per-IP summary (not a flood of individual hits)
 Shows what each IP did and how many times
 Includes reputation context from AbuseIPDB
 Sample URLs provide attack pattern examples
 Sorted by threat level (worst attackers first)
 Much easier to understand and act on
2025-12-13 02:40:34 -05:00
..
analyze-historical-attacks.sh
Rewrite historical attack analyzer to show per-IP summaries
2025-12-13 02:40:34 -05:00
diagnostic-report.sh
Fix 9 MEDIUM hardcoded /var/cpanel paths - ALL MEDIUM ISSUES RESOLVED!
2025-12-03 20:19:43 -05:00
erase-toolkit-traces.sh
Fix CRITICAL and HIGH priority QA issues
2025-12-04 16:17:59 -05:00
toolkit-qa-check.sh
Add CHECK 31 to QA script: detect 'local' outside functions
2025-12-13 02:32:12 -05:00
update-attack-signatures.sh
Add Suricata-inspired attack detection with ET Open signatures
2025-12-13 00:02:14 -05:00