ISSUE:
Two more variables (target_ports and has_other_traffic) had the same scope issue:
declared inside the skip_scoring block but used outside in intel_tags logic.
ROOT CAUSE:
Similar pattern to previous scope bugs:
- Line 2859: local has_other_traffic=0 [INSIDE skip_scoring]
- Line 2861: local target_ports=... [INSIDE skip_scoring]
- Line 3038: [ "$has_other_traffic" -eq 0 ] && intel_tags="...SPOOFED" [OUTSIDE]
- Line 3038: [ "${target_ports:-0}" -eq 1 ] && intel_tags="...TARGETED" [OUTSIDE]
When skip_scoring=1 (whitelisted IP), these variables are never initialized.
Undefined variables default to empty strings in bash, causing silent failures.
IMPACT:
- Whitelisted IPs: SPOOFED and TARGETED tags never shown
- Intel tags incomplete for whitelisted IPs
- Missing important threat indicators in threat summary
- Inconsistent threat classification
TIMELINE OF FAILURE:
1. skip_scoring=1 (IP is whitelisted, e.g., 20+ established connections)
2. skip_scoring block NOT executed (lines 2761-2976)
3. has_other_traffic NEVER initialized
4. target_ports NEVER initialized
5. Line 3038-3039: Both variables undefined, conditions fail
6. SPOOFED and TARGETED tags not added to intel_tags
7. User sees incomplete threat assessment
FIX:
Move both variable declarations OUTSIDE skip_scoring block:
- Initialize: local has_other_traffic=0
- Initialize: local target_ports=0
- Use these variables in skip_scoring calculations (assign values)
- Use same variables outside skip_scoring (no re-declaration needed)
This is now the 5th variable with this scope issue (multi_vector, geo_bonus,
ratio, target_ports, has_other_traffic). All now fixed in one place.
VERIFICATION:
- Syntax: ✓ Pass
- Scope: ✓ Both variables available inside and outside skip_scoring
- Logic: ✓ Values properly propagated to intel_tags
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
cschantz
e7cef6a61e