cschantz/Linux-Server-Management-Toolkit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CRITICAL: Fix massive false positives causing Score:100 on legitimate traffic

Browse Source 
Problem:
- Normal URLs like /contactus.aspx reaching Score:100
- Legitimate browser traffic being flagged as attacks
- Auto-blocking legitimate users

Root Cause #1: HTTP_SMUGGLING Detection
- Regex pattern \n matched literal letter 'n' in URLs
- ANY URL with 'n' triggered +22 point penalty
- /index.html, /contactus.aspx, /admin/login all false positives

Root Cause #2: SUSPICIOUS_UA Detection
- Pattern ^mozilla/[45]\.0 matched ALL modern browsers
- Every Chrome/Firefox/Safari user flagged as suspicious
- Added +15 points to every request
- Combined with 'suspicious' bot classification: +30 total

Impact:
Before fix:
  /contactus.aspx with Chrome = 52 points (3 false attack types)
  After 2-3 requests = Score:100 = auto-blocked

After fix:
  /contactus.aspx with Chrome = 0 points (correct)
  /contactus.aspx with curl = 15 points (correct - is suspicious)

Changes:
1. HTTP_SMUGGLING: Only check URL-encoded CRLF (%0d%0a)
   - Removed literal \r\n and \n patterns (match letters!)
   - Real attacks still detected correctly

2. SUSPICIOUS_UA: Only flag incomplete Mozilla UAs
   - Changed ^mozilla/[45]\.0 to ^mozilla/[45]\.0$
   - Now only matches bare 'Mozilla/5.0' without browser info
   - Real browsers with full UA strings are safe

Testing:
✓ /index.html with Chrome: 0 points (was 52)
✓ /contactus.aspx with Chrome: 0 points (was 52)
✓ /path%0d%0aHeader: Still detected (real attack)
✓ curl/wget UAs: Still detected (automation tools)
This commit is contained in:
cschantz
2026-01-06 18:47:35 -05:00
parent 4b6e655123
commit 02a42a98cb
1 changed files with 8 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/attack-patterns.sh
+8 -5
View File
@@ -262,7 +262,9 @@ detect_suspicious_ua() {
fi
# Generic/suspicious patterns
if [[ "$ua_lower" =~ ^(mozilla/[45]\.0|test|scanner|exploit|attack|shell) ]]; then
# Only flag Mozilla/X.0 if it's JUST that (no browser details after)
if [[ "$ua_lower" =~ ^mozilla/[45]\.0$ ]] ||
[[ "$ua_lower" =~ ^(test|scanner|exploit|attack|shell) ]]; then
return 0
fi
@@ -441,13 +443,14 @@ detect_http_smuggling() {
return 0
fi
# Suspicious chunked encoding patterns
if [[ "$url_lower" =~ (\r\n|\n|%0d%0a|%0a|\\r\\n|\\n) ]]; then
# Suspicious chunked encoding patterns (URL-encoded CRLF)
if [[ "$url_lower" =~ (%0d%0a|%0a%0d|%0d|%0a) ]]; then
return 0
fi
# CRLF injection attempts
if [[ "$url" =~ (%0d%0a|%0a%0d|%0d|%0a|\r\n|\n\r) ]]; then
# CRLF injection attempts (URL-encoded only, not literal newlines)
# Note: Literal \r\n in URLs would be encoded by browsers, so only check encoded forms
if [[ "$url" =~ (%0d%0a|%0a%0d|%0d|%0a) ]]; then
return 0
fi