diff --git a/lib/attack-patterns.sh b/lib/attack-patterns.sh
index 388a62c..50b3403 100644
--- a/lib/attack-patterns.sh
+++ b/lib/attack-patterns.sh
@@ -262,7 +262,9 @@ detect_suspicious_ua() {
 fi
 # Generic/suspicious patterns
- if [[ "$ua_lower" =~ ^(mozilla/[45]\.0|test|scanner|exploit|attack|shell) ]]; then
+ # Only flag Mozilla/X.0 if it's JUST that (no browser details after)
+ if [[ "$ua_lower" =~ ^mozilla/[45]\.0$ ]] ||
+ [[ "$ua_lower" =~ ^(test|scanner|exploit|attack|shell) ]]; then
 return 0
 fi
@@ -441,13 +443,14 @@ detect_http_smuggling() {
 return 0
 fi
- # Suspicious chunked encoding patterns
- if [[ "$url_lower" =~ (\r\n|\n|%0d%0a|%0a|\\r\\n|\\n) ]]; then
+ # Suspicious chunked encoding patterns (URL-encoded CRLF)
+ if [[ "$url_lower" =~ (%0d%0a|%0a%0d|%0d|%0a) ]]; then
 return 0
 fi
- # CRLF injection attempts
- if [[ "$url" =~ (%0d%0a|%0a%0d|%0d%0a|%0d|%0a|\r\n|\n\r) ]]; then
+ # CRLF injection attempts (URL-encoded only, not literal newlines)
+ # Note: Literal \r\n in URLs would be encoded by browsers, so only check encoded forms
+ if [[ "$url" =~ (%0d%0a|%0a%0d|%0d|%0a) ]]; then
 return 0
 fi
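Review bot: The exact-match `^mozilla/[45]\.0$` is stricter than its comment promises: a bare product token followed by trailing whitespace (`Mozilla/5.0 `), which a hand-rolled client may well send, now matches neither branch, so the old false positives are traded for a small blind spot. If that is intended, say so in the comment; otherwise tolerate trailing blanks with `if [[ "$ua_lower" =~ ^mozilla/[45]\.0[[:space:]]*$ ]] ||`. Whether `$ua_lower` is already trimmed is decided earlier in detect_suspicious_ua, outside this hunk, so check there before choosing. The function starts and continues outside the hunk.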
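Review bot: After this change the second check ("CRLF injection attempts") on `$url` is dead code: its regex is identical to the first check's, and any match in `$url` is necessarily also a match in `$url_lower`, which was already tested a few lines above — and the case-folded first check is the only one that catches the common upper-case `%0D%0A` form. Fold the two into one block so the intent is clear, e.g. keep only `# CRLF injection / request-splitting attempts (URL-encoded CR or LF; the %0d%0a pairs are covered by the single-byte alternatives)` over `if [[ "$url_lower" =~ (%0d|%0a) ]]; then`, since `%0d%0a|%0a%0d` is subsumed by `%0d|%0a`. The first block's "chunked encoding" comment is also misleading now, as nothing in the regex is chunked-transfer-specific. Double-encoded variants such as `%250d`/`%250a` are not matched by the current pattern; if they are in scope they need to be listed explicitly. detect_http_smuggling begins and ends outside this hunk.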