From 02a42a98cb7c4e0343807e4cbd1fa79ae8b6aad8 Mon Sep 17 00:00:00 2001
From: cschantz <admin@server.local>
Date: Tue, 6 Jan 2026 18:47:35 -0500
Subject: [PATCH] CRITICAL: Fix massive false positives causing Score:100 on
 legitimate traffic
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Problem:
- Normal URLs like /contactus.aspx reaching Score:100
- Legitimate browser traffic being flagged as attacks
- Auto-blocking legitimate users

Root Cause #1: HTTP_SMUGGLING Detection
- Regex pattern \n matched literal letter 'n' in URLs
- ANY URL with 'n' triggered +22 point penalty
- /index.html, /contactus.aspx, /admin/login all false positives

Root Cause #2: SUSPICIOUS_UA Detection
- Pattern ^mozilla/[45]\.0 matched ALL modern browsers
- Every Chrome/Firefox/Safari user flagged as suspicious
- Added +15 points to every request
- Combined with 'suspicious' bot classification: +30 total

Impact:
Before fix:
  /contactus.aspx with Chrome = 52 points (3 false attack types)
  After 2-3 requests = Score:100 = auto-blocked

After fix:
  /contactus.aspx with Chrome = 0 points (correct)
  /contactus.aspx with curl = 15 points (correct - is suspicious)

Changes:
1. HTTP_SMUGGLING: Only check URL-encoded CRLF (%0d%0a)
   - Removed literal \r\n and \n patterns (match letters!)
   - Real attacks still detected correctly

2. SUSPICIOUS_UA: Only flag incomplete Mozilla UAs
   - Changed ^mozilla/[45]\.0 to ^mozilla/[45]\.0$
   - Now only matches bare 'Mozilla/5.0' without browser info
   - Real browsers with full UA strings are safe

Testing:
✓ /index.html with Chrome: 0 points (was 52)
✓ /contactus.aspx with Chrome: 0 points (was 52)
✓ /path%0d%0aHeader: Still detected (real attack)
✓ curl/wget UAs: Still detected (automation tools)
---
 lib/attack-patterns.sh | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/lib/attack-patterns.sh b/lib/attack-patterns.sh
index 388a62c..50b3403 100644
--- a/lib/attack-patterns.sh
+++ b/lib/attack-patterns.sh
@@ -262,7 +262,9 @@ detect_suspicious_ua() {
     fi
 
     # Generic/suspicious patterns
-    if [[ "$ua_lower" =~ ^(mozilla/[45]\.0|test|scanner|exploit|attack|shell) ]]; then
+    # Only flag Mozilla/X.0 if it's JUST that (no browser details after)
+    if [[ "$ua_lower" =~ ^mozilla/[45]\.0$ ]] ||
+       [[ "$ua_lower" =~ ^(test|scanner|exploit|attack|shell) ]]; then
         return 0
     fi
 
@@ -441,13 +443,14 @@ detect_http_smuggling() {
         return 0
     fi
 
-    # Suspicious chunked encoding patterns
-    if [[ "$url_lower" =~ (\r\n|\n|%0d%0a|%0a|\\r\\n|\\n) ]]; then
+    # Suspicious chunked encoding patterns (URL-encoded CRLF)
+    if [[ "$url_lower" =~ (%0d%0a|%0a%0d|%0d|%0a) ]]; then
         return 0
     fi
 
-    # CRLF injection attempts
-    if [[ "$url" =~ (%0d%0a|%0a%0d|%0d|%0a|\r\n|\n\r) ]]; then
+    # CRLF injection attempts (URL-encoded only, not literal newlines)
+    # Note: Literal \r\n in URLs would be encoded by browsers, so only check encoded forms
+    if [[ "$url" =~ (%0d%0a|%0a%0d|%0d|%0a) ]]; then
         return 0
     fi