From 632159493af3f5ad530fba9d90c02482fe8b0f9d Mon Sep 17 00:00:00 2001
From: cschantz
Date: Tue, 6 Jan 2026 17:28:35 -0500
Subject: [PATCH] Improve attack signature scoring for faster blocking
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Issues Fixed:

1. SUSPICIOUS_UA under-valued (+10 → +15)
- Automation tools now block in 6 hits instead of 8
- Matches severity of SQL injection and path traversal

2. BOT_FINGERPRINT under-valued (+8 → +15)
- Headless browsers now properly scored as HIGH risk
- Blocks in 6 hits instead of 10

3. Suspicious bot penalty increased (+10 → +15)
- Consistent with new SUSPICIOUS_UA scoring
- Faster blocking of malicious automation

4. Legit bot penalty exploit fixed
- Score reduction (-5) now ONLY applies if NO attacks detected
- Prevents spoofed Googlebot/legitimate UAs from avoiding blocks
- Attack detection overrides bot classification

Impact:

Before:
- SUSPICIOUS_UA: 8 hits to auto-block (score 80)
- BOT_FINGERPRINT: 10 hits to auto-block
- Spoofed Googlebot with attacks: Could avoid blocking

After:
- SUSPICIOUS_UA: 6 hits to auto-block (score 90)
- BOT_FINGERPRINT: 6 hits to auto-block (score 90)
- Spoofed legitimate UAs: No penalty if attacks present
- Faster response to automation attacks

Real-World Example:
IP with python-requests UA making SQL injection attempts:
- Old: +10 (SUSPICIOUS_UA) +10 (suspicious bot) = 20 per hit
- New: +15 (SUSPICIOUS_UA) +15 (suspicious bot) = 30 per hit
- Result: Blocks in 3 hits instead of 4

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5
---
 lib/attack-patterns.sh | 4 ++--
 modules/security/live-attack-monitor-v2.sh | 11 +++++++----
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/lib/attack-patterns.sh b/lib/attack-patterns.sh
index 05000d8..388a62c 100644
--- a/lib/attack-patterns.sh
+++ b/lib/attack-patterns.sh
@@ -689,8 +689,8 @@ calculate_attack_score() {
     [[ "$attacks" =~ (^|,)NOSQL_INJECTION(,|$) ]] && score=$((score + 15))
     [[ "$attacks" =~ (^|,)TEMPLATE_INJECTION(,|$) ]] && score=$((score + 20))
     [[ "$attacks" =~ (^|,)ENCODING_BYPASS(,|$) ]] && score=$((score + 12))
-    [[ "$attacks" =~ (^|,)SUSPICIOUS_UA(,|$) ]] && score=$((score + 10))
-    [[ "$attacks" =~ (^|,)BOT_FINGERPRINT(,|$) ]] && score=$((score + 8))
+    [[ "$attacks" =~ (^|,)SUSPICIOUS_UA(,|$) ]] && score=$((score + 15))
+    [[ "$attacks" =~ (^|,)BOT_FINGERPRINT(,|$) ]] && score=$((score + 15))
     [[ "$attacks" =~ (^|,)ANONYMIZER(,|$) ]] && score=$((score + 15))
     [[ "$attacks" =~ (^|,)CREDENTIAL_STUFFING(,|$) ]] && score=$((score + 18))
     [[ "$attacks" =~ (^|,)API_ABUSE(,|$) ]] && score=$((score + 12))
diff --git a/modules/security/live-attack-monitor-v2.sh b/modules/security/live-attack-monitor-v2.sh
index 6b9f1a6..cb12c3b 100755
--- a/modules/security/live-attack-monitor-v2.sh
+++ b/modules/security/live-attack-monitor-v2.sh
@@ -450,13 +450,16 @@ update_ip_intelligence() {
     # Adjust score based on bot type
     case "$bot_type" in
         legit|ai|monitor)
-            # Legitimate bots - reduce score
-            score=$((score - 5))
-            [ "${score:-0}" -lt 0 ] && score=0
+            # Legitimate bots - reduce score ONLY if no attacks detected
+            # (prevents spoofed user agents from avoiding blocks)
+            if [ -z "$attacks" ]; then
+                score=$((score - 5))
+                [ "${score:-0}" -lt 0 ] && score=0
+            fi
             ;;
         suspicious)
             # Suspicious bots - increase score
-            score=$((score + 10))
+            score=$((score + 15))
             ;;
     esac
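Review bot: SUSPICIOUS_UA and BOT_FINGERPRINT are both derived from the client-supplied User-Agent, so after the two changed lines a request carrying both tags and no payload-level signature already scores +30, on par with TEMPLATE_INJECTION plus ENCODING_BYPASS; if the auto-block threshold is around 90 as the commit message states (the threshold itself is not in this hunk), legitimate automation such as internal scripts or headless monitoring would be blocked within a few plain requests, so the false-positive side of the trade-off deserves a note next to the weights. Suggested comment above the two changed lines: `# UA-derived tags (client-controlled, spoofable): weighted like payload signatures so automation blocks fast; tune against known internal tooling`. The run of `[[ "$attacks" =~ (^|,)TAG(,|$) ]] && score=$((score + N))` lines is a weight table spelled out as magic numbers; a `declare -A` lookup keyed by tag, iterated once over the comma-separated list, would keep every weight in one reviewable place and drop the per-tag regex. calculate_attack_score's header and its return are outside the hunk.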
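Review bot: The new `if [ -z "$attacks" ]; then` aborts under `set -u` if `attacks` is unset on this path, while the very next test already guards `score` with `"${score:-0}"`; writing it as `if [ -z "${attacks:-}" ]; then` keeps the two guards consistent and treats an unset list the same as an empty one. The test also means any tag in `$attacks` cancels the legit-bot reduction, including the UA-derived tags whose weights this same commit raises in lib/attack-patterns.sh, which is presumably intended but worth saying in the comment, e.g. `# any detected signature, including UA-only tags, disables the reduction`. I am assuming `$attacks` is the same comma-separated tag list that calculate_attack_score consumes; its assignment and update_ip_intelligence's header are outside the hunk. Nothing is logged when the reduction is skipped, so an operator investigating why a bot classified as legit was blocked has no trace of this branch; a debug message there would help.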