Problem:
- Normal URLs like /contactus.aspx reaching Score:100
- Legitimate browser traffic being flagged as attacks
- Auto-blocking legitimate users
Root Cause #1: HTTP_SMUGGLING Detection
- Regex pattern \n matched literal letter 'n' in URLs
- ANY URL with 'n' triggered +22 point penalty
- /index.html, /contactus.aspx, /admin/login all false positives
Root Cause #2: SUSPICIOUS_UA Detection
- Pattern ^mozilla/[45]\.0 matched ALL modern browsers
- Every Chrome/Firefox/Safari user flagged as suspicious
- Added +15 points to every request
- Combined with 'suspicious' bot classification: +30 total
Impact:
Before fix:
/contactus.aspx with Chrome = 52 points (3 false attack types)
After 2-3 requests = Score:100 = auto-blocked
After fix:
/contactus.aspx with Chrome = 0 points (correct)
/contactus.aspx with curl = 15 points (correct - is suspicious)
Changes:
1. HTTP_SMUGGLING: Only check URL-encoded CRLF (%0d%0a)
- Removed literal \r\n and \n patterns (match letters!)
- Real attacks still detected correctly
2. SUSPICIOUS_UA: Only flag incomplete Mozilla UAs
- Changed ^mozilla/[45]\.0 to ^mozilla/[45]\.0$
- Now only matches bare 'Mozilla/5.0' without browser info
- Real browsers with full UA strings are safe
Testing:
✓ /index.html with Chrome: 0 points (was 52)
✓ /contactus.aspx with Chrome: 0 points (was 52)
✓ /path%0d%0aHeader: Still detected (real attack)
✓ curl/wget UAs: Still detected (automation tools)
cschantz
02a42a98cb