From 753743de200f1777d8bc9f7ef763a8b605403c30 Mon Sep 17 00:00:00 2001 From: Josh Knapp Date: Wed, 13 May 2026 19:13:22 -0700 Subject: [PATCH] coraza: drop 913xxx scanner-UA from enforce list (FP on Mastodon + SiteLock) 25h whp01 burn-in (2026-05-13) found ~11% FP rate on rule 913100: ActivityPub federation pulls (Mastodon UA "...Bot" on hackerpublicradio.org and blog.anti-social.online) and SiteLockSpider scans (a customer-paid security service hitting greggfranklin.com + suchascream.net). The other six promoted rule families (930120, 932100-160, 933170-200, 944100-300, 920440, 930130) showed zero FPs across the same window and stay enforced. Detection-only still feeds the anomaly score, so we lose ~no real blocking value by demoting this family. --- coraza-spoa/overrides.conf | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/coraza-spoa/overrides.conf b/coraza-spoa/overrides.conf index f278298..62aeca4 100644 --- a/coraza-spoa/overrides.conf +++ b/coraza-spoa/overrides.conf @@ -13,14 +13,6 @@ # Per-customer false-positive tuning lives in a future per-customer # override mechanism; v1 is server-wide. -# --------------------------------------------------------------------------- -# 913xxx — Scanner User-Agents -# (sqlmap, nikto, nmap-scripts, dirbuster, masscan, gobuster, ZAP, w3af, etc.) -# Legitimate browsers and apps never send these UAs. Pure recon/exploit -# tooling. Highest signal-to-noise rule family in CRS. -# --------------------------------------------------------------------------- -SecRuleUpdateActionById 913100-913199 "ctl:ruleEngine=On" - # --------------------------------------------------------------------------- # 930120 — LFI: explicit traversal to sensitive system files # (/etc/passwd, /proc/self/, /.ssh/, /etc/shadow, /etc/group, etc.) 
@@ -88,6 +80,13 @@ SecRuleUpdateActionById 930130 "ctl:ruleEngine=On" # Rule families intentionally kept at DETECT-ONLY for v1 — high FP rate # on customer mix. Promote individually after observation: # +# 913xxx (Scanner UAs)— matches legitimate ActivityPub federation +# (Mastodon's "...Bot" UA) and SiteLockSpider (a +# paid customer-security service some sites use). +# Observed on whp01 burn-in 2026-05-13: +# 20/185 hits = ~11% FP rate on HPR + greggfranklin +# + suchascream. Detection adds anomaly score +# either way; enforce upside is low. # 941xxx (XSS) — Divi rich-text editor saves, TinyMCE submissions # 942xxx (SQLi) — WP admin queries reflected in params # 920xxx (other) — most 920xxx rules; 920440 specifically promoted above
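Review bot: the scope of the removed line in the first hunk is wider than the evidence in the commit message. The message reports the ~11% FP rate "on rule 913100" only, but the deleted directive `SecRuleUpdateActionById 913100-913199 "ctl:ruleEngine=On"` demotes the whole 913100-913199 range. If the other IDs in that range did not match the ActivityPub federation or SiteLockSpider traffic during the burn-in window, consider narrowing the change to 913100 and keeping the rest of the range enforced, or state in the commit message that the whole range was checked and why it is being dropped together. It would also help to note in the removed block's replacement (the detect-only list below) that the remaining 913 rules still contribute to the anomaly score, so a reader of overrides.conf alone can see the family was demoted deliberately rather than forgotten.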
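Review bot: style and readability of the added comment entry in the second hunk. The first added line `# 913xxx (Scanner UAs)— matches legitimate ActivityPub federation` is missing the space before the dash that the neighbouring entries use (`# 941xxx (XSS) — Divi rich-text editor saves, ...`), so the list no longer aligns; suggest `# 913xxx (Scanner UAs) — matches legitimate ActivityPub federation`. The other detect-only entries are one line each, while this one runs seven lines including burn-in date and hit counts that are already recorded in the commit message; a shorter entry (the UA sources and the anomaly-score remark) would keep the list scannable, with the dated numbers left to git history where they will not go stale inside the config.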