coraza: drop 913xxx scanner-UA from enforce list (FP on Mastodon + SiteLock)
All checks were successful
Build and push coraza-spoa / Build-and-Push (push) Successful in 40s
HAProxy Manager Build and Push / Build-and-Push (push) Successful in 54s

25h whp01 burn-in (2026-05-13) found ~11% FP rate on rule 913100:
ActivityPub federation pulls (Mastodon UA "...Bot" on hackerpublicradio.org
and blog.anti-social.online) and SiteLockSpider scans (a customer-paid
security service hitting greggfranklin.com + suchascream.net). The other
six promoted rule families (930120, 932100-160, 933170-200, 944100-300,
920440, 930130) showed zero FPs across the same window and stay enforced.

Detection-only still feeds the anomaly score, so we lose ~no real
blocking value by demoting this family.
2026-05-13 19:13:22 -07:00
parent 5e5234cb14
commit 753743de20


@@ -13,14 +13,6 @@
# Per-customer false-positive tuning lives in a future per-customer
# override mechanism; v1 is server-wide.
# ---------------------------------------------------------------------------
# 913xxx — Scanner User-Agents
# (sqlmap, nikto, nmap-scripts, dirbuster, masscan, gobuster, ZAP, w3af, etc.)
# Legitimate browsers and apps never send these UAs. Pure recon/exploit
# tooling. Highest signal-to-noise rule family in CRS.
# ---------------------------------------------------------------------------
SecRuleUpdateActionById 913100-913199 "ctl:ruleEngine=On"
# ---------------------------------------------------------------------------
# 930120 — LFI: explicit traversal to sensitive system files
# (/etc/passwd, /proc/self/, /.ssh/, /etc/shadow, /etc/group, etc.)
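Review bot: deleting `SecRuleUpdateActionById 913100-913199 "ctl:ruleEngine=On"` only drops the per-family override, so the 913 rules fall back to whatever the base engine mode is; the commit message expects them to keep feeding the anomaly score in detection-only, so please confirm the base `SecRuleEngine` for this file is `DetectionOnly` and not `Off`, otherwise the family stops scoring altogether. The removed comment also asserted "Legitimate browsers and apps never send these UAs", which the burn-in data disproves; since the header block at the top of this section is the first thing a reader sees, a one-line pointer ("913xxx moved to the detect-only list below, see whp01 2026-05-13 FP data") would keep the enforce list self-explaining.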
@@ -88,6 +80,13 @@ SecRuleUpdateActionById 930130 "ctl:ruleEngine=On"
# Rule families intentionally kept at DETECT-ONLY for v1 — high FP rate
# on customer mix. Promote individually after observation:
#
# 913xxx (Scanner UAs)— matches legitimate ActivityPub federation
# (Mastodon's "...Bot" UA) and SiteLockSpider (a
# paid customer-security service some sites use).
# Observed on whp01 burn-in 2026-05-13:
# 20/185 hits = ~11% FP rate on HPR + greggfranklin
# + suchascream. Detection adds anomaly score
# either way; enforce upside is low.
# 941xxx (XSS) — Divi rich-text editor saves, TinyMCE submissions
# 942xxx (SQLi) — WP admin queries reflected in params
# 920xxx (other) — most 920xxx rules; 920440 specifically promoted above
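Review bot: style nit on the added line `# 913xxx (Scanner UAs)— matches legitimate ActivityPub federation`: it is missing the space before the dash that the neighbouring `# 941xxx (XSS) — ...` and `# 942xxx (SQLi) — ...` entries use. More substantively, the commit message attributes the 20/185 hits to rule 913100 specifically, while the comment records them against the whole 913xxx family; naming the firing rule ID here (and the two UA patterns that triggered it, Mastodon's "...Bot" UA and SiteLockSpider) would let a later pass re-promote the rest of the family, or exclude just those UAs, without having to rediscover which rule produced the FPs.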