On 4/11/11 9:56 AM, "Klaubert Herr da Silveira" <[email protected]> wrote:

>Hi Ryan and Christian,
>
>We can't forget the wrongly defined mime type configured on the backend,
>which can put an extra load on ModSecurity (i.e. .pdf defined as
>text/plain). This can kill the modsec "image". Really the
>SecResponseBodyLimit and SecResponseBodyLimitAction can help very much
>on this.

Good point.  When binary content is wrapped in a text-based Content-Type
response header it can cause problems.  Hmm, maybe it would be worth
testing another pre-qualifier check against the response_body with
something like @validateByteRange to ensure that the body isn't binary
before deciding to run rules against it.

>
>On the wiki, it could be good to write how to disable
>SecResponseBodyAccess on static content, since it is not subject
>to processing (i.e. .txt, .html files), on specific locations.

We already have rulesets in the OWASP CRS to ignore static content -
http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/optional_rules/modsecurity_crs_10_ignore_static.conf
http://mod-security.svn.sourceforge.net/viewvc/mod-security/crs/trunk/optional_rules/modsecurity_crs_47_skip_outbound_checks.conf

>
>best regards,
>
>Klaubert
>
>
>
>On Mon, Apr 11, 2011 at 3:48 AM,  <[email protected]> wrote:
>> Hi Ryan,
>>
>> You are right that SecResponseBodyAccess invites a debate.
>>
>> In the discussion about the SecRuleEngine setting you took the hat of
>> the business people who do not want the WAF to interfere with the legit
>> traffic.
>> However, this can happen here when you have large downloads on the
>> website. A lot of corporate websites have a few presentations, pdf
>> reports, way too large images or even a video or two. This is all slowed
>> down very much and if you have a lot of these, then the whole
>> webserver / reverse proxy can be affected. It gets a lot worse when you
>> have a B2B application with legitimate queries, that return
>> 80MB responses... I have seen a surprisingly big number of these
>> applications.
>>
>> If you have some experience, then you know how to deal with this. But
>> as this is the default setting, you need to think hard.
>>
>> I guess one can come to a reasonable compromise with
>> SecResponseBodyLimit and SecResponseBodyLimitAction, but I worry
>> if users will understand the level of protection they get: You would
>> set the BodyAccess to on but then limit the effect afterwards.
>>
>> Best,
>>
>> Christian
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> [email protected]
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>>
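Pulling the directives discussed in this thread together, as an added illustration that is not part of the CRS or of any message above: the body-size limit and ProcessPartial that Christian and Klaubert mention, a phase-4 pre-qualifier along the lines of Ryan's @validateByteRange idea, and a per-location SecResponseBodyAccess Off for static content. Rule id and marker name are placeholders, and it assumes the outbound inspection rules are phase 4 rules placed between the pre-qualifier and the marker.

```apache
# Added illustrative ModSecurity 2.x configuration; not shipped with the CRS.
# Rule id 100001 and marker END_OUTBOUND_CHECKS are placeholders.

# Buffer only bodies whose Content-Type claims to be text. A backend that
# mislabels a .pdf as text/plain still gets buffered, which is exactly why
# the size limit and the byte-range check below are needed.
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml

# Cap how much of a response is buffered. ProcessPartial inspects the first
# 512 KB and lets the rest stream through; Reject would instead break large
# legitimate downloads such as the 80MB B2B responses mentioned above.
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial

# Pre-qualifier: @validateByteRange MATCHES when the body contains a byte
# outside the listed ranges. Allowing 32-255 keeps UTF-8 text from being
# misclassified as binary; only NUL and non-printing control bytes
# (0-8, 11-12, 14-31) count as evidence of a binary payload. Logging is
# kept on deliberately so mislabeling backends show up in the error log.
# Assumes the outbound (phase 4) rules sit between this rule and the marker.
SecRule RESPONSE_BODY "@validateByteRange 9,10,13,32-255" \
    "id:100001,phase:4,t:none,pass,log,\
    msg:'Binary body under text Content-Type; skipping outbound checks',\
    skipAfter:END_OUTBOUND_CHECKS"

# ... phase 4 outbound inspection rules go here ...

SecMarker END_OUTBOUND_CHECKS

# Static content that is never inspected: do not buffer it at all rather
# than buffering it and then skipping the rules.
<LocationMatch "\.(?:txt|html|css|js)$">
    SecResponseBodyAccess Off
</LocationMatch>
```

Keep in mind that with ProcessPartial only the first SecResponseBodyLimit bytes are visible to RESPONSE_BODY rules, so the byte-range check only sees the head of a large response.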



