On 4/11/11 2:48 AM, "[email protected]" <[email protected]>
wrote:

>Hi Ryan,
>
>You are right that SecResponseBodyAccess invites for a debate.

I figured ;)

>
>In the discussion about the SecRuleEngine setting you took the hat of the
>business people who do not want the WAF to interfere with the legit
>traffic.
>However, this can happen here when you have large downloads on the
>website. A lot of corporate websites have a few presentations, pdf
>reports,
>way too large images or even a video or two. This is all slowed down very
>much and if you have a lot of these, then the whole
>webserver / reverse proxy can be affected. It gets a lot worse when you
>have a B2B application with legitimate queries, that return
>80MB responses... I have seen a surprisingly big number of these
>applications.

True, however don't forget about the SecResponseBodyMimeType directive -

       SecResponseBodyMimeType text/plain text/html text/xml


This should restrict ModSecurity's response body inspection to only these 3
text-based content-types.  This means that, if your app is setting proper
Content-Type response headers, ModSecurity will not inspect these large
media-type files (PDFs, videos, etc.).

>
>If you have some experience, then you know how to deal with this. But as
>this is the default setting, you need to think hard.
>
>I guess one can come to a reasonable compromise with SecResponseBodyLimit
>and SecResponseBodyLimitAction, but I worry
>if users will understand the level of protection they get: You would set
>the BodyAccess to on but then limit the effect afterwards.

We are trying to have the best middle-ground for the default config.  If
you set Response Body monitoring to Off, then you may miss some critical
errors/leakages.  If you set it On, then there is a chance that you might
deny legitimate large pages.  The latter is currently mitigated by the
combination of two other Recommended Base Config settings -

1) SecRuleEngine DetectionOnly - when this is set,
SecResponseBodyLimitAction is automatically set to ProcessPartial
2) SecResponseBodyLimitAction ProcessPartial

With these two settings in the base config, large response bodies will not
be blocked so we should do some inspection.

-Ryan

>
>Best,
>
>Christian
>_______________________________________________
>Owasp-modsecurity-core-rule-set mailing list
>[email protected]
>https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
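An added example, not taken from the thread or from the CRS base config, that puts the directives discussed above side by side: first the combination Christian worries about (full body access on every content type with a hard Reject), then the combination Ryan describes. The 524288-byte limit is an assumed value chosen for illustration.

```apache
# Added example: two alternative ModSecurity response-body configurations.
# Use one variant or the other; both are shown here only for comparison.

# Variant A - can deny legitimate large downloads.
# Every response body is buffered regardless of Content-Type, and once the
# limit (assumed 512 KB) is exceeded the response is rejected outright, so
# an 80MB B2B reply or a large PDF never reaches the client.
SecRuleEngine On
SecResponseBodyAccess On
SecResponseBodyLimit 524288
SecResponseBodyLimitAction Reject

# Variant B - the middle ground described in the reply.
# Only text-based types are inspected, so PDFs, videos and images pass
# through untouched as long as the application sets a correct Content-Type.
# A text response that still exceeds the limit has its first 512 KB inspected
# instead of being blocked. DetectionOnly additionally forces ProcessPartial,
# so large bodies are never denied while the engine is in that mode.
SecRuleEngine DetectionOnly
SecResponseBodyAccess On
SecResponseBodyMimeType text/plain text/html text/xml
SecResponseBodyLimit 524288
SecResponseBodyLimitAction ProcessPartial
```

The inspection in Variant B only covers the leading 512 KB of an oversized text response, so any leakage that appears later in such a body goes unchecked; that is the trade-off the thread is weighing.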


