Ryan,

You are right, that SecResponseBodyMimeType saves the day in a lot of the cases. But there are these huge html responses in business applications that bug me from time to time - actually the response looks a lot like a leakage.
Still, I think you are right and there is a safe ground for a reasonable default.

Regs,
Christian

-----Original Message-----
From: Ryan Barnett [mailto:[email protected]]
Sent: Monday, 11 April 2011 15:58
To: Folini Christian, IT222 extern; [email protected]; [email protected]
Subject: Re: [Owasp-modsecurity-core-rule-set] A Recommended Base Configuration - SecResponseBodyAccess

On 4/11/11 2:48 AM, "[email protected]" <[email protected]> wrote:

>Hi Ryan,
>
>You are right that SecResponseBodyAccess invites a debate.

I figured ;)

>In the discussion about the SecRuleEngine setting you took the hat of the
>business people who do not want the WAF to interfere with the legit
>traffic.
>However, this can happen here when you have large downloads on the
>website. A lot of corporate websites have a few presentations, pdf
>reports, way too large images or even a video or two. This is all slowed
>down very much and if you have a lot of these, then the whole
>webserver / reverse proxy can be affected. It gets a lot worse when you
>have a B2B application with legitimate queries, that return
>80MB responses... I have seen a surprisingly big number of these
>applications.

True, however don't forget about the SecResponseBodyMimeType directive -

SecResponseBodyMimeType text/plain text/html text/xml

This should restrict ModSecurity's response body inspection to only these 3 text-based content-types. This means that, if your app is setting proper Content-Type response headers, ModSecurity will not inspect these large media-type files (PDFs, videos, etc...)

>If you have some experience, then you know how to deal with this. But as
>this is the default setting, you need to think hard.
>
>I guess one can come to a reasonable compromise with SecResponseBodyLimit
>and SecResponseBodyLimitAction, but I worry
>if users will understand the level of protection they get: You would set
>the BodyAccess to on but then limit the effect afterwards.
We are trying to have the best middle-ground for the default config. If you set Response Body monitoring to off, then you may miss some critical errors/leakages. If you set it On, then there is a chance that you might deny legitimate large pages. The latter is currently mitigated by the combination of two other Recommended Base Config settings -

1) SecRuleEngine DetectionOnly - when this is set, SecResponseBodyLimitAction is automatically set to ProcessPartial
2) SecResponseBodyLimitAction ProcessPartial

With these two settings in the base config, large response bodies will not be blocked so we should do some inspection.

-Ryan

>
>Best,
>
>Christian
>_______________________________________________
>Owasp-modsecurity-core-rule-set mailing list
>[email protected]
>https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>
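The directives the thread goes back and forth over, assembled into one ModSecurity 2.x configuration fragment. This is an added example written for this page, not a file from the OWASP CRS project or from either poster. The rule id 10001 and the regex it carries are arbitrary choices made for illustration, and the 524288-byte limit is the engine default rather than a CRS recommendation.

```apache
# Added example, not the CRS base configuration itself. Shows how the
# directives discussed above fit together, with the setting that would
# break large legitimate pages kept alongside the one that does not.

# Start in DetectionOnly: rules log but never block, and the engine
# forces the response body limit action to ProcessPartial in this mode.
SecRuleEngine DetectionOnly

# Without this, phase-4 (response body) rules have nothing to look at
# and a database error or stack trace in a page goes unnoticed.
SecResponseBodyAccess On

# Only buffer text-based responses. PDFs, images and video pass straight
# through, but only if the application sets a correct Content-Type header;
# a PDF served as text/html is still buffered.
SecResponseBodyMimeType text/plain text/html text/xml

# Buffer at most 512 KB of a text response (engine default).
SecResponseBodyLimit 524288

# The worry raised in the thread: Reject fails any text response larger
# than the limit, which is exactly what hits an 80MB B2B report.
# SecResponseBodyLimitAction Reject

# ProcessPartial inspects the first 524288 bytes and passes the remainder
# on unchanged, so an oversized page is never blocked for size alone.
SecResponseBodyLimitAction ProcessPartial

# A phase-4 rule is what benefits from the buffered body. Hypothetical
# rule (id and pattern chosen for this example): flag a database error
# message leaking into an HTML or plain-text response.
SecRule RESPONSE_BODY "@rx (?i:ODBC Error Code|ORA-[0-9]{5}|You have an error in your SQL syntax)" \
    "id:10001,phase:4,log,deny,msg:'Possible database error leakage in response body'"
```

While SecRuleEngine stays at DetectionOnly the deny in the phase-4 rule only writes an audit log entry; switch the engine to On once the logs show no false positives on the site's large text responses. The MIME filter only helps if Content-Type is correct, so check the response headers of the largest downloads before relying on it.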
