modsecurity issues with large post-request?

Hi List,

Currently having issues with large POST requests. Is there way to
disable modsecurity, if POST request size is over 1MB ?

br,
--
Eero

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Re: modsecurity issues with large post-request?

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Re: modsecurity issues with large post-request?

2012/6/3 Josh Amishav-Zlatin <jamuse <at> gmail.com>:
> On Sun, Jun 3, 2012 at 2:00 PM, Eero Volotinen <eero.volotinen <at> iki.fi>
> wrote:
>>
>> Hi List,
>>
>> Currently having issues with large POST requests. Is there way to
>> disable modsecurity, if POST request size is over 1MB ?
>>
>
> Hi Eero,
>
> There are a number of ways you could disable ModSecurity for large POST
> requests, but then you may unnecessarily expose your application to attack.
> Are your large POST requests larger then your defined  SecRequestBodyLimit
> or SecRequestBodyNoFilesLimit limit?

Yes, POST request is larger than value and another issue is that my
POST data can be up to 30-50MB so,
so it's a bit slow to process in mod_security.

Can you still give instructions how to disable mod_security for POST
request larger than 1MB?

--
Eero

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Re: modsecurity issues with large post-request?

2012/6/3 Josh Amishav-Zlatin <jamuse <at> gmail.com>:
> On Sun, Jun 3, 2012 at 2:47 PM, Eero Volotinen <eero.volotinen <at> iki.fi>
> wrote:
>>
>>
>> Can you still give instructions how to disable mod_security for POST
>> request larger than 1MB?
>>
>
> Do you want to whitelist a specific IP/range who can send large POST
> requests (ideal) or completely bypass large POST requests?

I just want to disable completely large POST request processing.

--
Eero

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Re: modsecurity issues with large post-request?

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Re: modsecurity issues with large post-request?

> If the limit your hitting is from the CRS, then I suggest whitelisting the
> rule causing the issue (e.g. 960342). If the limit your hitting is due to
> your SecRequestBodyLimit setting and you are completely aware of the
> consequences of whitelisting all POST requests with a content-length field
> over 1MB, and raising the request body limit is not an option, you could use
> a rule like the following to disable the rules engine for those requests
> (ideally you would limit this to a specific URI / IP as well):
>
> SecRule REQUEST_HEADERS:Content-Length " <at> gt 131072"
> "phase:1,id:1,pass,chain, \
>   log,msg:'Completely disabled ModSecurity for this
> request',ctl:ruleEngine=Off"
>     SecRule REQUEST_METHOD POST

Thanks.

--
Eero

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Seeking Full-time ModSecurity Dev/Researcher

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Dynamic DAST/WAF Integration

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/

_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

Mod Security XML Parsing

Hi,

The mod security handbook states that XML parsing is expensive (cpu and  
ram) but i was wondering if out of the three (validateSchema, validateDTD  
and XPATH checks) which one is least intensive or maybe it does not matter  
because we run the XML parser in all three cases?

In my test application, the client will always POST XML in the request  
body and i would like to validate and sanitize. At the moment i am using  
validateSchema and it works fine but
then maybe there is a more efficient way.

I was thinking maybe if i used XPATH expressions for checking the xml  
inputs instead of using validateDTD or validateSchema it might be less  
expensive?

Thanks,
Usman

--

-- 
Using Opera's revolutionary email client: http://www.opera.com/mail/

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/

413 Request Entity Too Large for chunked encoded message

I use mod security to log requset body amongst other things.
This affects my production systems to any help is much appreciated.

A particular type of request is a POST of xml data with chunked encoding.
mod_security is rejecting about 20% of these POSTs with a '413 Request
Entity Too Large'

       SecAuditEngine On
       SecRuleEngine On
       SecRequestBodyLimit 132217728
       SecRequestBodyNoFilesLimit 132217728
       SecRequestBodyInMemoryLimit 132217728

I have set these limits to be incredibly high.
even with these I continue to get the 413 errors. I can be asolutely
certain that the POST request is less that 132M like I have
configured.

--58fded3e-A--
[09/Jun/2012:00:33:20 +0000] T9KZvwr-fhAAAGPsEZUAAACL 10.248.5.170
36263 10.255.126.16 80
--58fded3e-B--
POST /Y2ZhNjliMTM1YzVkY2MzOTZjMzZmMzg5ZDA1Yzg0N2E= HTTP/1.1
host: abc.com
Cache-Control: no-cache
Content-type: text/xml
User-Agent: egauge/pusher
X-Forwarded-For: 65.220.109.5
X-Forwarded-Port: 80
X-Forwarded-Proto: http
transfer-encoding: chunked
Connection: keep-alive

--58fded3e-F--
HTTP/1.1 413 Request Entity Too Large

--58fded3e-Z--

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/