On Mar 30, 2013, at 11:01 AM, "Reindl Harald" <h.reindl@thelounge.net> wrote:

Am 30.03.2013 15:44, schrieb Ryan Barnett:
On Mar 30, 2013, at 10:37 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
has somebody a rule to limit the length of get-values to the
same 512 like suhosin to kiss this stupid bingbot goodbye
with a 400/403 instead a 200 status-code?

Mar 30 13:22:56 [8257] ALERT - configured GET variable value length limit exceeded - dropped variable 'pal_term'
(attacker '', file '*******/index.php')

** snip **

SecRules ARGS_GET "@gt 512" "t:length"


FYI - the OWASP CRS has rules for this here - 


[Sat Mar 30 15:52:47.917028 2013] [:error] [pid 6895] [client] ModSecurity: Access denied with code 400
(phase 1). Operator GT matched 500 at ARGS_GET:term. [file
"/etc/httpd/modsecurity.d/modsecurity_99_local_rules.conf"] [line "199"] [id "117"] [msg "argument exceeds 500
chars"] [hostname "www.rhsoft.net"] [uri "/show_content.php"] [unique_id "UVb8P8CoAgIAABrv5@AAAAAC"]

# 30.03.2013
SecRule ARGS_GET "@gt 500" "t:length,id:'117',capture,phase:1,block,msg:'argument exceeds 500 chars'"

Own the Future-Intel(R) Level Up Game Demo Contest 2013
Rise to greatness in Intel's independent game demo contest. Compete
for recognition, cash, and the chance to get your game on Steam.
$5K grand prize plus 10 genre and skill prizes. Submit your demo
by 6/6/13. http://altfarm.mediaplex.com/ad/ck/12124-176961-30367-2
mod-security-users mailing list
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.