Thank you for that. We will go ahead and take care of that. It makes perfect sense. When testing out mod_security, we see in the logs that the generic XSS attacks we are manually testing are being logged but not blocked. How do we set it to block XSS attacks, and if possible, only XSS attacks?

On Wed, Nov 26, 2008 at 11:04 AM, Ryan Barnett <Ryan.Barnett@breach.com> wrote:

From: OSSEC junkie [mailto:ossec.junkie@gmail.com]
Sent: Wednesday, November 26, 2008 1:38 PM
To: mod-security-users@lists.sourceforge.net
Subject: [mod-security-users] Rule Configuration Issue

 

We have lots of internally developed applications that we want to protect with mod_security; however, legit strings that we use are being blocked by mod_security. We are getting error messages in the logs saying: Response body too large (over limit of 524288, total not specified).

[Ryan Barnett] There are two main directives that control if/how you analyze Response Body payloads:

         SecResponseBodyAccess (http://www.modsecurity.org/documentation/modsecurity-apache/2.5.7/modsecurity2-apache-reference.html#N108B7)

         SecResponseBodyLimit (http://www.modsecurity.org/documentation/modsecurity-apache/2.5.7/modsecurity2-apache-reference.html#N107F9)

 

In your setup, the response body size was greater than the default. You can do one of the following:

         Increase the SecResponseBodyLimit size, however from the error message it looks as though we don't know what the actual size of the data was.

         Set the SecResponseBodyLimitAction directive to ProcessPartial (http://www.modsecurity.org/documentation/modsecurity-apache/2.5.7/modsecurity2-apache-reference.html#N10825) as this will allow Mod to copy some response body data into the memory space to be analyzed for info leakages.

         Use the "ctl:responseBodyAccess=Off" action in a rule for the particular URLs that are triggering - http://www.modsecurity.org/documentation/modsecurity-apache/2.5.7/modsecurity2-apache-reference.html#N1164F

         Disable Response body inspection altogether with SecResponseBodyAccess Off.

 

Is there any way to do this: 

1.  Disable all web security configurations but..

2.  Enable only protection for cross-site scripting

 

Is that possible? If so, how would I go about doing that?

[Ryan Barnett] Even if you are only interested in identifying/blocking XSS attacks, you will still need to address the Response Body size issue as they are conflicting with global directive settings and not by any specific attack rules. Once you have addressed that issue, you can then simply take the XSS rule(s) from the existing modsecurity_crs_40_generic_attacks.conf file and copy/paste them into a new rules file (something like modsecurity_crs_15_customrules.conf) and then only call up that file and the modsecurity_crs_10_config.conf file from the Apache httpd.conf file.
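
The setup described in the reply above, written out as an added example that is not part of the original thread or of the Core Rule Set. The conf/modsecurity/ directory, the /reports/ URL prefix and the sample XSS rule are assumptions made for illustration. It also assumes the "logged but not blocked" behaviour comes from the engine mode or a non-blocking default action.

```apache
# ---- httpd.conf (fragment) ----
# Load only the base config and the custom rules file; the other
# modsecurity_crs_*.conf files are no longer included.
# The conf/modsecurity/ directory is an assumed location.
Include conf/modsecurity/modsecurity_crs_10_config.conf
Include conf/modsecurity/modsecurity_crs_15_customrules.conf

# ---- modsecurity_crs_15_customrules.conf ----
# Enforce rules. With "DetectionOnly" matches are logged but never blocked.
SecRuleEngine On

# Rules that follow inherit a blocking default action.
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

# Response body handling, to clear "Response body too large".
# 524288 is the limit quoted in the error message in the thread.
SecResponseBodyAccess On
SecResponseBodyLimit 524288
# Inspect the first 524288 bytes and let the rest through instead of
# rejecting the whole response.
SecResponseBodyLimitAction ProcessPartial

# Alternative for individual applications: turn response inspection off
# for the URLs that trigger the error. "/reports/" is a hypothetical prefix.
SecRule REQUEST_URI "@beginsWith /reports/" \
    "phase:1,t:none,nolog,pass,ctl:responseBodyAccess=Off"

# XSS rules: paste the XSS SecRule entries from
# modsecurity_crs_40_generic_attacks.conf here, unchanged.
# The rule below is a constructed, simplified stand-in that only shows the
# shape of a blocking rule; it is not the CRS rule and is far narrower.
SecRule ARGS "@rx <script" \
    "phase:2,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,deny,status:403,log,msg:'XSS pattern in request argument (constructed sample)'"
```

Because the custom file is included after modsecurity_crs_10_config.conf, its SecRuleEngine and SecResponseBody* settings take precedence over the ones set there.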