We have lots of internally developed applications that we want to protect with mod_security; however, legit strings that we use are being blocked by mod_security. We are getting error messages in the logs saying: Response body too large (over limit of 524288, total not specified).
[Ryan Barnett] There are two main directives that control if/how you analyze Response Body payloads –
In your setup, the response body size was greater than the default. You can do one of the following –
· Increase the SecResponseBodyLimit size, however from the error message it looks as though we don’t know what the actual size of the data was.
· Set the SecResponseBodyLimitAction directive to ProcessPartial (http://www.modsecurity.org/documentation/modsecurity-apache/2.5.7/modsecurity2-apache-reference.html#N10825) as this will allow Mod to copy some response body data into the memory space to be analyzed for info leakages.
· Use the “ctl:responseBodyAccess=Off” action in a rule for the particular URLs that are triggering - http://www.modsecurity.org/documentation/modsecurity-apache/2.5.7/modsecurity2-apache-reference.html#N1164F
· Disable Response body inspection altogether with SecResponseBodyAccess Off.
Is there any way to do this:
1. Disable all web security configurations, but...
2. Enable only protection for cross-site scripting
Is that possible? If so, how would I go about doing that?
[Ryan Barnett] Even if you are only interested in identifying/blocking XSS attacks, you will still need to address the Response Body size issue as they are conflicting with global directive settings and not by any specific attack rules. Once you have addressed that issue, you can then simply take the XSS rule(s) from the existing modsecurity_crs_40_generic_attacks.conf file and copy/paste them into a new rules file (something like modsecurity_crs_15_customrules.conf) and then only call up it and the modsecurity_crs_10_config.conf files from the Apache httpd.conf file.
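The response body options from the first answer and the rule-file layout from the second, combined into one configuration sketch. This is an added example, not configuration from the original post or from the ModSecurity project. The limit value, the `/reports/` path, the rule id and the `conf/modsecurity_crs/` directory are constructed assumptions.

```apache
# Added example: values, paths and the rule id are constructed placeholders.

# --- Response body inspection (global settings) ---
SecResponseBodyAccess On

# Option 1: raise the buffer limit (bytes). 524288 is the limit named in the
# error message; 1048576 is only an illustrative larger value.
SecResponseBodyLimit 1048576

# Option 2: when a response exceeds the limit, inspect the part that fits in
# the buffer and let the rest through instead of rejecting the response.
SecResponseBodyLimitAction ProcessPartial

# Option 3: turn response body buffering off only for the URLs that trigger
# the error. /reports/ is a hypothetical path. The rule runs in phase 1 so
# the setting is in place before the response is produced.
SecRule REQUEST_URI "@beginsWith /reports/" \
    "phase:1,t:none,pass,nolog,id:'900001',ctl:responseBodyAccess=Off"

# Option 4 (broadest): disable response body inspection everywhere.
# Leaves outbound info-leakage checks with nothing to inspect.
# SecResponseBodyAccess Off

# --- httpd.conf: load only the base config and the XSS-only rules file ---
# If the base config file sets the same response body directives, keep the
# settings in one place so the effective value is unambiguous.
Include conf/modsecurity_crs/modsecurity_crs_10_config.conf
Include conf/modsecurity_crs/modsecurity_crs_15_customrules.conf
```

Options 1 to 4 are alternatives; pick the narrowest one that stops the error, since each step down the list removes more outbound inspection.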