Re: [mod-security-users] Odd behavior in mod_security2 when secruleengine=off
From: Ryan B. <Rya...@br...> - 2009-02-19 20:55:10
The SecRuleEngine controls the disruptive action capability of SecRule entries. The error message you received was from the SecResponseBodyLimit directive setting. This is enforcing an upper-limit threshold on the size of the response body (also factoring in the Mime-Types).

You should add in SecResponseBodyLimitAction ProcessPartial if you don't want to block on this directive setting. It will instead only copy part of the data into memory for inspection.

Ryan C. Barnett
Director of Application Security Research
Breach Security, Inc.
Ryan.Barnett@Breach.com
www.Breach.com <http://www.breach.com/>

----- Original Message -----
From: Walt Williams <wal...@gm...>
To: mod...@li... <mod...@li...>
Sent: Thu Feb 19 15:22:32 2009
Subject: [mod-security-users] Odd behavior in mod_security2 when secruleengine=off

Hi,

We turned the SecRuleEngine on detect only for an Apache directory. Recently, when a user was downloading a 7.5 MB file from that directory, we got the following Apache error message:

[Thu Feb 19 14:43:26 2009] [error] [client 151.204.233.75] ModSecurity: Output filter: Content-Length (20616730) over the limit (1572864). [hostname "host"] [uri "/jbosslogs/server.log"] [unique_id "wABsnn8AAAEAAHlBZSMAAAA5"]

Why would modsecurity still be filtering on content length?

This is how we turned off the SecRuleEngine in Apache's httpd.conf:

<Location "/jbosslogs">
SecRuleEngine DetectionOnly

--
Walt Williams, CISSP, SSCP
Ergo inimicus vobis factus sum, verum dicens vobis?
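An added example, not part of the original thread: the Location block from the question with the directive suggested in the reply applied to it. The SecResponseBodyAccess line and the reuse of the 1572864-byte limit from the log message are assumptions about the poster's configuration.

```apache
# Constructed example. Only the Location path, the SecRuleEngine value and
# the 1572864-byte limit come from the thread; everything else is assumed.

# Before (as posted): the limit action is left at its default, Reject, so
# the output filter refuses any response larger than SecResponseBodyLimit
# even though SecRuleEngine is DetectionOnly.
#
#   <Location "/jbosslogs">
#       SecRuleEngine DetectionOnly
#   </Location>

# After: rules still run in detection-only mode, and an oversized response
# is passed through with only the first SecResponseBodyLimit bytes buffered
# for inspection.
<Location "/jbosslogs">
    SecRuleEngine DetectionOnly

    # Assumed to be enabled already, since the output filter was active.
    SecResponseBodyAccess On

    # Same value the log line reported as "the limit".
    SecResponseBodyLimit 1572864

    # Reject (default) blocks over-limit responses; ProcessPartial does not.
    SecResponseBodyLimitAction ProcessPartial
</Location>
```

With ProcessPartial, response content past the limit is delivered without being inspected, so outbound rules cannot match on it.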