Re: [Mod-security-developers] Request body processed when blocking in phase 1
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [Mod-security-developers] Request body processed when blocking in phase 1
|
From: Marc S. <mar...@ap...> - 2019-03-12 18:13:57
|
I reproduced this behaviour even in Windows with everything compiled together Marc On 11-03-19 14:22, Felipe Costa wrote: I have seemed the behavior that you have described in servers with APR version mismatch. Other than that, I did not manage to emulate such behavior. Br., Felipe "Zimmerle" Costa Security Researcher, Lead Developer ModSecurity m: +55 81.98706.5547 [signature_480191669] www.trustwave.com<http://www.trustwave.com/> Recognized by industry analysts as a leader in managed security services.<https://www.trustwave.com/company/about-us/accolades/> ________________________________ From: Marc Stern <mar...@ap...><mailto:mar...@ap...> Sent: Thursday, February 28, 2019 11:49 AM To: mod...@li...<mailto:mod...@li...> Subject: [Mod-security-developers] Request body processed when blocking in phase 1 I'm running v 2.9.3 built with --enable-request-early to have phase 1 rules running before receiving the body. If I sent a huge body, the request is well blocked in phase 1 but there's a huge processing time (10 min for 1.5 MB) on a strong machine after hook_insert_error_filter() Can somebody explain me what could happen and/or how to troubleshoot that. Isn't the phase 1 rule (with --enable-request-early) supposed to run before the request body is received by httpd? Here's the debug log (max level): [28/Feb/2019:14:27:50 +0100] [...][4] Ctl: Set requestBodyAccess to 0. [...] [28/Feb/2019:14:27:50 +0100] [...][4] Access denied with code 404 (phase 1). [...] [28/Feb/2019:14:27:50 +0100] [...][4] Hook insert_error_filter: Adding output filter (r 248029de120). [28/Feb/2019:14:37:20 +0100] [...][9] Output filter: Receiving output (f 24802c82a38, r 248029de120). [28/Feb/2019:14:37:20 +0100] [...][4] Skipping phase 3 as request was already intercepted. error log: [Thu Feb 28 14:27:50.864432 2019] [core:trace5] [pid 6060:tid 2008] protocol.c(614): [client ...] Request received from client: POST /... HTTP/1.1 [Thu Feb 28 14:37:20.529622 2019] [headers:debug] [pid 6060:tid 2008] mod_headers.c(908): AH01503: headers: ap_headers_error_filter() Marc _______________________________________________ mod-security-developers mailing list mod...@li...<mailto:mod...@li...> https://scanmail.trustwave.com/?c=4062&d=kv333Abx-vXiIBZ1YneBxeM0MfaUkB_XCXnlDQQiBg&s=5&u=https%3a%2f%2flists%2esourceforge%2enet%2flists%2flistinfo%2fmod-security-developers ModSecurity Services from Trustwave's SpiderLabs: https://www.trustwave.com/spiderLabs.php |
