[mod-security-users] Large Payload processing time

[Madden, J. <Joe...@mo...>]

Hi all,

I've had to disable the following rules in order to get a payload to process in a resonable amount of time.

It a XML payload with up to 20Mb in size, These are the rules which cause the processing from from around 30 seconds to  772 seconds


            # Disables checking for Windows command injection 
            SecRuleRemoveById 932110

            #Removes unix command injection filtering
            SecRuleRemoveById 932100

            #Removes unix command injection filtering 2
            #SecRuleRemoveById 932105

            #removes unix remote code exceuction
            #SecRuleRemoveById 932150

            #Disables Oracle WebLogic Remote Command Execution exploit
            #SecRuleRemoveById 932115

            #Disables PHPIDS - Converted SQLI Filters - Not required
            #SecRuleRemoveById 942230

            #Disables PHPIDS - Converted SQLI Filters - Not required
            #SecRuleRemoveById 942190

            #Disables HTTP Response Splitting - Not Required
            #SecRuleRemoveById 921120

            # Disables Sources for SQL ALTER statements
            #SecRuleRemoveById 942360

            #Disables XSS Filters - Category 3 - Not required
            #SecRuleRemoveById 941130

            #Disables XSS [NoScript InjectionChecker] Attributes injection - Not required
            #SecRuleRemoveById 941170

            #Disables XSS vectors making use of event handlers like onerror, onload
            #SecRuleRemoveById 941120

I'll have times by the end of the day which rules take the longest but for example - Does anyone have any recommendations about this? We'd like to leave the uinix RCE and command filters on at this is what our platform is.

Thanks

Joe.