Re: [mod-security-users] Large Payload processing time
From: Madden, J. <Joe...@mo...> - 2020-06-11 15:54:51
Processing time of each of the rules which take the longest with our payload:
932110 - All Enabled
Processing Time: 779
932100 - Removes unix command injection filtering
Processing Time: 13
932105 - Removes unix command injection filtering 2
Processing Time: 14
932150 - Removes remote code execution
Processing Time: 2
932115 - Oracle WebLogic Remote Command Execution exploit
Processing Time: 700
942230 - Disables PHPIDS - Converted SQLI Filters
Processing Time: 7
942190 - Disables PHPIDS - Converted SQLI Filters
Processing Time: 1 Second
921120 - Disables HTTP Response Splitting
Processing Time: 2
942360 - Disables Sources for SQL ALTER statements
Processing Time: 2
941130 - Disables XSS Filters - Category 3
Processing Time: 9
941170 - Disables XSS [NoScript InjectionChecker] Attributes injection
Processing Time: 7
941120 - Disables XSS vectors making use of event handlers like onerror, onload
Processing Time: 3 Seconds
Thanks,
Joe.
Joe Madden
Systems Engineer
D 01412224666
joe...@mo...
-----Original Message-----
From: Madden, Joe via mod-security-users <mod...@li...>
Sent: 11 June 2020 14:45
To: Madden, Joe via mod-security-users <mod...@li...>
Cc: Madden, Joe <Joe...@mo...>; mod...@ow...
Subject: [mod-security-users] Large Payload processing time
Hi all,
I've had to disable the following rules in order to get a payload to process in a reasonable amount of time.
It's an XML payload of up to 20Mb in size. These are the rules which cause the processing to go from around 30 seconds to 772 seconds
# Disables checking for Windows command injection
SecRuleRemoveById 932110
#Removes unix command injection filtering
SecRuleRemoveById 932100
#Removes unix command injection filtering 2
#SecRuleRemoveById 932105
#Removes unix remote code execution
#SecRuleRemoveById 932150
#Disables Oracle WebLogic Remote Command Execution exploit
#SecRuleRemoveById 932115
#Disables PHPIDS - Converted SQLI Filters - Not required
#SecRuleRemoveById 942230
#Disables PHPIDS - Converted SQLI Filters - Not required
#SecRuleRemoveById 942190
#Disables HTTP Response Splitting - Not Required
#SecRuleRemoveById 921120
# Disables Sources for SQL ALTER statements
#SecRuleRemoveById 942360
#Disables XSS Filters - Category 3 - Not required
#SecRuleRemoveById 941130
#Disables XSS [NoScript InjectionChecker] Attributes injection - Not required
#SecRuleRemoveById 941170
#Disables XSS vectors making use of event handlers like onerror, onload
#SecRuleRemoveById 941120
I'll have times by the end of the day for which rules take the longest but for example - Does anyone have any recommendations about this? We'd like to leave the unix RCE and command filters on as this is what our platform is.
Thanks
Joe.
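
An added example, not part of the original thread or of the poster's configuration: `SecRuleRemoveById` as used above drops the rules for every request, whereas a phase 1 rule with `ctl:ruleRemoveById` can limit the removal to the requests that carry the large XML body. The path `/import/xml` and the rule id `1000` are assumptions made for illustration.

```apache
# Added example (not from the thread). Hypothetical values: the endpoint
# path /import/xml and the local rule id 1000.
#
# Load this before the CRS rules are included, for example from the CRS
# REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file. It runs in phase 1,
# ahead of the phase 2 rules it switches off.
#
# Global form from the message (affects all traffic):
#   SecRuleRemoveById 932110
#   SecRuleRemoveById 932100
#
# Scoped form: remove the same two rules only for XML POSTs to the
# endpoint that receives the large payload. Every other request is
# still inspected by 932110 and 932100.
SecRule REQUEST_FILENAME "@beginsWith /import/xml" \
    "id:1000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    chain"
    SecRule REQUEST_METHOD "@streq POST" \
        "t:none,\
        chain"
        SecRule REQUEST_HEADERS:Content-Type "@rx ^(?:application|text)/xml" \
            "t:none,t:lowercase,\
            ctl:ruleRemoveById=932110,\
            ctl:ruleRemoveById=932100"
```

The `ctl` actions sit on the last rule of the chain, so they take effect only when the path, method and content type all match.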