Re: [mod-security-users] Large Payload processing time

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi Joe, looks like you’re using the Default body processor on xml payloads which causes a lot of problems. Try setting it to XML based on the request_uri with ctl:requestBodyProcessor=XML

Regards,
Manuel
Sent from my iPhone

> On Jun 11, 2020, at 9:47 AM, Madden, Joe via mod-security-users <mod...@li...> wrote:
> 
> Hi all,
> 
> I've had to disable the following rules in order to get a payload to process in a resonable amount of time.
> 
> It a XML payload with up to 20Mb in size, These are the rules which cause the processing from from around 30 seconds to  772 seconds
> 
> 
>            # Disables checking for Windows command injection 
>            SecRuleRemoveById 932110
> 
>            #Removes unix command injection filtering
>            SecRuleRemoveById 932100
> 
>            #Removes unix command injection filtering 2
>            #SecRuleRemoveById 932105
> 
>            #removes unix remote code exceuction
>            #SecRuleRemoveById 932150
> 
>            #Disables Oracle WebLogic Remote Command Execution exploit
>            #SecRuleRemoveById 932115
> 
>            #Disables PHPIDS - Converted SQLI Filters - Not required
>            #SecRuleRemoveById 942230
> 
>            #Disables PHPIDS - Converted SQLI Filters - Not required
>            #SecRuleRemoveById 942190
> 
>            #Disables HTTP Response Splitting - Not Required
>            #SecRuleRemoveById 921120
> 
>            # Disables Sources for SQL ALTER statements
>            #SecRuleRemoveById 942360
> 
>            #Disables XSS Filters - Category 3 - Not required
>            #SecRuleRemoveById 941130
> 
>            #Disables XSS [NoScript InjectionChecker] Attributes injection - Not required
>            #SecRuleRemoveById 941170
> 
>            #Disables XSS vectors making use of event handlers like onerror, onload
>            #SecRuleRemoveById 941120
> 
> I'll have times by the end of the day which rules take the longest but for example - Does anyone have any recommendations about this? We'd like to leave the uinix RCE and command filters on at this is what our platform is.
> 
> Thanks
> 
> Joe.
> 
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/