Re: [mod-security-users] Large Payload processing time
From: Madden, J. <Joe...@mo...> - 2020-06-19 07:58:35
Hi Manuel,
I have this set, so I thought it would have used the correct processor:
SecRule REQUEST_HEADERS:Content-Type "text/xml" \
"id:'200000',phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML"
Thanks,
Joe.
Joe Madden
Senior Systems Engineer
D 01412224666
joe...@mo...
From: Manuel Spartan <spa...@gm...>
Sent: 13 June 2020 00:03
To: mod...@li...
Subject: Re: [mod-security-users] Large Payload processing time
Hi Joe, looks like you’re using the Default body processor on xml payloads which causes a lot of problems. Try setting it to XML based on the request_uri with ctl:requestBodyProcessor=XML
Regards,
Manuel
Sent from my iPhone
On Jun 11, 2020, at 9:47 AM, Madden, Joe via mod-security-users <mod...@li...> wrote:
Hi all,
I've had to disable the following rules in order to get a payload to process in a reasonable amount of time.
It's an XML payload of up to 20Mb in size. These are the rules which cause the processing to go from around 30 seconds to 772 seconds:
# Disables checking for Windows command injection
SecRuleRemoveById 932110
#Removes unix command injection filtering
SecRuleRemoveById 932100
#Removes unix command injection filtering 2
#SecRuleRemoveById 932105
#removes unix remote code execution
#SecRuleRemoveById 932150
#Disables Oracle WebLogic Remote Command Execution exploit
#SecRuleRemoveById 932115
#Disables PHPIDS - Converted SQLI Filters - Not required
#SecRuleRemoveById 942230
#Disables PHPIDS - Converted SQLI Filters - Not required
#SecRuleRemoveById 942190
#Disables HTTP Response Splitting - Not Required
#SecRuleRemoveById 921120
# Disables Sources for SQL ALTER statements
#SecRuleRemoveById 942360
#Disables XSS Filters - Category 3 - Not required
#SecRuleRemoveById 941130
#Disables XSS [NoScript InjectionChecker] Attributes injection - Not required
#SecRuleRemoveById 941170
#Disables XSS vectors making use of event handlers like onerror, onload
#SecRuleRemoveById 941120
I'll have times by the end of the day which rules take the longest but for example - Does anyone have any recommendations about this? We'd like to leave the unix RCE and command filters on as this is what our platform is.
Thanks
Joe.
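
Added example, not part of the thread: Manuel's suggestion of selecting the XML body processor by request URI, together with one way to limit the two rule removals above to that endpoint instead of applying them globally with SecRuleRemoveById. The path /api/xml-import and the rule ids 10001 and 10002 are assumptions made for illustration.

```apache
# Assumption: /api/xml-import is a hypothetical path for the endpoint that
# receives the large XML payloads; ids 10001 and 10002 are constructed ids.

# Select the XML body processor by request URI. This runs in phase 1,
# before the request body is read.
SecRule REQUEST_URI "@beginsWith /api/xml-import" \
    "id:10001,phase:1,t:none,pass,nolog,ctl:requestBodyProcessor=XML"

# Before: global removal, as posted in the thread.
# Rules 932110 and 932100 are switched off for every request.
# SecRuleRemoveById 932110
# SecRuleRemoveById 932100

# After: remove the same two rules only for requests to that endpoint.
# Every other URI keeps 932110 and 932100 active.
SecRule REQUEST_URI "@beginsWith /api/xml-import" \
    "id:10002,phase:1,t:none,pass,nolog,\
    ctl:ruleRemoveById=932110,\
    ctl:ruleRemoveById=932100"
```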