
ModSecurity SecResponseBodyLimit & SecResponseBodyLimitAction

Comments


  • cPWilliamL
    That's a good question, and it's likely to vary widely depending on which applications your clients use. I found some interesting articles about the average page size, which doesn't fully correlate to response body size but may be a decent gauge:
    SpeedCurve | The average web page is 3MB. How much should we care?
    The Growth of Web Page Size - KeyCDN Support
    The command below can also be used to determine the average response size from your domlogs (this can be I/O intensive; consider nice/ionice on systems with a large number of domains):
    # find /var/log/apache2/domlogs/ -maxdepth 1 -type f \! \( -name \*-bytes_log -o -name \*-ftp_log.offsetftpbytes \) -size +0 -exec cat '{}' \; | awk 'NF>=10 && $10 ~ /[0-9]/{sum+=$10;n++}END{if (n>0) print sum/n}'
    I'm not sure if there is a direct security concern with the setting; rather, it better addresses resource issues, particularly bandwidth or perhaps preventing Apache slots from being held longer than they should by spewing lots of data. Disregarding streaming sites/applications, a web server is typically not for distributing large data; S/FTP is better suited for that.
  • osirion
    Thanks for that, I did run the command on my servers and it returned 68606.2 and 22135.7 respectively; so I suppose 512kb then is more than sufficient 'on average'. However, I then tried to see a problem domain that's 'hitting' the above mentioned rule by tweaking the command like so:
    find /var/log/apache2/domlogs/ -maxdepth 1 -type f \! \( -name thedomain.co.za-bytes_log -o -name thedomain.co.za-ftp_log.offsetftpbytes \) -size +0 -exec cat '{}' \; | awk 'NF>=10 && $10 ~ /[0-9]/{sum+=$10;n++}END{if (n>0) print sum/n}'
    And it only returned "22201.4" which then it should be fine? Am I doing it wrong or misunderstanding the result?
  • cPanelMichael
    And it only returned "22201.4" which then it should be fine? Am I doing it wrong or misunderstanding the result?

    It returns the average response time, but that doesn't mean some requests don't come in higher than average and thus are blocked. Thank you.
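The point made in the reply above (an average well under the limit can still hide individual oversized responses) is easy to check directly. The script below is an added example, not a command from the thread: it reads the response-size field (`$10` in Apache combined format, the same field the thread's awk uses), skips entries whose size is `-`, and reports the count, average, maximum and the number of responses larger than a given SecResponseBodyLimit. The log lines are constructed sample data, not real traffic; the file path and function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): summarise response body sizes from an
# Apache combined-format domlog and count the responses that would exceed a
# given SecResponseBodyLimit value.

# Constructed sample log lines (not real traffic). Two of the five responses
# are larger than the 524288-byte limit discussed in the thread, and the 404
# has "-" as its size, which must be skipped rather than counted as zero.
SAMPLE_LOG="${TMPDIR:-/tmp}/domlog_sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /style.css HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.6 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 600000 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:20 +0000] "GET /missing HTTP/1.1" 404 - "-" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2023:13:57:00 +0000] "GET /export.csv HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"
EOF

# body_size_report LOGFILE LIMIT
# Prints four space-separated values: number of sized responses, average
# size, largest size, and how many responses were larger than LIMIT.
body_size_report() {
    awk -v limit="$2" '
        # Only lines with a numeric size field; "-" (no body) is skipped.
        NF >= 10 && $10 ~ /^[0-9]+$/ {
            sum += $10; n++
            if ($10 > max) max = $10
            if ($10 > limit) over++
        }
        END { if (n > 0) printf "%d %.1f %d %d\n", n, sum / n, max, over + 0 }
    ' "$1"
}

# Accessors for scripted checks (e.g. alert when any response is over limit).
over_limit_count() { body_size_report "$1" "$2" | awk '{print $4}'; }
max_body_size()    { body_size_report "$1" "$2" | awk '{print $3}'; }

# Run against the constructed sample with the thread's 512 KiB limit.
body_size_report "$SAMPLE_LOG" 524288
```

On the sample data the average is about 418 KB, under the limit, yet two responses exceed it; those are the requests that would produce the "Response body too large" error when SecResponseBodyLimitAction is set to Reject, whereas ProcessPartial lets the response through and inspects only the first SecResponseBodyLimit bytes. Running the report per domlog (rather than over all domlogs at once) shows which domain is actually affected.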
  • jmginer
    We also have some WordPress websites hitting this in /usr/local/apache/logs/error_log: ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified).
  • cPanelMichael
    We have also some wordpress websites hitting: /usr/local/apache/logs/error_log ModSecurity: Output filter: Response body too large (over limit of 524288, total not specified).

    Hi @jmginer, are you using the OWASP rule set? If so, you may find the discussion on the following thread helpful: it references some exclusion options for WordPress you may want to implement. Thank you.
