mwitt_65218
Aug 28, 2009
truncation/request length exceeds defined buffer size

Greetings,

I was wondering if anybody might have any thoughts about something.

The policy for a web app is in blocking mode, but the BLOCK box for Request Length Exceeds Defined Buffer Size is not checked.

A user has uploaded successfully some zipped files, but he says that they are corrupted or something. Since the BLOCK box is not checked, the user of course did not get an F5 Block Page.

I see in the Report section the line with a red X for Illegal and also the symbol for Truncated. The requested object is [HTTP] /bd/DeliveryCreateQuickAction.do and the Request Violation is Request Length Exceeds Defined Buffer Size with Learn YES, Alarm YES, and Block NO.

Does the Truncated symbol mean that the files were truncated even though the Block box is not checked? Or does the Truncated symbol mean that IF THE BLOCK BOX WERE CHECKED, then the file WOULD BE truncated?

I would be much appreciative if anybody has any ideas or thoughts on the issue. I hope that my question makes sense.

Thanks,

mwitt

POST /bd/DeliveryCreateQuickAction.do HTTP/1.1
Host: secure.stinsonmorrison.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://secure.stinson.com/bds/DeliveryCreateQuick.do?method=getCreateSetup
Cookie: JSESSIONID=4455CF20CDD3D0C2B8C7E33326E5DFA1; TS6c4f0d=9e067674eb4c694df84b21eb15dbb0815b0bff9b0d3ad3794a981cec; TS2626bc=9e067674eb4c694df84b21eb15dbb0815b0bff9b0d3ad3794a981cec
Content-Type: multipart/form-data; boundary=---------------------------168072824752491622650073
Content-Length: 19845704

-----------------------------168072824752491622650073
Content-Disposition: form-data; name="method"

createQuick
-----------------------------168072824752491622650073
Content-Disposition: form-data; name="js"

n
-----------------------------168072824752491622650073
Content-Disposition: form-data; name="encoded1"


-----------------------------168072824752491622650073
Content-Disposition: form-data; name="encoded2"


-----------------------------168072824752491622650073
Content-Disposition: form-data; name="trackingNumber"

A03309926
-----------------------------168072824752491622650073
Content-Disposition: form-data; name="deliveryLink"

https://secure.stinsonmorrison.com/bd/Login.do?id=A03309926&p1=601
-----------------------------168072824752491622650073
Content-Disposition: form-data; name="senderInfo"

John Benson (john@theman-benson.com)
-----------------------------168072824752491622650073
Content-Disposition: form-data; name="fromAddress"

John Benson [john@theman-benson.com]
-----------------------------168072824752491622650073
Content-Disposition: form-data; name="org.apache.struts.taglib.html.TOKEN"

d312d984a95ab92ea7c11d61ae7fead0
-----------------------------168072824752491622650073
Content-Disposition: form-data; name="permanentMessage"


-----------------------------168072824752491622650073
Content-Disposition: form-data; name="recipientsTo"

kgdavid@stinsonmorrison.com
-----------------------------168072824752491622650073
Content-Disposition: form-data; name="recipientsCc"


-----------------------------168072824752491622650073
Content-Disposition: form-data; name="recipientsBcc"


-----------------------------168072824752491622650073
Content-Disposition: form-data; name="name"

big file from external
-----------------------------168072824752491622650073
Content-Disposition: form-data; name="secureMessage"


-----------------------------168072824752491622650073
Content-Disposition: form-data; name="message"

You have received a package via file transfer.
-----------------------------168072824752491622650073
Content-Disposition: form-data; name="filename0"; filename="Archive.zip"
Content-Type: application/zip


  • hoolio
    Hi,

    As far as I'm aware, ASM should never modify the request payload. I believe the truncated flag just indicates that ASM did not log the full request as it was larger than some configured limit. If you put the policy in blocking mode and the request triggers a violation with blocking enabled, ASM would take the blocking action.

    I think the default max request size is set to 10 MiB per the long_request_buffer_size internal parameter (set under 'Application Security | Options | Advanced Configuration'). You could extend this max size or disable the check entirely by modifying the blocking mask and disabling blocking on the Request Length Exceeds Defined Buffer Size check.

    Aaron
  • I thank you very much, Aaron! I appreciate your feedback. I did not think that F5 was truncating the file, but I just thought I'd ask. We do not have the BLOCK box checked, so the user did not get a blocking page. The user says though that the file is corrupted or something AFTER he has uploaded and was thinking that F5 has something to do with it. This user is in IT and knows that this web app is protected in F5, so he came to me and the Director of Network Security to ask if F5 was truncating or corrupting somehow the file. I noticed the Truncated symbol but did not know for sure if it meant that truncation had occurred.

    Thanks again very much, Aaron.
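The following is an added example, written for this page rather than taken from the thread or from F5, to make Aaron's distinction concrete: it models a WAF in alarm-only mode that keeps only the first buffer-size bytes of an oversized request for its log entry and marks that entry truncated, while the bytes it forwards to the application are untouched. It is a model of the described behaviour, not a description of ASM internals. Assumptions: the 10 MiB default is the long_request_buffer_size figure from the reply (the request pasted in the question declares Content-Length 19845704, about 18.9 MiB, so it would exceed that default); the hostname, boundary string and the 40 KiB pseudo-zip are constructed sample values; the multipart reader is a minimal one written for this example.

```python
"""Model of an alarm-only request-size check: the log copy is cut at the buffer
size and flagged, the forwarded copy is the full request. Example code, not F5's."""
import hashlib

DEFAULT_LONG_REQUEST_BUFFER = 10 * 1024 * 1024  # 10 MiB, as quoted in the reply


def build_upload_request(boundary: bytes, fields: list, file_field: str,
                         filename: str, data: bytes) -> bytes:
    """Construct a multipart/form-data POST shaped like the one in the question."""
    delim = b"--" + boundary
    body = b""
    for name, value in fields:
        body += (delim + b"\r\n" + b'Content-Disposition: form-data; name="'
                 + name.encode() + b'"\r\n\r\n' + value + b"\r\n")
    body += (delim + b"\r\n" + b'Content-Disposition: form-data; name="'
             + file_field.encode() + b'"; filename="' + filename.encode() + b'"\r\n'
             + b"Content-Type: application/zip\r\n\r\n" + data + b"\r\n")
    body += delim + b"--\r\n"                        # closing delimiter
    head = (b"POST /upload HTTP/1.1\r\n"
            + b"Host: app.example.invalid\r\n"       # placeholder host, not the poster's
            + b"Content-Type: multipart/form-data; boundary=" + boundary + b"\r\n"
            + b"Content-Length: " + str(len(body)).encode() + b"\r\n")
    return head + b"\r\n" + body


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Minimal multipart reader returning {field name: raw content}. A part that
    was cut off by truncation comes back with whatever bytes survived."""
    delim = b"--" + boundary
    parts = {}
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):                  # closing delimiter: nothing follows
            break
        head, _, content = chunk[2:].partition(b"\r\n\r\n")  # drop CRLF after delimiter
        if content.endswith(b"\r\n"):                # CRLF that precedes the next delimiter
            content = content[:-2]
        for line in head.split(b"\r\n"):
            if line.lower().startswith(b"content-disposition:"):
                for param in line.split(b";")[1:]:
                    key, _, val = param.strip().partition(b"=")
                    if key == b"name":
                        parts[val.strip(b'"').decode()] = content
    return parts


def inspect_request(request: bytes,
                    buffer_size: int = DEFAULT_LONG_REQUEST_BUFFER) -> dict:
    """Follow an oversized request down both paths of an alarm-only policy."""
    head, _, body = request.partition(b"\r\n\r\n")
    boundary = None
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-type:") and b"boundary=" in line:
            boundary = line.split(b"boundary=", 1)[1].strip()
    if boundary is None:
        raise ValueError("not a multipart request")
    exceeds = len(request) > buffer_size
    logged = request[:buffer_size]                   # path 1: log entry, cut and flagged
    _, _, logged_body = logged.partition(b"\r\n\r\n")
    forwarded_body = body                            # path 2: alarm-only, pass-through
    return {
        "exceeds_buffer": exceeds,
        "log_truncated": exceeds,
        "logged_parts": parse_multipart(logged_body, boundary),
        "forwarded_parts": parse_multipart(forwarded_body, boundary),
    }


def demo(buffer_size: int = 16 * 1024) -> dict:
    """Constructed sample: a 40 KiB pseudo-zip pushed through a 16 KiB buffer so
    the run stays fast; only the ratio to the real 10 MiB default matters."""
    archive = b"PK\x03\x04" + bytes(range(256)) * 160   # 40964 bytes, not a real zip
    req = build_upload_request(
        b"----constructedBoundary42",
        [("method", b"createQuick"), ("name", b"big file from external")],
        "filename0", "Archive.zip", archive)
    result = inspect_request(req, buffer_size)
    forwarded = result["forwarded_parts"]["filename0"]
    logged = result["logged_parts"].get("filename0", b"")
    return {
        "exceeds_buffer": result["exceeds_buffer"],
        "forwarded_intact": hashlib.sha256(forwarded).digest()
                            == hashlib.sha256(archive).digest(),
        "forwarded_len": len(forwarded),
        "logged_len": len(logged),
    }


if __name__ == "__main__":
    print(demo())            # small buffer: log copy cut short, forwarded file intact
    print(demo(1 << 20))     # roomy buffer: no violation, log and forwarded copies equal
```

With the small buffer the returned dict reports the violation, a logged copy of the file that is shorter than the original, and a forwarded copy whose SHA-256 matches the original; with a buffer larger than the request nothing is flagged and both copies are identical. The same comparison is the practical check for the poster's situation: hash the file the application stored against the user's original copy, and if they match the truncation marker concerned only the log entry, not the upload.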