Seeing continous "Request length exceeds defined buffer size" alert.
I am really wondering why F5 ASM trigger an alert " Request Length exceeds defined buffer size" for OWA traffic. As you said in your update, i have set 1000000 value in Click Application Security --> Web application --> my ASM policy name ->menu --> click options--> advanced configuration tab --> logn_request_buffer_size. Once done , i restarted the service, but still its alerting this violation continously.
When i did pcap for one client, i can see below details.
3 10 1400496645.2175 (0.0363) C>SV3.1(416) application_data --------------------------------------------------------------- RPC_IN_DATA /rpc/rpcproxy.dll?ITBOUTLOOK.domain.com:6002 HTTP/1.1^M Cache-Control: no-cache^M Connection: Keep-Alive^M Pragma: no-cache^M Accept: application/rpc^M Cookie: OutlookSession="{10DC4706-987B-4804-81F2-A02A7BC7A25F} Outlook=14.0.7108.5000 OS=6.1.7601"^M User-Agent: MSRPC^M Content-Length: 1073741824^M Host: mail.domain.com^M Authorization: XXXXXXXXXXXXX
---------------------------------------------------------------
4 12 1400496645.5906 (0.0159) S>CV3.1(278) application_data --------------------------------------------------------------- 48 54 54 50 2f 31 2e 31 20 32 30 30 20 53 75 63 HTTP/1.1 200 Suc 63 65 73 73 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 cess..Content-Ty 70 65 3a 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 pe:application/r 70 63 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 pc..Content-Leng 74 68 3a 31 30 37 33 37 34 31 38 32 34 0d 0a 53 th:1073741824..S 65 74 2d 43 6f 6f 6b 69 65 3a 20 54 53 62 36 39 et-Cookie: TSb69 38 31 39 3d 66 36 63 66 38 38 38 33 30 35 66 62 819=f6cf888305fb 39 39 65 36 37 63 61 66 34 66 34 32 31 65 63 37 99e67caf4f421ec7 31 64 37 63 39 37 37 35 33 32 64 35 33 31 39 65 1d7c977532d5319e 62 38 64 65 35 33 37 39 65 32 30 34 3b 20 50 61 b8de5379e204; Pa 74 68 3d 2f 3b 20 53 65 63 75 72 65 3b 20 48 54 th=/; Secure; HT 54 50 4f 6e 6c 79 0d 0a 0d 0a 05 00 14 03 10 00 TPOnly.......... 00 00 1c 00 00 00 00 00 00 00 00 00 01 00 02 00 ................ 00 00 c0 d4 01 00 05 00 14 03 10 00 00 00 2c 00 ..............,. 00 00 00 00 00 00 00 00 03 00 06 00 00 00 01 00 ................ 00 00 00 00 00 00 00 00 01 00 02 00 00 00 c0 d4 ................ 01 00 .. ---------------------------------------------------------------
Let me know how to fix this issue permanently. If i go to Application Security --> File types --> I can see attached entry, let me know whether this is causing this alert.
Regards Babu