Forum Discussion

babu_7813's avatar
babu_7813
Icon for Nimbostratus rankNimbostratus
May 19, 2014

Seeing continous "Request length exceeds defined buffer size" alert.

I am really wondering why F5 ASM trigger an alert " Request Length exceeds defined buffer size" for OWA traffic. As you said in your update, i have set 1000000 value in Click Application Security --> Web application --> my ASM policy name ->menu --> click options--> advanced configuration tab --> logn_request_buffer_size. Once done , i restarted the service, but still its alerting this violation continously.

When i did pcap for one client, i can see below details.

3 10 1400496645.2175 (0.0363) C>SV3.1(416) application_data --------------------------------------------------------------- RPC_IN_DATA /rpc/rpcproxy.dll?ITBOUTLOOK.domain.com:6002 HTTP/1.1^M Cache-Control: no-cache^M Connection: Keep-Alive^M Pragma: no-cache^M Accept: application/rpc^M Cookie: OutlookSession="{10DC4706-987B-4804-81F2-A02A7BC7A25F} Outlook=14.0.7108.5000 OS=6.1.7601"^M User-Agent: MSRPC^M Content-Length: 1073741824^M Host: mail.domain.com^M Authorization: XXXXXXXXXXXXX

---------------------------------------------------------------

4 12 1400496645.5906 (0.0159) S>CV3.1(278) application_data --------------------------------------------------------------- 48 54 54 50 2f 31 2e 31 20 32 30 30 20 53 75 63 HTTP/1.1 200 Suc 63 65 73 73 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 cess..Content-Ty 70 65 3a 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 pe:application/r 70 63 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 pc..Content-Leng 74 68 3a 31 30 37 33 37 34 31 38 32 34 0d 0a 53 th:1073741824..S 65 74 2d 43 6f 6f 6b 69 65 3a 20 54 53 62 36 39 et-Cookie: TSb69 38 31 39 3d 66 36 63 66 38 38 38 33 30 35 66 62 819=f6cf888305fb 39 39 65 36 37 63 61 66 34 66 34 32 31 65 63 37 99e67caf4f421ec7 31 64 37 63 39 37 37 35 33 32 64 35 33 31 39 65 1d7c977532d5319e 62 38 64 65 35 33 37 39 65 32 30 34 3b 20 50 61 b8de5379e204; Pa 74 68 3d 2f 3b 20 53 65 63 75 72 65 3b 20 48 54 th=/; Secure; HT 54 50 4f 6e 6c 79 0d 0a 0d 0a 05 00 14 03 10 00 TPOnly.......... 00 00 1c 00 00 00 00 00 00 00 00 00 01 00 02 00 ................ 00 00 c0 d4 01 00 05 00 14 03 10 00 00 00 2c 00 ..............,. 00 00 00 00 00 00 00 00 03 00 06 00 00 00 01 00 ................ 00 00 00 00 00 00 00 00 01 00 02 00 00 00 c0 d4 ................ 01 00 .. ---------------------------------------------------------------

Let me know how to fix this issue permanently. If i go to Application Security --> File types --> I can see attached entry, let me know whether this is causing this alert.

Regards Babu

APM
ASM Advanced WAF
deployment
security

2 Replies

Sort By
  • mimlo_61970's avatar
    mimlo_61970
    Icon for Cumulonimbus rankCumulonimbus
    May 19, 2014

    See http://support.f5.com/kb/en-us/solutions/public/14000/000/sol14034.html for more information.

     

    Basically your request (1073741824 based on the content length) was larger than the configured size of 10000000. The default is to block requests that exceed the buffer size. You can set EnableASMByPass to 1 to allow these requests through, but without ASM inspection.

     

    You can also disable the violation under Policy, Blocking, Settings and uncheck "Request length exceeds defined buffer size"

     

  • babu_7813's avatar
    babu_7813
    Icon for Nimbostratus rankNimbostratus
    May 25, 2014

    Hi,

     

    Actually, what i dont understand is that, end user is not sending any emails from his outlook client when this alert is triggered by ASM but when i run the PCAP in ASM device, i could see content legnth value as 1073741824). Need to understand why outlook is sending this value to my OWA service while in IDLE situation.

     

    If this is outlook issue, i am seeing such behaviour in multiple outlook clients. Let me know how to address it. Currently we have allowed this traffic as we fear that this could lead to service outage. If we know actual issue , we can block at ASM level.

     

    Kindly advise.

     

    Regards babu