ASM - file type length on certain urls

Hi Boneyard,

 

 

You can configure the specific parameter on the URL object that clients use to upload the file and set a max size that is less than the total request size configured for the filetype.

 

 

I hope this is clear, but if not let me know and I'll try to attach some sample config screenshots.

 

 

Aaron

yeah some screenshot would be nice, currently i have just configured aspx to allow POST requests of like 4mb, but i would only to have to happen for /url/url2/url3/upload.apx and not all aspx files.

i found the method to do this with url parameters, but that is not really what im looking for. there are request and POST data length restrictions on the file type which i want to lift on a file by file basis. this is also the safest in my opinion, allow little in general and make exceptions where needed.

 

 

had some time to try this in a test environment. changed from aspx to php, but the idea stays the same. i can configure a limit on POST data per file type, so php. but i can't configure it specifically for a certain php file / url, or is there a way to do this?

 

 

Sorry if this response might sound total "rookie" lol, but are you using dynamic file sizes?

 

 

I'm assuming you are. I think it's going to be hard to filter on the file size. I mean if you have a dynamic file size and your worried about the content of the file being malicious you're really going to have to look at the file and not the size in an environment with dynamic events. And here lies the boundry from known to APT right?

 

 

Maybe there's an iRule that can be create. What I mean by this is you can compare the file size from previous to current and justify an amount of change?

 

 

If your starting out with a blank form, and then there's something that's going to be filled in...well there's only so much that can be entered into a form (i.e. name, address, phone number etc.)

 

 

So, i'm not too sure if it's the size that matters? lol =)

 

but, more like: who, what, where, when of the file and then go from there. I mean you might be able to do specific form flows for certain files. that would be one way to completely negate the need for size checking since your tightening the traffic to a known path.

 

 

cheers!

lastly - never forget that good security typically comes in layers =)

 

 

maybe your just trying to get the device to do something that should really be handled somewhere else...

 

Sorry, I lost this thread in the shuffle. Basically, you can't surpass the total request size limit of a filetype for specific URLs or parameter values. What I was trying to show is that you can set a limit on the file upload to one URL that is lower than for a different URL of the same filetype.

 

 

Aaron