We noticed that the default value for WAF_READSTATELIMIT is changed from 10 to 100 in ASL 4. See the wiki page on https://www.atomicorp.com/wiki/index.ph ... STATELIMIT. Of course we are still running the latest ASL 3, which means that by default the WAF_READSTATELIMIT setting is set to 10.
We are encountering many incidents where we believe legit users are hitting this limit, and are shunned because of HIDS rule 31102 which monitors for this mod_security event.
What is the reason of changing the default limit from 10 to 100 in ASL 4? Is ASL 4 doing something special, or is the limit in ASL 3 just too low? Do you recommend to raise the default in ASL 3 too?
HIDS 31102 and default value for WAF_READSTATELIMIT
HIDS 31102 and default value for WAF_READSTATELIMIT
Lemonbit Internet Dedicated Server Management
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4149
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: HIDS 31102 and default value for WAF_READSTATELIMIT
Yes, ASL4 does things differently and has other countermeasures for slow DOS attacks obviating the need for that control to be set in that manner.
Michael Shinn
Atomicorp - Security For Everyone
Atomicorp - Security For Everyone