HIDS 31102 and default value for WAF_READSTATELIMIT

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
Post Reply
prupert
Forum Regular
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

HIDS 31102 and default value for WAF_READSTATELIMIT

Unread post by prupert »

We noticed that the default value for WAF_READSTATELIMIT is changed from 10 to 100 in ASL 4. See the wiki page on https://www.atomicorp.com/wiki/index.ph ... STATELIMIT. Of course we are still running the latest ASL 3, which means that by default the WAF_READSTATELIMIT setting is set to 10.

We are encountering many incidents where we believe legit users are hitting this limit, and are shunned because of HIDS rule 31102 which monitors for this mod_security event.

What is the reason of changing the default limit from 10 to 100 in ASL 4? Is ASL 4 doing something special, or is the limit in ASL 3 just too low? Do you recommend to raise the default in ASL 3 too?
Lemonbit Internet Dedicated Server Management
Top
User avatar
mikeshinn
Atomicorp Staff - Site Admin
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: HIDS 31102 and default value for WAF_READSTATELIMIT

Unread post by mikeshinn »

Yes, ASL4 does things differently and has other countermeasures for slow DOS attacks obviating the need for that control to be set in that manner.
Top
Post Reply

Return to “Atomic Protector (formerly ASL)”