Hi there ASMers. We've run into what I hope is not a unique situation. We've had a rapid deployment policy running in transparent mode sitting in front of our PeopleSoft/PeopleTools instance, and we seem to be hitting a wall on one issue in particular. Every now and then, we flag a level 5 violation which ASM classifies as an "HTTP Parser Attack". The reasoning is that the URI length exceeds the global ASM default value of 2048. I'm loath to increase the global limit just to satisfy this one virtual, as we're hosting over 500. Conventional wisdom seems to suggest that 2048 is a good limit, so I'm wondering - where do other people come in? Has anyone else had to change the global limit for this? We are running PeopleSoft pretty much straight out of the box, no customizations other than also running the Grey Heller app firewall.
For what it's worth, F5 has an RFE for raising this limit on a per-virtual basis, but as things stand now, it impacts all of ASM.
Generally keeping your URIs under 2000 characters is considered best practice, so 2048 should be fine. Having said that, RFC 7230 says:
"Various ad hoc limitations on request-line length are found in practice. It is RECOMMENDED that all HTTP senders and recipients support, at a minimum, request-line lengths of 8000 octets."
Given a standard 8-bit character in UTF-8 encoding, that would be 1000 characters.
As a matter of course, if your site is requiring longer URIs and this is not in error, I would find out from the webmaster what the longest URI he would expect is and set the value to that. This is also a good opportunity to find out if this is in fact an error, and if so get it fixed.
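One way to find the longest URI the application really sends, as an added example that is not part of the original posts: a Python sketch that reads common/combined-format web server access log lines and reports, per path, how many request URIs exceed the 2048 limit discussed above. It assumes the length is counted over the whole request target including the query string (whether ASM counts it the same way is an assumption), and the sample log lines and paths are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

ASM_DEFAULT_LIMIT = 2048   # global URI length limit named in the thread
RFC7230_MINIMUM = 8000     # request-line octets RFC 7230 recommends supporting

# Matches the quoted request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def uri_length_report(lines, limit=ASM_DEFAULT_LIMIT):
    """Group request URIs by path and report the paths that exceed `limit`.

    Returns {path: {"hits": n, "over": n, "max_len": octets}} for paths with
    at least one URI longer than `limit`. Length is the octet count of the
    URI as logged, path plus query string (assumption, see lead-in).
    """
    stats = defaultdict(lambda: {"hits": 0, "over": 0, "max_len": 0})
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue  # malformed entry or no HTTP request line
        uri = m.group("uri")
        length = len(uri.encode("utf-8"))
        entry = stats[urlsplit(uri).path]
        entry["hits"] += 1
        entry["max_len"] = max(entry["max_len"], length)
        if length > limit:
            entry["over"] += 1
    return {p: s for p, s in stats.items() if s["over"]}

def constructed_sample():
    """Constructed log lines; paths and parameters are made up for the example."""
    long_q = "ICState=" + "A" * 2100
    return [
        '10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /psp/hr/EMPLOYEE/HRMS/c/MENU.GBL?Page=1 HTTP/1.1" 200 512',
        f'10.0.0.5 - - [01/Jan/2020:10:00:01 +0000] "GET /psp/hr/EMPLOYEE/HRMS/c/MENU.GBL?{long_q} HTTP/1.1" 200 512',
        '10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 128',
        'garbage line without a request',
    ]

if __name__ == "__main__":
    for path, s in uri_length_report(constructed_sample()).items():
        note = "over 8000 octets as well" if s["max_len"] > RFC7230_MINIMUM else "within 8000 octets"
        print(f'{path}: {s["over"]}/{s["hits"]} over limit, longest {s["max_len"]} octets ({note})')
```

Grouping by path shows whether the long URIs come from one page or are spread across the application, which is the information needed when asking whether the behaviour is expected.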
Thanks Chris. They claim this is expected behavior, so I was hoping to hear from other folks in the trenches if this was really the case, or if anyone had ever hit this limit before. Just seemed odd, and I doubt we're the first people to deploy ASM in front of PeopleSoft.