How to configure modsecurity to log response which is greater than configured SecResponseBodyLimit?

Question

Modsecurity is a great tool to find data leakage issues in the response body. For my current project, I want to detect data leakage issues with a configured response body size set via SecResponseBodyLimit and the action for response body greater than this limit set to ProcessPartial.

This works as expected however, I would like to log response which is greater than the set limit. Is there any way to do it?

score 0 · Accepted Answer · answered Dec 14 '18 at 03:46

ModSecurity sets a variable named OUTBOUND_DATA_ERROR to 1 whenever the response size is above the setting configured in SecResponseBodyLimit. Thus a simple rule that checks this variable can be used to achieve the requirement. Example:

SecRule OUTBOUND_DATA_ERROR "@eq 1" "id:124,phase:4,t:none,log,msg:'DATA_OVERFLOW'"

ModSecurity documentation reference

How to configure modsecurity to log response which is greater than configured SecResponseBodyLimit?

1 Answers1