Re: Why is IPS blocking some clients




Sebastian Gottschalk wrote:
Tom wrote:

Most likely it's because the POST message is very big and regular. The
encoding as multipart/form-data might add up to the indications as well.

The test form is tiny -- the returned POST is only about 2kB.

Try to measure the size in number of fields. And become aware that these
are quite many fields for a simple form.

It only has 24 fields, corresponding to a form that would have hours
1-24. Even a single-field form caused problems when the user submitted
enough text in the field to require 2 or more network packets to send.


Did you try it?

No, I'm not running such bullshit. My job usually only consists of giving
good examples why they're nonsense and uninstalling them.

Fortunately (I think) the problem is only seen by users that are on the
other side of an IPS (of certain models perhaps). I need to know what
it is about the form (or my site) that is causing the problem with
these IPS's, and I too do not run one to know.

Anyone else that has an IPS, if you can try the site and let me know
what error you may receive from your IPS/IDS log would be greatly
appreciated.

(Test form remains at http://www.sygration.com/cgi-bin/banana64 )

Let me know if there is another service or forum better suited for my
request.

Thanks, Tom

.