AWS WAF can only inspect the first 8 KB (8,192 bytes) of the body of a request. Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits.
Since you want to inspect only the first 8 KB and ignore the remaining bytes of the body, the best option would be “continue”, where AWS WAF inspects only those request component contents that are within the size limit, i.e. 8 KB.
Below is an example to get a better understanding of the 3 options in oversize handling (assuming a 9,000-byte body inspected for SQLi):

Continue: AWS WAF inspects bytes 1 through 8,192 of the body content for an SQLi attack. The remaining content, bytes 8,193 through 9,000, isn't inspected.

Match: AWS WAF marks this request as containing an SQLi attack and takes the rule action (either ALLOW or BLOCK).

Not match: AWS WAF marks this request as not containing an SQLi attack regardless of the request body content.
Now, the rule action might be set to “allow” or “block” depending upon your use case. For example, if you are inspecting the body for SQLi attacks and want to block all the requests, you would choose the action “BLOCK”.
If the rule's logic is to ALLOW requests, then setting the oversize handling to CONTINUE means the body would be inspected only up to 8192 bytes and even if anything suspicious is found, it would be allowed.
If the rule's logic is to BLOCK requests that have a body payload greater than 8192 bytes, then setting the oversize handling to CONTINUE means the body would be inspected only up to 8192 bytes, and if anything suspicious is found, it would be blocked.
In WAF Classic, you can work with size constraint conditions to manage how requests exceeding 8192 bytes are handled. Please refer to the documentation below. https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-size-conditions.html
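The following is an added example, not part of the answer above and not AWS's own code. It simulates the three oversize handling options over constructed request bodies so the practical consequence of CONTINUE is visible: an SQLi payload placed past byte 8,192 is never seen by the rule. The `looks_like_sqli` keyword check is a crude stand-in for AWS WAF's real SQLi match statement (an assumption of this example); the 8,192-byte limit is taken from the answer. `build_rule_statement` returns the WAFv2 rule statement shape in which `OversizeHandling` is actually configured (`FieldToMatch.Body.OversizeHandling`).

```python
"""
Added example (not from the original post): simulate how AWS WAF's oversize
handling options affect a body-inspection rule when the body exceeds the limit.
"""
import re

# Inspection limit quoted in the answer above (bytes).
BODY_INSPECTION_LIMIT = 8192

# Crude stand-in for WAF's SQLi match statement. This is an assumption of the
# example, not AWS WAF's detection logic.
_SQLI_PATTERN = re.compile(rb"(?i)(\bunion\b\s+\bselect\b|'\s*or\s*'1'\s*=\s*'1)")


def looks_like_sqli(data: bytes) -> bool:
    """Return True if the inspected bytes contain an SQLi-looking token."""
    return _SQLI_PATTERN.search(data) is not None


def evaluate_body_rule(body: bytes, oversize_handling: str) -> bool:
    """Return True when the rule matches, i.e. its action would fire.

    oversize_handling is one of CONTINUE, MATCH, NO_MATCH, as in WAFv2.
    """
    if len(body) <= BODY_INSPECTION_LIMIT:
        # Within the limit: the whole body is inspected normally.
        return looks_like_sqli(body)
    if oversize_handling == "MATCH":
        # Oversize body is treated as a match regardless of its content.
        return True
    if oversize_handling == "NO_MATCH":
        # Oversize body is treated as not matching regardless of its content.
        return False
    if oversize_handling == "CONTINUE":
        # Only the first BODY_INSPECTION_LIMIT bytes are inspected; anything
        # beyond them is invisible to the rule.
        return looks_like_sqli(body[:BODY_INSPECTION_LIMIT])
    raise ValueError(f"unknown oversize handling: {oversize_handling}")


def decide(body: bytes, oversize_handling: str, rule_action: str):
    """Return the rule action (ALLOW or BLOCK) if the rule matches, else None.

    Mirrors the answer's point: with a rule action of ALLOW, a match still
    allows the request; with BLOCK, a match blocks it.
    """
    if rule_action not in ("ALLOW", "BLOCK"):
        raise ValueError(f"unknown rule action: {rule_action}")
    return rule_action if evaluate_body_rule(body, oversize_handling) else None


def build_rule_statement(oversize_handling: str) -> dict:
    """WAFv2 rule statement shape with body inspection and oversize handling."""
    return {
        "SqliMatchStatement": {
            "FieldToMatch": {"Body": {"OversizeHandling": oversize_handling}},
            "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}],
        }
    }


# Constructed sample bodies (not captured traffic).
PAYLOAD = b"' OR '1'='1"
EARLY = PAYLOAD + b"&pad=" + b"x" * 9000  # payload inside the first 8 KB
LATE = b"pad=" + b"a" * 9000 + b"&q=" + PAYLOAD  # payload past byte 8,192


if __name__ == "__main__":
    for name, body in (("small", PAYLOAD), ("early", EARLY), ("late", LATE)):
        for mode in ("CONTINUE", "MATCH", "NO_MATCH"):
            print(f"{name:5} {mode:8} -> {decide(body, mode, 'BLOCK')}")
```

Running the block shows that with CONTINUE the late payload is never blocked, while MATCH blocks every oversize request (including benign large uploads) and NO_MATCH blocks none of them. That trade-off, not the rule action, is what oversize handling controls.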