Re: [mod-security-users] What are the optimal PCRE limits?
From: Moody, D. (dam8u) <da...@es...> - 2010-05-13 20:25:18
Anyone: How do you unsubscribe from this list? There are no instructions in the list emails and sending an "unsubscribe" email does not work.

Thanks,
David

On May 13, 2010, at 3:27 PM, Sergio wrote:

Thank you Brian. I will lower the value to 50,000 just as a starting point and see how many PCRE errors I get. Right now with the 150,000 limit I don't see any performance issue, as my server has a lot of memory and two quad processors; maybe that is why I haven't seen any degradation at all.

Best Regards,
Sergio Cabrera

On Thu, May 13, 2010 at 10:27 AM, Brian Rectanus <Bri...@br...> wrote:

On 05/12/2010 10:16 PM, Sergio wrote:
> Hi all,
> I have just installed 2.5.12 in my server and found that I needed to add
> the following commands to my modsec2.user.conf file:
>
>   SecPcreMatchLimit 150000
>   SecPcreMatchLimitRecursion 150000
>
> I have set an initial 150000, but found sporadic errors like: "Rule
> execution error - PCRE limits exceeded (-8): (null)."
>
> So, what is the best or recommended value to use? Or, does this have to
> be the same as the value of the SecResponseBodyLimit 2621440 that I am using?

There are no real recommended values. Your 150,000 value I would consider too high (libpcre defaults to 5,000,000 in previous versions of modsec and this was WAY too high). I'd keep it under 50,000.

The errors you are getting are probably from the phpids rules. Try disabling (not loading) them. When I do this, usually a limit value of 5,000-8,000 will work fine.

The point here is that you can raise the value, but when you do, then it is possible that you have an issue with REDoS, meaning if you have some not-so-good regexes like some in our version of the phpids regexes (note that this is our fault in the translation of them, as PHPIDS uses them in a more controlled manner), then you end up with lots of recursion that could destroy performance. Lower the number and you may get occasional errors for limits exceeded, but your performance is better.

You just need to balance this by what rules you use and what limits you set.

-B

--
Brian Rectanus
Breach Security
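The trade-off Brian describes (a match limit caps the CPU one regex can burn, at the cost of occasional "limits exceeded" errors) is easier to see with a counter in hand. The following is an added illustration written for this page, not code from the thread, from ModSecurity or from libpcre: a toy backtracking matcher in Python that supports literals, groups and the `+`/`*` quantifiers, counts every node visit as one step, and abandons the attempt once a `match_limit` is passed, the same way libpcre's `pcre_exec` gives up with `PCRE_ERROR_MATCHLIMIT` (value -8 in `pcre.h`, the number in Sergio's log line). The pattern names, the `try_match` helper and the constructed subject strings are this example's own; `(a+)+b` is the textbook nested-quantifier shape, standing in for the "not-so-good" translated phpids regexes rather than quoting any of them.

```python
"""Toy backtracking regex matcher with a PCRE-style match limit.

Added illustration, not ModSecurity or libpcre code.  Supports literals,
'(' ')' groups and the '+' / '*' quantifiers, matches anchored at the start
of the subject, and counts every node visit as one "step".  When the step
count passes match_limit the attempt is abandoned, which is what libpcre
does when its match_limit is hit (pcre_exec returns PCRE_ERROR_MATCHLIMIT).
"""

PCRE_ERROR_MATCHLIMIT = -8  # value from pcre.h; the "(-8)" in the log line


class MatchLimitExceeded(Exception):
    """Raised when the step budget for one match attempt is used up."""


def parse(pattern):
    """Parse a pattern into nested tuples:
    ("lit", ch) | ("seq", [nodes]) | ("plus", node) | ("star", node)."""
    pos = 0

    def parse_seq():
        nonlocal pos
        items = []
        while pos < len(pattern) and pattern[pos] != ")":
            ch = pattern[pos]
            pos += 1
            if ch == "(":
                node = parse_seq()
                if pos >= len(pattern) or pattern[pos] != ")":
                    raise ValueError("unbalanced parenthesis")
                pos += 1
            elif ch in "+*":
                raise ValueError("quantifier with nothing to repeat")
            else:
                node = ("lit", ch)
            # postfix quantifiers apply to the node just parsed
            while pos < len(pattern) and pattern[pos] in "+*":
                node = ("plus" if pattern[pos] == "+" else "star", node)
                pos += 1
            items.append(node)
        return ("seq", items)

    tree = parse_seq()
    if pos != len(pattern):
        raise ValueError("unbalanced parenthesis")
    return tree


def try_match(pattern, subject, match_limit=5000):
    """Match `pattern` at the start of `subject` using at most `match_limit`
    steps.  Returns {"matched": bool, "steps": int, "error": None or
    PCRE_ERROR_MATCHLIMIT}; steps is the budget spent on this attempt."""
    tree = parse(pattern)
    steps = 0

    def visit(node, i, k):
        # One step per node visit, like libpcre's per-attempt match counter.
        nonlocal steps
        steps += 1
        if steps > match_limit:
            raise MatchLimitExceeded()
        kind = node[0]
        if kind == "lit":
            return i < len(subject) and subject[i] == node[1] and k(i + 1)
        if kind == "seq":
            items = node[1]

            def run(idx, j):
                if idx == len(items):
                    return k(j)
                return visit(items[idx], j, lambda j2: run(idx + 1, j2))

            return run(0, i)
        inner = node[1]
        if kind == "plus":
            return visit(inner, i, lambda j: visit(("star", inner), j, k))
        # "star": greedy, try another repetition first, then give one back.
        # An empty repetition is refused so (a*)* cannot loop forever.
        return visit(inner, i, lambda j: j != i and visit(node, j, k)) or k(i)

    try:
        matched = bool(visit(tree, 0, lambda j: True))
        return {"matched": matched, "steps": steps, "error": None}
    except MatchLimitExceeded:
        return {"matched": False, "steps": steps, "error": PCRE_ERROR_MATCHLIMIT}


if __name__ == "__main__":
    # Constructed inputs: a well-behaved pattern and one with nested
    # quantifiers (the shape behind ReDoS), both against a subject that
    # cannot match, so the engine has to exhaust every way of splitting it.
    bad_subject = "a" * 25 + "X"
    for pat in ("a+b", "(a+)+b"):
        for limit in (5000, 50000):
            r = try_match(pat, bad_subject, match_limit=limit)
            print(f"{pat:8} limit={limit:6}: {r}")
```

Against 25 non-matching characters the benign `a+b` fails in well under a hundred steps, while `(a+)+b` has to try every way of cutting the run of `a`s into groups, which grows as 2^(n-1) with the run length; raising the limit from 5,000 to 50,000 does not let that pattern finish, it only lets it burn ten times the CPU before it fails. That is the balance in the reply above: the limit is a ceiling on what one rule can cost per match, and any rule that needs a very high ceiling is the one to look at. The counter here mirrors libpcre's `match_limit`, which ModSecurity sets from `SecPcreMatchLimit`; `SecPcreMatchLimitRecursion` feeds the separate `match_limit_recursion`, which bounds backtracking depth (stack) rather than total steps and is not modelled by this toy. When tuning, count the `-8` errors in the ModSecurity error log before and after each change; later ModSecurity 2.x releases also set the `TX:MSC_PCRE_LIMITS_EXCEEDED` variable when a limit trips, so the affected transactions can be flagged by a rule, but check that your version exposes it.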