Re: [mod-security-users] SecPcreMatchLimit , SecPcreMatchLimitRecursion and CPU usage[ScanMail Noti
Brought to you by:
victorhora,
zimmerletw
From: Brian R. <bre...@gm...> - 2010-10-20 17:44:49
|
It means that the match attempt was aborted as it was taking too many resources. It is not harmful per se, but does mean that an attack crafted to only match well into the recursion may bypass detection. Most of these issues are caused by the PHPIDS rules. You may want to just disable these and then keep the default settings for the limits. -B On Wed, Oct 20, 2010 at 2:54 AM, <ja...@je...> wrote: > No on can help? > > At least i want to know if the error PCRE limits exceeded (-8): (null) is > harmful besides increase my error log size? > > Many thx!!!!! > > Jay > > > > ja...@je.... > hk > To > 10/19/2010 01:33 mod...@li...urceforg > PM e.net > cc > > Subject > [mod-security-users] > SecPcreMatchLimit , > SecPcreMatchLimitRecursion and CPU > usage[ScanMail Notification] <<Your > mail is fully scanned.>> > > > > > > > > > > > > Hi all, > > I have google the relationship between CPU and SecPcreMatchLimit > /SecPcreMatchLimitRecursion. > > I know that the when i lower the number of SecPcreMatchLimit > /SecPcreMatchLimitRecursion and i may get occasional > errors for limits exceeded (PCRE limits exceeded (-8): (null)), but the > performance is better. > > However, for my case, when i use defult setting: > > SecPcreMatchLimit 1000 > SecPcreMatchLimitRecursion 1000 > > The performance is good but there are lots of PCRE limits exceeded error > flow. > > When i set the limit to 150000 (refer to some posts in google), the errors > gone but the performance is bad. > > Then i try to find out the optimal limit, i try 10000, 50000....but the > performance is even worst than 150000, i cant believe it... > > i am thinking if i should set the limit to 5000 and just ignore the errors > flow? (cause the performance is good) > Or there is another setting i have to configure? > > Please advice~~~ > Many thanks!!! > > Jay > This e-mail is intended solely for the addressee. If you have received > this e-mail in error, please notify the sender by reply e-mail and > immediately delete it from your system. > > > ------------------------------------------------------------------------------ > > Download new Adobe(R) Flash(R) Builder(TM) 4 > The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly > Flex(R) Builder(TM)) enable the development of rich applications that run > across multiple browsers and platforms. Download your free trials today! > http://p.sf.net/sfu/adobe-dev2dev > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Appliances, Rule Sets and Support: > http://www.modsecurity.org/breach/index.html > > > This e-mail is intended solely for the addressee. If you have received > this e-mail in error, please notify the sender by reply e-mail and > immediately delete it from your system. > > > ------------------------------------------------------------------------------ > Download new Adobe(R) Flash(R) Builder(TM) 4 > The new Adobe(R) Flex(R) 4 and Flash(R) Builder(TM) 4 (formerly > Flex(R) Builder(TM)) enable the development of rich applications that run > across multiple browsers and platforms. Download your free trials today! > http://p.sf.net/sfu/adobe-dev2dev > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Appliances, Rule Sets and Support: > http://www.modsecurity.org/breach/index.html > |