Thread: [mod-security-users] PCRE limits exceeded
From: <AF...@ex...> - 2010-03-25 14:53:51
Hi All -

I'm running mod_security 2.5.12 with the CRS 2.0.6 in my test environment (my production environment still has 1.x CRS). I'm having issues with a home grown application built upon Apache MyFaces 1.x that produces a ridiculous amount of post parameters and the size of these parameters is massive. These applications often generate "PCRE limits exceeded" in my audit logs. Can this be due to the size and number of parameters?

I've upped SecPcreMatchLimit and SecPcreMatchLimitRecursion, but it still occurs (currently at 5000). What was the old limit prior to 2.5.12?

Thanks,
Al
From: Art A. S. <art...@gm...> - 2011-08-02 16:57:51
I'm running into this on a fresh install of mod_security 2.5.12 with crs_2.2.1 on CentOS 6. For every page request, I get **two** occurrences in the error logs of this message:

ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null)

I have been able to eliminate the error by setting:

SecPcreMatchLimit 8000

However, this seems like an awfully high setting, given the default of 1500. Is this expected behavior, or should I be concerned?

And when the error occurs, does this indicate that mod-security has halted rule processing for the request (i.e. dropped protection)?

Thanks.
From: Ryan B. <RBa...@tr...> - 2011-08-02 18:18:58
On 8/2/11 12:57 PM, "Art Age Software" <art...@gm...> wrote:

> I'm running into this on a fresh install of mod_security 2.5.12 with
> crs_2.2.1 on CentOS 6. For every page request, I get **two**
> occurrences in the error logs of this message: ModSecurity: Rule
> execution error - PCRE limits exceeded (-8): (null)

You need to see exactly which rules are triggering those. I am suspecting they are the new SQLi rules. Check the file/line number.

> I have been able to eliminate the error by setting: SecPcreMatchLimit 8000
>
> However, this seems like an awfully high setting, given the default of
> 1500. Is this expected behavior, or should I be concerned?

The concern is mainly related to performance/latency.

> And when the error occurs, does this indicate that mod-security has
> halted rule processing for the request (i.e. dropped protection)?

The error means that that particular rule has exited due to PCRE recursion limits.

-Ryan

> Thanks.
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
From: Art A. S. <art...@gm...> - 2011-08-02 19:06:25
No line # given:

--15a62c03-H--
Message: Rule execution error - PCRE limits exceeded (-8): (null).
Message: Rule execution error - PCRE limits exceeded (-8): (null).
Stopwatch: 1312311609099232 70395 (774 50679 69695)
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/); core ruleset/2.2.1.
Server: Apache

--15a62c03-Z--

Also, I don't need to increase the recursion limit - only the match limit - to eliminate the warning.
From: Sean O'S. <dit...@ho...> - 2012-01-16 14:21:29
Hi all,

Sorry to bring this topic up again, it's all over Google, but I upgraded modsec from 2.6 to 2.6.3 this morning and have been getting a lot of PCRE limits exceeded errors with modsecurity_crs_41_sql_injection_attacks.conf line 58. These were not happening before the upgrade. I am using the 2.2.3 ruleset. I created a new file which contains the SecPcreMatchLimit and SecPcreMatchLimitRecursion settings and no matter how large I make the limits I still see the errors. I have increased them from 5000 to 1500000 (just for testing) and still see the errors. Am I missing something else?

Thanks in advance all.

Sean
From: Breno S. <bre...@gm...> - 2012-01-16 14:38:47
Hi Sean,

In modsec 2.6 we do not enable it by default.

Try to compile:

./configure --enable-pcre-match-limit=10000 --enable-pcre-match-limit-recursion=10000

Breno
From: Sean O'S. <dit...@ho...> - 2012-01-16 15:27:08
Hi Breno

Thanks for the explanation. I did the compile with the pcre options, make && make install, but it's still happening. I have a log excerpt below. Once I put the server back inline I got hundreds of the errors, all relating to line 58 in the sqli rules, rule 950901. Is there something I'm missing? Is this error disruptive, i.e. is the session killed when the error happens? Thanks Breno.

Message: Rule 7f70d2b9db20 [id "950901"][file "/etc/apache2/modsecurity_crs/modsecurity_crs_41_sql_injection_attacks.conf"][line "58"] - Execution error - PCRE limits exceeded (-8): (null).

Sean
From: Breno S. <bre...@gm...> - 2012-01-16 15:46:33
Are you still setting SecPcreMatchLimit? What is the value?

Thanks
Breno
From: Ryan B. <RBa...@tr...> - 2012-01-16 15:47:12
I think that the issue is with the use of repetition meta-chars in the regex when it receives certain payloads. Rule ID – 950901 – aims to identify SQL Injection Tautologies which are things like – 1=1, '2' = '2', "1" < "3", etc… The current regex tries to account for the presence or absence of quote chars, however I believe it is hitting recursion limits based on the payloads.

Can you please send me an audit log example of a request that is triggering this? I will look at improving the regex.

Thanks,
Ryan
From: Mahmood N. <nt_...@ya...> - 2020-06-19 06:16:39
Hi

I see some entries like

[Thu Jun 18 11:22:36.512669 2020] [:error] [pid 129057] [client XXXXXXX:20101] [client XXXXXX] ModSecurity: Rule 7f26def146a0 [id "-"][file "/etc/modsecurity/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "433"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "DOMAIN.COM"] [uri "/mod/assign/view.php"] [unique_id "XusPM87nvNAwDeCAa568uQAAABo"], referer: https:// DOMAIN.COM/mod/assign/view.php?id=37801

I have checked the documents and some stated to set

SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000

in /etc/modsecurity/modsecurity.conf but I am not sure about that. I don't know if a high or low value is recommended.

Regards,
Mahmood
From: Christian F. <chr...@ne...> - 2020-06-19 07:10:29
Mahmood,

This is a standard problem when using ModSec due to the PCRE library used.

500K is near the highest sane value in production. Go higher and you make a DoS attack more and more likely.

If 500K does not solve it, then I would suggest to disable this rule for this URI. It is possible that other response-rules show the same symptoms. In that situation, disabling ResponseBody access for the given URI could be a valid alternative.

One word of warning: I recommend to disable rules. This may lead to insecurity in this situation. One would need to assess the situation if it is worth it.

Best,

Christian
From: Jamie B. <ja...@ib...> - 2020-06-19 09:54:11
I'm hitting this too and have been gradually increasing from the default. Is this somewhat dependent on CPU speed?

Sent from my iPhone
From: Mahmood N. <nt_...@ya...> - 2020-06-19 10:34:00
Thanks for the replies. Let me ask my question in another way.

What happens if I set those parameters to 10 or 1000000000? Which one is more aggressive or conservative? Which one puts pressure on the CPU for false positives?

Regards,
Mahmood
From: Ervin H. <ai...@gm...> - 2020-06-19 12:49:02
Hi all,

> On Friday, June 19, 2020, 2:28:02 PM GMT+4:30, Jamie Burchell <ja...@ib...> wrote:
>
> I'm hitting this too and have been gradually increasing from the default. Is this somewhat dependent on CPU speed?

No, in merit it doesn't depend on CPU speed (the correct answer is that it isn't related).

On Fri, Jun 19, 2020 at 10:33:46AM +0000, Mahmood Naderan via mod-security-users wrote:
> Thanks for the replies. Let me ask my question in another way.
> What happens if I set those parameters to 10 or 1000000000?
> Which one is more aggressive or conservative? Which one put pressure on CPU for false positives?

I'm afraid there isn't any good answer for this question. Here is the relevant part of the code of the mod_security2 module; let's see how it handles these limits:

https://github.com/SpiderLabs/ModSecurity/blob/12cefbd70f2aab802e1bff53c50786f3b8b89359/apache2/re_operators.c#L1088-L1111

As you can see, if one of these values is reached, the operator returns "No match". So, if you keep it at a lower value, the rule can be bypassed (limit reached early, rule returns as not matched). If you increase the values, your CPU may be working unnecessarily - it depends on how long the input is. If it's short, the recursion will also be short. If the input is long, the recursion could be very long (I think it grows exponentially with the input), but as you see, when the limit is reached, that will mean the rule did not match (which is rather a false negative than an FP).

I think this message in your log is a "warning", and it means you have to review that regex. As Christian wrote, the best thing you can do is disable that rule.

Hope this helped.

a.
From: Christian F. <chr...@ne...> - 2020-06-19 13:48:14
Mahmood,

I've never done more than 1M on a production server. But it's not like the server breaks if you go beyond that value. It's just becoming more risky in terms of Denial of Service.

So yes, you can do that, but I would avoid going beyond 1M.

Cheers,

Christian
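A triage helper written for this thread (not code from the ModSecurity project or from any poster): it pulls the rule id, file, line and URI out of "PCRE limits exceeded" lines in either the error_log format or the audit-log "Message:" format, tallies them so the offending regex can be reviewed (Ryan's "check the file/line number"), and renders the narrowest ModSecurity 2.x exclusion in the spirit of Christian's advice, ctl:ruleRemoveById scoped to the URI or ctl:responseBodyAccess=Off for an unnamed response-phase rule. The sample log lines, hostnames, client addresses and the exclusion rule id 10001 are constructed placeholders; per Ervin's reading of re_operators.c each such line is a rule that failed open, so they are worth tracking rather than silencing.

```python
import re
from collections import Counter

# Constructed sample, modelled on the two formats quoted in this thread: the
# Apache error_log line (ModSecurity 2.9 / CRS 3 era) and the audit-log
# "Message:" line (ModSecurity 2.5/2.6 era). Hostnames, client addresses and
# unique_ids are made up; the last line is an ordinary warning that must be ignored.
SAMPLE_LOG = """\
[Thu Jun 18 11:22:36.512669 2020] [:error] [pid 129057] [client 192.0.2.10:20101] ModSecurity: Rule 7f26def146a0 [id "-"][file "/etc/modsecurity/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "433"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "example.test"] [uri "/mod/assign/view.php"] [unique_id "CONSTRUCTED-1"]
[Thu Jun 18 11:23:01.000000 2020] [:error] [pid 129058] [client 192.0.2.11:20102] ModSecurity: Rule 7f26def146a0 [id "-"][file "/etc/modsecurity/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "433"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "example.test"] [uri "/mod/assign/view.php"] [unique_id "CONSTRUCTED-2"]
Message: Rule 7f70d2b9db20 [id "950901"][file "/etc/apache2/modsecurity_crs/modsecurity_crs_41_sql_injection_attacks.conf"][line "58"] - Execution error - PCRE limits exceeded (-8): (null).
[Thu Jun 18 11:24:00.000000 2020] [:error] [pid 129059] [client 192.0.2.12:20103] ModSecurity: Warning. Pattern match "select" at ARGS:q. [id "942100"] [uri "/index.php"] [unique_id "CONSTRUCTED-3"]
"""

# Matches both formats; the [uri "..."] tag only exists in the error_log format.
PCRE_LIMIT_RE = re.compile(
    r'Rule [0-9a-f]+ '
    r'\[id "(?P<id>[^"]*)"\]\[file "(?P<file>[^"]*)"\]\[line "(?P<line>\d+)"\]'
    r' - Execution error - PCRE limits exceeded \(-8\)'
    r'(?:.*?\[uri "(?P<uri>[^"]*)"\])?'
)


def parse_pcre_limit_events(text):
    """Return one dict per 'PCRE limits exceeded' line: id, file, line, uri."""
    events = []
    for raw in text.splitlines():
        m = PCRE_LIMIT_RE.search(raw)
        if m is None:
            continue  # not a PCRE-limit error: ordinary warnings are skipped
        events.append({
            "id": m.group("id"),       # "-" when the rule has no id (e.g. a chain link)
            "file": m.group("file"),
            "line": int(m.group("line")),
            "uri": m.group("uri"),     # None for audit-log H-section lines
        })
    return events


def tally_by_rule(events):
    """Count events per (file, line, id): these are the regexes to review."""
    return Counter((e["file"], e["line"], e["id"]) for e in events)


def tally_by_uri(events):
    """Count events per URI, for scoping an exclusion as narrowly as possible."""
    return Counter(e["uri"] for e in events if e["uri"])


def exclusion_snippet(rule_id, rule_file, uri, excl_id=10001):
    """Render a ModSecurity 2.x exclusion for one offender, narrowest form first.

    excl_id is a placeholder id for the exclusion rule itself: pick one that does
    not collide with the CRS and place the rule before the CRS include.
    """
    if rule_id != "-" and uri:
        ctl = "ctl:ruleRemoveById=%s" % rule_id   # this rule, this URI only
    elif rule_id == "-" and "RESPONSE-" in rule_file.rsplit("/", 1)[-1] and uri:
        ctl = "ctl:responseBodyAccess=Off"        # unnamed response rule: skip body inspection here
    elif rule_id != "-":
        return "SecRuleRemoveById %s" % rule_id   # URI unknown: global removal, after the CRS include
    else:
        return None                               # unnamed request-phase rule: needs manual review
    return ('SecRule REQUEST_URI "@beginsWith %s" \\\n'
            '    "id:%d,phase:1,pass,nolog,%s"' % (uri, excl_id, ctl))


if __name__ == "__main__":
    evts = parse_pcre_limit_events(SAMPLE_LOG)
    for (f, ln, rid), n in tally_by_rule(evts).most_common():
        print("%4d  id=%s  %s:%d" % (n, rid, f, ln))
    print(exclusion_snippet("-", evts[0]["file"], evts[0]["uri"]))
```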
From: yersinia <yer...@gm...> - 2010-03-25 15:22:25
On Thu, Mar 25, 2010 at 3:53 PM, <AF...@ex...> wrote:

> I've upped SecPcreMatchLimit and SecPcreMatchLimitRecursion, but it still
> occurs (Currently at 5000). What was the old limit prior to 2.5.12?

The default in 2.5.12 can be changed at configure time: --enable-pcre-match-limit=value and --enable-pcre-match-limit-recursion=value. The --disable-pcre-match-limit-recursion and --disable-pcre-match-limit configure options revert back to the default of the PCRE library. For PCRE the defaults (from the README) are:

"PCRE has a counter that can be set to limit the amount of resources it uses. If the limit is exceeded during a match, the match fails. The default is ten million. You can change the default by setting, for example, --with-match-limit=500000 on the "configure" command. This is just the default; individual calls to pcre_exec() can supply their own value. There is more discussion on the pcreapi man page.

There is a separate counter that limits the depth of recursive function calls during a matching process. This also has a default of ten million, which is essentially "unlimited". You can change the default by setting, for example, --with-match-limit-recursion=500000. Recursive function calls use up the runtime stack; running out of stack can cause programs to crash in strange ways. There is a discussion about stack sizes in the pcrestack man page."

So, besides the old limit, IMHO it could be useful to put x10 your values in mod_security, as PCRE has much larger values by default.

hth
From: Ryan B. <rya...@br...> - 2010-03-25 18:43:29
|
On Thursday 25 March 2010 10:53:42 AF...@ex... wrote:
> Hi All -
>
> I'm running mod_security 2.5.12 with the CRS 2.0.6 in my test environment (my production environment still has 1.x CRS). I'm having issues with a home grown application built upon Apache MyFaces 1.x that produces a ridiculous amount of post parameters and the size of these parameters is massive. These applications often generate "PCRE limits exceeded" in my audit logs. Can this be due to the size and number of parameters?

The payloads themselves do factor in, however this is really due to the translated php-ids filters. There are some differences in pre-processing that phpids does to normalize payloads before actually applying the filters/regexs. One of the normalizations is to actually look for potential RegEx DoS payloads and then to strip out data (such as repetitions of characters, etc...). This is critical to do *before* the remainder of the filters are used, as the regular expressions are written assuming that these payloads have been normalized. Since ModSecurity can accurately mimic this with our standard transformation functions, there are many rules from the phpids filters conf file that will trigger the new ModSecurity pcre limit error message when they inspect certain payloads.

We are thinking about a few options for correcting this. If upping the limits in the config doesn't work, then you could review the debug log to see which specific phpids filters are causing the error and then choose to disable it or skip it under certain circumstances.

-Ryan
|
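The two PCRE counters yersinia quotes above, and the repetition-stripping normalisation Ryan describes, are easier to see on a toy engine than on a 2.0.6 rule file. What follows is an added example, not code from this thread, from PCRE or from ModSecurity: a small backtracking matcher whose step budget plays the role PCRE's match limit plays behind SecPcreMatchLimit, run against a hand-built tree for the pattern (a+)+b and constructed payloads. The names run_match, collapse_repeats and check_payload are mine, and collapse_repeats only illustrates the idea of capping character runs; it is not PHPIDS's or ModSecurity's actual transformation.

```python
"""Toy backtracking matcher with a step budget, an analogue of PCRE's
match limit (the counter SecPcreMatchLimit feeds in ModSecurity 2.5.12).
Added illustration, not PCRE's or ModSecurity's code. The pattern tree
for (a+)+b is hand-built; the payload strings are constructed."""
from typing import Callable, Tuple


class MatchLimitExceeded(Exception):
    """Raised when the step budget runs out, like PCRE's 'limits exceeded'."""


# AST nodes: ('char', c) | ('seq', [nodes]) | ('plus', node)  -- greedy '+'
NESTED_PLUS = ("seq", [("plus", ("plus", ("char", "a"))), ("char", "b")])  # (a+)+b


def run_match(node, text: str, limit: int) -> Tuple[bool, int]:
    """Anchored match of `text` against `node`.

    Returns (matched, steps). Every node visit costs one step; going past
    `limit` raises MatchLimitExceeded, which is how a bounded engine turns
    catastrophic backtracking into a fast failure instead of a CPU burn.
    """
    steps = [0]

    def m(n, i: int, k: Callable[[int], bool]) -> bool:
        steps[0] += 1
        if steps[0] > limit:
            raise MatchLimitExceeded(steps[0])
        kind = n[0]
        if kind == "char":
            return i < len(text) and text[i] == n[1] and k(i + 1)
        if kind == "seq":
            def run(idx: int, pos: int) -> bool:
                if idx == len(n[1]):
                    return k(pos)
                return m(n[1][idx], pos, lambda p: run(idx + 1, p))
            return run(0, i)
        if kind == "plus":
            def rep(pos: int) -> bool:
                # greedy: try one more repetition first, then give the
                # continuation a chance at the current position
                return m(n[1], pos, lambda p: p > pos and rep(p)) or k(pos)
            return m(n[1], i, rep)
        raise ValueError(f"unknown node kind {kind!r}")

    matched = m(node, 0, lambda _p: True)
    return bool(matched), steps[0]


def collapse_repeats(text: str, max_run: int = 3) -> str:
    """Cap runs of one character at `max_run`: an illustration of the
    repetition-stripping normalisation Ryan describes, not the real one."""
    out = []
    for ch in text:
        if len(out) >= max_run and all(c == ch for c in out[-max_run:]):
            continue
        out.append(ch)
    return "".join(out)


def check_payload(text: str, limit: int = 5000, node=NESTED_PLUS) -> str:
    """Classify a payload as 'match', 'no match' or 'limit exceeded'."""
    try:
        matched, _steps = run_match(node, text, limit)
    except MatchLimitExceeded:
        return "limit exceeded"
    return "match" if matched else "no match"


if __name__ == "__main__":
    # constructed payload: no 'b' at the end, so every split of the a's is tried
    evil = "a" * 20 + "c"
    print(check_payload("aab"))                    # match
    print(check_payload(evil))                     # limit exceeded
    print(check_payload(collapse_repeats(evil)))   # no match, and cheap
```

Raising the budget (the thread's answer of bumping SecPcreMatchLimit) makes the second case match or fail honestly at the cost of CPU; normalising the payload first makes the same rule cheap, which is why Ryan points at the missing pre-processing rather than at the limit.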
From: Ruiyuan J. <Rui...@li...> - 2010-03-25 19:25:46
|
Hi, all

I have two Apache reverse proxy servers that have the same hardware: SunFire V210, 2 GB RAM, 2 SPARC CPUs and Solaris 10 with the same patch bundle installed.

One of them has Apache 2.2.14 (pre-compiled by an internet user) and mod_security 2.5.11 (disabled) installed. The other is Apache 2.2.15 (compiled by me for now) and mod_security 2.5.12 with CRS 2.0.6.

The server with Apache 2.2.14 runs fine, no problem. The server with Apache 2.2.15 and mod security 2.5.12 runs out of swap space frequently. The Apache error log shows it can't fork a new process.

Since one has no problem and one has a problem, I would think mod security caused the problem. Does mod security use a lot of resources? Yesterday morning I rebooted the server because the swap space was low and my ssh session to the server was very slow. After I rebooted the server, I watched swap space during the day and it showed over 2 GB swap space available. I stopped and started Apache during the evening and two hours later I could not ssh to the server and could not get in to the console. The box is kind of hung.

Also I have another question. The backend server of the reverse proxy servers is another server that has apache with tomcat installed. The reverse proxy servers and the server communicate through http. From the apache log on the reverse proxy server that has mod security, I see a lot of messages:

ModSecurity: Warning: Operator LT matched 20 at TX:inbound_anormaly_score, [file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): HTTP header is restricted by policy"] [hostname "www.xxx.com"] [url "/xxx/xxx/xxx.png"] [unique_id "xxxx"]

I changed the notification score from 10 to 5, otherwise the site was blocked from access. This happens to every web site that is proxied through and every page of a web site. Is this normal, or how should I configure mod security better? Thanks in advance.
Ryan
|
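Ryan's advice earlier in the thread (find the file and line of the rule that hits the PCRE limit) and the correlation warnings Ruiyuan pastes above both come down to reading the bracketed [file "..."] [line "..."] [msg "..."] fields ModSecurity writes to the error log. The following is an added example, not from the thread or from ModSecurity: a Python parser over constructed log lines (placeholder hosts, rule ids and paths; only the modsecurity_crs_60_correlation.conf line-31 message mirrors the thread) that counts PCRE-limit errors per rule and lists the inbound anomaly scores. The function names parse_line, summarize and pcre_offenders are mine.

```python
"""Parse ModSecurity 2.5-style error-log lines and report (a) which rule
(file/line/id) is hitting the PCRE limit and (b) the inbound anomaly
scores the correlation rules log. Added example, not part of the thread
or of ModSecurity; the log lines below are constructed in the bracketed
key/value shape ModSecurity writes, with placeholder hosts, ids and paths."""
import re
from collections import Counter
from typing import Dict, List, Optional

FIELD_RE = re.compile(r'\[([A-Za-z_]+) "([^"]*)"\]')
SCORE_RE = re.compile(r"Total Inbound Score: (\d+)")

# Constructed sample (not real traffic): two hits on one phpids-style rule,
# one on another, two anomaly-score warnings, one unrelated Apache line.
SAMPLE_LOG = """\
[Thu Mar 25 10:12:01 2010] [error] [client 192.0.2.10] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [file "/etc/modsecurity/optional_rules/EXAMPLE_phpids_filters.conf"] [line "112"] [id "900112"] [hostname "www.example.test"] [uri "/app/form.jsf"] [unique_id "CONSTRUCTED-01"]
[Thu Mar 25 10:12:01 2010] [error] [client 192.0.2.10] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [file "/etc/modsecurity/optional_rules/EXAMPLE_phpids_filters.conf"] [line "118"] [id "900118"] [hostname "www.example.test"] [uri "/app/form.jsf"] [unique_id "CONSTRUCTED-01"]
[Thu Mar 25 10:12:03 2010] [error] [client 192.0.2.11] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): HTTP header is restricted by policy"] [hostname "www.example.test"] [uri "/img/logo.png"] [unique_id "CONSTRUCTED-02"]
[Thu Mar 25 10:12:04 2010] [error] [client 192.0.2.12] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [file "/etc/modsecurity/optional_rules/EXAMPLE_phpids_filters.conf"] [line "112"] [id "900112"] [hostname "www.example.test"] [uri "/app/search.jsf"] [unique_id "CONSTRUCTED-03"]
[Thu Mar 25 10:12:05 2010] [error] [client 192.0.2.12] ModSecurity: Warning. Operator LT matched 20 at TX:inbound_anomaly_score. [file "/etc/modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 15, SQLi=5, XSS=): SQL Injection Attack"] [hostname "www.example.test"] [uri "/app/search.jsf"] [unique_id "CONSTRUCTED-03"]
[Thu Mar 25 10:12:06 2010] [notice] Apache/2.2.15 (Unix) configured -- resuming normal operations
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a record for a ModSecurity line, or None for anything else."""
    marker = "ModSecurity: "
    idx = line.find(marker)
    if idx < 0:
        return None
    body = line[idx + len(marker):]
    head = body.split(" [", 1)[0]          # free text before the first [key "value"]
    fields = dict(FIELD_RE.findall(body))
    msg = fields.get("msg", "")
    if "PCRE limits exceeded" in head:
        kind = "pcre_limit"
    elif "Anomaly Score" in msg:
        kind = "anomaly"
    else:
        kind = "other"
    score_match = SCORE_RE.search(msg)
    score = int(score_match.group(1)) if score_match else None
    return {"kind": kind, "head": head, "score": score, **fields}


def summarize(lines: List[str]) -> Dict[str, object]:
    """Aggregate PCRE-limit errors per rule and collect anomaly scores."""
    report = {"pcre_limit": Counter(), "anomaly": [], "other": 0, "skipped": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["skipped"] += 1
            continue
        if rec["kind"] == "pcre_limit":
            key = (rec.get("file", "?"), rec.get("line", "?"), rec.get("id", "?"))
            report["pcre_limit"][key] += 1
        elif rec["kind"] == "anomaly":
            report["anomaly"].append({"score": rec["score"], "uri": rec.get("uri", "?"),
                                      "unique_id": rec.get("unique_id", "?")})
        else:
            report["other"] += 1
    return report


def pcre_offenders(report, top: int = 5):
    """Rules hitting the PCRE limit, most frequent first: (file, line, id), count."""
    return report["pcre_limit"].most_common(top)


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG.splitlines())
    for (path, line_no, rule_id), n in pcre_offenders(rep):
        print(f"{n}x PCRE limit: {path} line {line_no} id {rule_id}")
    for a in rep["anomaly"]:
        print(f"inbound score {a['score']} on {a['uri']} ({a['unique_id']})")
```

The per-rule count is what tells you whether to raise SecPcreMatchLimit, skip one rule for a given URI, or drop a whole optional rule set; the score list shows whether a threshold of 5 is firing on every image request (as in Ruiyuan's case) or only on requests that also tripped an attack rule.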
From: Ruiyuan J. <Rui...@li...> - 2010-03-25 21:36:10
|
Hi, Brian

Unfortunately I did not collect the web server stats. There are multiple virtual servers defined on the Apache. I can give you general information:

* How much traffic you get (bandwidth, connections/sec, requests/sec, etc.).

DS3 internet link

* What rules you have enabled in the CRS (and what CRS version).

I used all the rules in CRS 2.0.6.

Include modsecurity/*.conf
Include modsecurity/base_rules/*.conf
Include modsecurity/optional_rules/*.conf

* Speed of your CPUs.

2 x 1 GHz UltraSPARC III.

How do I turn off response inspection? When I did a functionality test with little traffic, it worked fine. For the traffic, I only have production web servers and it causes me problems.

On the box without Mod Security, the available virtual space is about 1.8 GB. On the box with Mod Security, the available virtual space is about 2 GB when it worked fine.

Ryan

-----Original Message-----
From: Brian Rectanus [mailto:Bri...@br...]
Sent: Thursday, March 25, 2010 4:54 PM
To: Ruiyuan Jiang
Cc: mod...@li...
Subject: Re: [mod-security-users] The Apache reverse proxy server with mod security hang

Ruiyuan Jiang wrote:
> Hi, all
>
> I have two Apache reverse proxy servers that has the same hardware:
>
> SunFire V210, 2 GB RAM, 2 SPARC CPUs and Solaris 10 with the same patch bundle installed.
>
> One of them has Apache 2.2.14 (pre-compiled by internet user), mod_security 2.5.11 (disabled) installed. The other is Apache 2.2.15 (compiled by me for now) and mod_security 2.5.12 with CRS 2.0.6.
>
> The server with Apache 2.2.14 runs fine no problem.
> The server with Apache 2.2.15 with mod security 2.5.12 runs out of swap space frequently. The Apache error log shows can't fork out new process.
>
> Since one has no problem and one has problem, I would think mod security caused the problem. Does mod security uses a lot of resources? Yesterday morning I rebooted the server because the swap space was low and my ssh session to the server was very slow. After rebooted the server, I watched swap space during the day and it showed over 2 GB swap space available. I stopped and started Apache during the evening and two hours later, I could not ssh to the server and could not get in to console. The box is kind of hang.
>
> Also I have another question, the backend server of the reverse proxy servers is another server that has apache with tomcat installed. The reverse proxy servers and the server communicate through http. From the apache log on the reverse proxy server that has mod security, I see a lot of messages:
>
> ModSecurity: Warning: Operator LT matched 20 at TX:inbound_anormaly_score, [file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): HTTP header is restricted by policy"] [hostname "www.xxx.com"] [url "/xxx/xxx/xxx.png"] [unique_id "xxxx"]
>
> I changed the notification score from 10 to 5, otherwise the site was blocked to access. This happens to every web sites that proxied through and every pages of a web site. Is this normal or how should I configure mod security better? Thanks in advance.

Sounds like you have quite a bit of traffic and not enough RAM. I'd first try turning off response inspection and do not enable any of the optional CRS rules.

You did not mention...

* How much traffic you get (bandwidth, connections/sec, requests/sec, etc.).
* What rules you have enabled in the CRS (and what CRS version).
* Speed of your CPUs.
* Memory usage without ModSecurity and with normal traffic. If you are tight on RAM already, ModSecurity + Full CRS may destroy you, heh.

-B

--
Brian Rectanus
Breach Security
|
From: Brian R. <Bri...@br...> - 2010-03-25 20:54:01
|
Ruiyuan Jiang wrote:
> Hi, all
>
> I have two Apache reverse proxy servers that has the same hardware:
>
> SunFire V210, 2 GB RAM, 2 SPARC CPUs and Solaris 10 with the same patch bundle installed.
>
> One of them has Apache 2.2.14 (pre-compiled by internet user), mod_security 2.5.11 (disabled) installed. The other is Apache 2.2.15 (compiled by me for now) and mod_security 2.5.12 with CRS 2.0.6.
>
> The server with Apache 2.2.14 runs fine no problem.
> The server with Apache 2.2.15 with mod security 2.5.12 runs out of swap space frequently. The Apache error log shows can't fork out new process.
>
> Since one has no problem and one has problem, I would think mod security caused the problem. Does mod security uses a lot of resources? Yesterday morning I rebooted the server because the swap space was low and my ssh session to the server was very slow. After rebooted the server, I watched swap space during the day and it showed over 2 GB swap space available. I stopped and started Apache during the evening and two hours later, I could not ssh to the server and could not get in to console. The box is kind of hang.
>
> Also I have another question, the backend server of the reverse proxy servers is another server that has apache with tomcat installed. The reverse proxy servers and the server communicate through http. From the apache log on the reverse proxy server that has mod security, I see a lot of messages:
>
> ModSecurity: Warning: Operator LT matched 20 at TX:inbound_anormaly_score, [file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): HTTP header is restricted by policy"] [hostname "www.xxx.com"] [url "/xxx/xxx/xxx.png"] [unique_id "xxxx"]
>
> I changed the notification score from 10 to 5, otherwise the site was blocked to access. This happens to every web sites that proxied through and every pages of a web site. Is this normal or how should I configure mod security better? Thanks in advance.

Sounds like you have quite a bit of traffic and not enough RAM. I'd first try turning off response inspection and do not enable any of the optional CRS rules.

You did not mention...

* How much traffic you get (bandwidth, connections/sec, requests/sec, etc.).
* What rules you have enabled in the CRS (and what CRS version).
* Speed of your CPUs.
* Memory usage without ModSecurity and with normal traffic. If you are tight on RAM already, ModSecurity + Full CRS may destroy you, heh.

-B

--
Brian Rectanus
Breach Security
|
From: Chris W. <c.d...@re...> - 2010-03-25 21:23:47
|
On 25/03/2010 20:53, Brian Rectanus wrote:
> Sounds like you have quite a bit of traffic and not enough RAM. I'd first try turning off response inspection and do not enable any of the optional CRS rules.
>
> You did not mention...
>
> * How much traffic you get (bandwidth, connections/sec, requests/sec, etc.).
> * What rules you have enabled in the CRS (and what CRS version).
> * Speed of your CPUs.
> * Memory usage without ModSecurity and with normal traffic. If you are tight on RAM already, ModSecurity + Full CRS may destroy you, heh.
>
> -B

Also what Apache MPM module are you using? We used to run out of memory on our similar setup (V210s Sparc etc.) until we switched to using worker instead of prefork. Now we usually have 1GB RAM free on each server. The only downside is having to compile PHP with enable-maintainer-zts ("I really know what I'm doing" option to enable thread-safety), but PHP shouldn't really be running on a reverse-proxy anyway!

Best Wishes,
Chris

--
Christopher Wakelin, c.d...@re...
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 2AF, UK, Fax: +44 (0)118 975 3094
|
From: Brian R. <Bri...@br...> - 2010-03-25 22:07:58
|
See some suggestions/comments below... Buy a ModSecurity book ;) Ivan's has a better performance tuning section and is much more detailed, and Magnus' is a bit more introductory if all the technical aspects scare you ;)

Ruiyuan Jiang wrote:
> Hi, Brian
>
> Unfortunately I did not collect the web server stats. There are multiple virtual servers defined on the Apache. I can give you general information:
>
> * How much traffic you get (bandwidth, connections/sec, requests/sec, etc.).
>
> DS3 internet link

And it is all being utilized for web traffic? ;) How much traffic is going to the web server?

> * What rules you have enabled in the CRS (and what CRS version).
>
> I used all the rules in CRS 2.0.6.
>
> Include modsecurity/*.conf
> Include modsecurity/base_rules/*.conf
> Include modsecurity/optional_rules/*.conf

Don't do that ;) Start slower. Especially on a production site. Make sure response body inspection is off in the config for now. Include the basics first. Something like this (though I would *ALWAYS* list them all out explicitly instead of using the globbing, then comment out the ones I did not want):

# Config
modsecurity/modsecurity_crs_10_config.conf

# Basics
modsecurity/base_rules/modsecurity_crs_2*.conf
modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf
modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
modsecurity/base_rules/modsecurity_crs_41_xss_attacks.conf

# Exceptions
modsecurity/base_rules/modsecurity_crs_47_common_exceptions.conf
modsecurity/base_rules/modsecurity_crs_48_local_exceptions.conf

# Blocking/Correlation
modsecurity/base_rules/modsecurity_crs_49*.conf
modsecurity/base_rules/modsecurity_crs_6*.conf

Do not include the phpids rules (you don't have the resources). Do not include the et (Emerging Threat) rules (again, you do not have the resources).

***IGNORE THE OPTIONAL RULES FOR NOW***

Can I make that any clearer? How about again:

***IGNORE THE OPTIONAL RULES FOR NOW*** ;)

Do not enable things you do not need. If you do not run a backend database, then there is no need to run the SQL injection rules.

> * Speed of your CPUs.
>
> 2 x 1 Ghz UltraSPARC III.

Well, if you really have that much traffic and really want to enable all CRS rules, then you need a bigger machine. Or, better, you need to do some serious tuning.

> How do I turn off response inspection? When I did functionality test with little traffic, it worked fine. For the traffic, I only have production web servers and it causes me problem.

SecResponseBodyAccess Off

> On the box without Mod Security, the available virtual space is about 1.8 GB. On the box with Mod Security, the available virtual space is about 2 GB when it worked fine.

What do you mean by "virtual space"? Real RAM or swap or combined?

Hope that helps. If you have more on CRS specifically, then use the other CRS list.

-B

> Ryan
>
> -----Original Message-----
> From: Brian Rectanus [mailto:Bri...@br...]
> Sent: Thursday, March 25, 2010 4:54 PM
> To: Ruiyuan Jiang
> Cc: mod...@li...
> Subject: Re: [mod-security-users] The Apache reverse proxy server with mod security hang
>
> Ruiyuan Jiang wrote:
>> Hi, all
>>
>> I have two Apache reverse proxy servers that has the same hardware:
>>
>> SunFire V210, 2 GB RAM, 2 SPARC CPUs and Solaris 10 with the same patch bundle installed.
>>
>> One of them has Apache 2.2.14 (pre-compiled by internet user), mod_security 2.5.11 (disabled) installed. The other is Apache 2.2.15 (compiled by me for now) and mod_security 2.5.12 with CRS 2.0.6.
>>
>> The server with Apache 2.2.14 runs fine no problem.
>> The server with Apache 2.2.15 with mod security 2.5.12 runs out of swap space frequently. The Apache error log shows can't fork out new process.
>>
>> Since one has no problem and one has problem, I would think mod security caused the problem. Does mod security uses a lot of resources? Yesterday morning I rebooted the server because the swap space was low and my ssh session to the server was very slow. After rebooted the server, I watched swap space during the day and it showed over 2 GB swap space available. I stopped and started Apache during the evening and two hours later, I could not ssh to the server and could not get in to console. The box is kind of hang.
>>
>> Also I have another question, the backend server of the reverse proxy servers is another server that has apache with tomcat installed. The reverse proxy servers and the server communicate through http. From the apache log on the reverse proxy server that has mod security, I see a lot of messages:
>>
>> ModSecurity: Warning: Operator LT matched 20 at TX:inbound_anormaly_score, [file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): HTTP header is restricted by policy"] [hostname "www.xxx.com"] [url "/xxx/xxx/xxx.png"] [unique_id "xxxx"]
>>
>> I changed the notification score from 10 to 5, otherwise the site was blocked to access. This happens to every web sites that proxied through and every pages of a web site. Is this normal or how should I configure mod security better? Thanks in advance.
>
> Sounds like you have quite a bit of traffic and not enough RAM. I'd first try turning off response inspection and do not enable any of the optional CRS rules.
>
> You did not mention...
>
> * How much traffic you get (bandwidth, connections/sec, requests/sec, etc.).
> * What rules you have enabled in the CRS (and what CRS version).
> * Speed of your CPUs.
> * Memory usage without ModSecurity and with normal traffic. If you are tight on RAM already, ModSecurity + Full CRS may destroy you, heh.
>
> -B

--
Brian Rectanus
Breach Security
|
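Brian's three points above (list Include files explicitly instead of globbing, keep optional_rules such as phpids and et out until there is headroom, and turn SecResponseBodyAccess off while tuning) can be checked mechanically before a config goes live. The following is an added example, not from the thread or from ModSecurity: a Python audit that expands each Include glob against a constructed file tree (Apache-style, where * does not cross a directory separator) and reports the explicit list plus the warnings a reviewer would raise. The config text, the file names and the function names expand_includes, glob_match and audit are mine; real installs have different paths.

```python
"""Audit an Apache/ModSecurity config fragment against the advice in the
thread: explicit Includes, no optional_rules on a starved box, response
body inspection off while tuning. Added example, not part of the thread
or of ModSecurity. The config and the file tree are constructed."""
import fnmatch
import re
from typing import Dict, List

INCLUDE_RE = re.compile(r"^\s*Include\s+(\S+)", re.IGNORECASE)
BODY_RE = re.compile(r"^\s*SecResponseBodyAccess\s+(\w+)", re.IGNORECASE)

# Constructed stand-in for the files present under the server root.
DEMO_TREE = [
    "modsecurity/modsecurity_crs_10_config.conf",
    "modsecurity/base_rules/modsecurity_crs_20_protocol_violations.conf",
    "modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf",
    "modsecurity/base_rules/modsecurity_crs_60_correlation.conf",
    "modsecurity/optional_rules/EXAMPLE_phpids_filters.conf",
    "modsecurity/optional_rules/EXAMPLE_et_rules.conf",
]

# Constructed config in the shape Brian warns against: blanket globs and
# response-body inspection left on.
DEMO_CONF = """\
SecRuleEngine On
SecResponseBodyAccess On
Include modsecurity/*.conf
Include modsecurity/base_rules/*.conf
Include modsecurity/optional_rules/*.conf
"""


def glob_match(path: str, pattern: str) -> bool:
    """Shell-style match where '*' and '?' stay within one path component."""
    p_parts, g_parts = path.split("/"), pattern.split("/")
    return len(p_parts) == len(g_parts) and all(
        fnmatch.fnmatchcase(a, b) for a, b in zip(p_parts, g_parts))


def expand_includes(conf_text: str, files: List[str]) -> Dict[str, List[str]]:
    """Map each Include pattern to the files it would pull in."""
    result: Dict[str, List[str]] = {}
    for line in conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m:
            pattern = m.group(1)
            result[pattern] = sorted(f for f in files if glob_match(f, pattern))
    return result


def audit(conf_text: str, files: List[str]) -> Dict[str, List[str]]:
    """Return the explicit Include lines plus the warnings a reviewer would raise."""
    warnings: List[str] = []
    explicit: List[str] = []
    for pattern, matched in expand_includes(conf_text, files).items():
        if "*" in pattern or "?" in pattern:
            warnings.append(f"glob {pattern!r} hides what is loaded; list files explicitly")
        for f in matched:
            explicit.append(f"Include {f}")
            if "/optional_rules/" in f:
                warnings.append(f"optional rule set loaded: {f}")
    for line in conf_text.splitlines():
        m = BODY_RE.match(line)
        if m and m.group(1).lower() == "on":
            warnings.append("SecResponseBodyAccess On: response inspection costs memory; set Off while tuning")
    return {"explicit": explicit, "warnings": warnings}


if __name__ == "__main__":
    rep = audit(DEMO_CONF, DEMO_TREE)
    print("\n".join(rep["explicit"]))     # paste these in place of the globs
    for w in rep["warnings"]:
        print("WARNING:", w)
```

The explicit list is what you would paste back into the config, commenting out the optional_rules entries; the warnings reproduce the review Brian gives above, so the same mistakes are caught on the next config change rather than on the next production outage.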
From: Ruiyuan J. <Rui...@li...> - 2010-03-25 22:14:45
|
Thanks, Brian

I will use Oracle DB at the backend, MS Exchange server and maybe SQL server (I am not sure, I might have a SQL server at the backend for one app.).

-----Original Message-----
From: Brian Rectanus [mailto:Bri...@br...]
Sent: Thursday, March 25, 2010 6:08 PM
To: Ruiyuan Jiang
Cc: mod...@li...
Subject: Re: [mod-security-users] The Apache reverse proxy server with mod security hang

See some suggestions/comments below... Buy a ModSecurity book ;) Ivan's has a better performance tuning section and is much more detailed and Magnus' is a bit more introductory if all the technical aspects scare you ;)

Ruiyuan Jiang wrote:
> Hi, Brian
>
> Unfortunately I did not collect the web server stats. There are multiple virtual servers defined on the Apache. I can give you general information:
>
> * How much traffic you get (bandwidth, connections/sec, requests/sec, etc.).
>
> DS3 internet link

And it is all being utilized for web traffic? ;) How much traffic is going to the web server?

> * What rules you have enabled in the CRS (and what CRS version).
>
> I used all the rules in CRS 2.0.6.
>
> Include modsecurity/*.conf
> Include modsecurity/base_rules/*.conf
> Include modsecurity/optional_rules/*.conf

Don't do that ;) Start slower. Especially on a production site. Make sure response body inspection is off in the config for now. Include the basics first. Something like this (though I would *ALWAYS* list them all out explicitly instead of using the globbing, then comment the ones out I did not want):

# Config
modsecurity/modsecurity_crs_10_config.conf

# Basics
modsecurity/base_rules/modsecurity_crs_2*.conf
modsecurity/base_rules/modsecurity_crs_40_generic_attacks.conf
modsecurity/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
modsecurity/base_rules/modsecurity_crs_41_xss_attacks.conf

# Exceptions
modsecurity/base_rules/modsecurity_crs_47_common_exceptions.conf
modsecurity/base_rules/modsecurity_crs_48_local_exceptions.conf

# Blocking/Correlation
modsecurity/base_rules/modsecurity_crs_49*.conf
modsecurity/base_rules/modsecurity_crs_6*.conf

Do not include the phpids rules (you don't have the resources). Do not include the et (Emerging Threat) rules (again, you do not have the resources).

***IGNORE THE OPTIONAL RULES FOR NOW***

Can I make that any clearer? How about again:

***IGNORE THE OPTIONAL RULES FOR NOW*** ;)

Do not enable things you do not need. If you do not run a backend database, then no need to run the SQL injection rules.

> * Speed of your CPUs.
>
> 2 x 1 Ghz UltraSPARC III.

Well, if you really have that much traffic and really want to enable all CRS rules, then you need a bigger machine. Or, better, you need to do some serious tuning.

> How do I turn off response inspection? When I did functionality test with little traffic, it worked fine. For the traffic, I only have production web servers and it causes me problem.

SecResponseBodyAccess Off

> On the box without Mod Security, the available virtual space is about 1.8 GB. On the box with Mod Security, the available virtual space is about 2 GB when it worked fine.

What do you mean by "virtual space"? Real RAM or swap or combined?

Hope that helps. If you have more on CRS specifically, then use the other CRS list.

-B

> Ryan
>
> -----Original Message-----
> From: Brian Rectanus [mailto:Bri...@br...]
> Sent: Thursday, March 25, 2010 4:54 PM
> To: Ruiyuan Jiang
> Cc: mod...@li...
> Subject: Re: [mod-security-users] The Apache reverse proxy server with mod security hang
>
> Ruiyuan Jiang wrote:
>> Hi, all
>>
>> I have two Apache reverse proxy servers that has the same hardware:
>>
>> SunFire V210, 2 GB RAM, 2 SPARC CPUs and Solaris 10 with the same patch bundle installed.
>>
>> One of them has Apache 2.2.14 (pre-compiled by internet user), mod_security 2.5.11 (disabled) installed. The other is Apache 2.2.15 (compiled by me for now) and mod_security 2.5.12 with CRS 2.0.6.
>>
>> The server with Apache 2.2.14 runs fine no problem.
>> The server with Apache 2.2.15 with mod security 2.5.12 runs out of swap space frequently. The Apache error log shows can't fork out new process.
>>
>> Since one has no problem and one has problem, I would think mod security caused the problem. Does mod security uses a lot of resources? Yesterday morning I rebooted the server because the swap space was low and my ssh session to the server was very slow. After rebooted the server, I watched swap space during the day and it showed over 2 GB swap space available. I stopped and started Apache during the evening and two hours later, I could not ssh to the server and could not get in to console. The box is kind of hang.
>>
>> Also I have another question, the backend server of the reverse proxy servers is another server that has apache with tomcat installed. The reverse proxy servers and the server communicate through http. From the apache log on the reverse proxy server that has mod security, I see a lot of messages:
>>
>> ModSecurity: Warning: Operator LT matched 20 at TX:inbound_anormaly_score, [file "../modsecurity/base_rules/modsecurity_crs_60_correlation.conf"] [line "31"] [msg "Inbound Anomaly Score (Total Inbound Score: 5, SQLi=, XSS=): HTTP header is restricted by policy"] [hostname "www.xxx.com"] [url "/xxx/xxx/xxx.png"] [unique_id "xxxx"]
>>
>> I changed the notification score from 10 to 5, otherwise the site was blocked to access. This happens to every web sites that proxied through and every pages of a web site. Is this normal or how should I configure mod security better? Thanks in advance.
>
> Sounds like you have quite a bit of traffic and not enough RAM. I'd first try turning off response inspection and do not enable any of the optional CRS rules.
>
> You did not mention...
>
> * How much traffic you get (bandwidth, connections/sec, requests/sec, etc.).
> * What rules you have enabled in the CRS (and what CRS version).
> * Speed of your CPUs.
> * Memory usage without ModSecurity and with normal traffic. If you are tight on RAM already, ModSecurity + Full CRS may destroy you, heh.
>
> -B

--
Brian Rectanus
Breach Security
|