Re: [mod-security-users] PCRE limits exceeded
From: Ryan B. <rya...@br...> - 2010-03-25 18:43:29
On Thursday 25 March 2010 10:53:42 AF...@ex... wrote:
> Hi All -
>
> I'm running mod_security 2.5.12 with the CRS 2.0.6 in my test environment
> (my production environment still has 1.x CRS). I'm having issues with a
> home-grown application built upon Apache MyFaces 1.x that produces a
> ridiculous amount of post parameters, and the size of these parameters is
> massive. These applications often generate "PCRE limits exceeded" in my
> audit logs. Can this be due to the size and number of parameters?
>

The payloads themselves do factor in; however, this is really due to the translated php-ids filters. There are some differences in the pre-processing that phpids does to normalize payloads before actually applying the filters/regexes. One of the normalizations is to actually look for potential RegEx DoS payloads and then to strip out data (such as repetitions of characters, etc.). It is critical to do this *before* the remainder of the filters are used, as the regular expressions are written assuming that these payloads have been normalized. Since ModSecurity can accurately mimic this with our standard transformation functions, there are many rules from the phpids filters conf file that will trigger the new ModSecurity pcre limit error message when they inspect certain payloads.

We are thinking about a few options for correcting this. If upping the limits in the config doesn't work, then you could review the debug log to see which specific phpids filters are causing the error and then choose to disable them or skip them under certain circumstances.

-Ryan
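The debug-log triage Ryan suggests (find which phpids filters trip the PCRE limit, then disable or skip just those) can be scripted. The following is an added example written for this page; it is not code from the thread, from the ModSecurity project, or from the CRS. The debug-log excerpt it processes is constructed, only loosely modelled on the ModSecurity 2.x debug-log layout (at level 4 and above each rule is announced with a "Recipe: Invoking rule ... [id "..."]" line before it runs), and the rule IDs 900001-900003 are hypothetical. The only thing the script depends on is that the failing rule's "Invoking rule" line appears before the "PCRE limits exceeded" line it causes; confirm that against your own debug log before trusting the counts.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the ModSecurity project).
# Correlates "PCRE limits exceeded" errors in a ModSecurity 2.x debug log with
# the rule that was being evaluated, so the offending rules can be disabled or
# skipped rather than raising the PCRE limits for every rule.

# Constructed sample debug log. Layout and the 900001-900003 rule IDs are
# assumptions for illustration; real lines differ in detail.
DEBUG_LOG=$(mktemp)
trap 'rm -f "$DEBUG_LOG"' EXIT
cat > "$DEBUG_LOG" <<'EOF'
[25/Mar/2010:10:53:42 --0400] [www.example.com/sid#1][rid#2][/app/faces/form.jsf][4] Recipe: Invoking rule 1a2b3c; [file "/etc/modsecurity/modsecurity_crs_41_phpids_filters.conf"] [line "40"] [id "900001"].
[25/Mar/2010:10:53:42 --0400] [www.example.com/sid#1][rid#2][/app/faces/form.jsf][4] Rule 1a2b3c: SecRule "ARGS" "@rx (?:...)" "phase:2,t:none,t:urlDecodeUni,pass"
[25/Mar/2010:10:53:42 --0400] [www.example.com/sid#1][rid#2][/app/faces/form.jsf][1] Rule execution error - PCRE limits exceeded (-8): (null).
[25/Mar/2010:10:53:42 --0400] [www.example.com/sid#1][rid#2][/app/faces/form.jsf][4] Recipe: Invoking rule 4d5e6f; [file "/etc/modsecurity/modsecurity_crs_41_phpids_filters.conf"] [line "58"] [id "900002"].
[25/Mar/2010:10:53:42 --0400] [www.example.com/sid#1][rid#2][/app/faces/form.jsf][1] Rule execution error - PCRE limits exceeded (-8): (null).
[25/Mar/2010:10:53:42 --0400] [www.example.com/sid#1][rid#2][/app/faces/form.jsf][4] Recipe: Invoking rule 7a8b9c; [file "/etc/modsecurity/modsecurity_crs_41_phpids_filters.conf"] [line "77"] [id "900003"].
[25/Mar/2010:10:53:42 --0400] [www.example.com/sid#1][rid#2][/app/faces/form.jsf][4] Rule 7a8b9c: SecRule "ARGS" "@rx (?:...)" "phase:2,t:none,pass"
[25/Mar/2010:10:53:43 --0400] [www.example.com/sid#1][rid#3][/app/faces/form.jsf][4] Recipe: Invoking rule 1a2b3c; [file "/etc/modsecurity/modsecurity_crs_41_phpids_filters.conf"] [line "40"] [id "900001"].
[25/Mar/2010:10:53:43 --0400] [www.example.com/sid#1][rid#3][/app/faces/form.jsf][1] Rule execution error - PCRE limits exceeded (-8): (null).
EOF

# Print "<rule id> <count>" for every rule that was the most recently invoked
# rule when a "PCRE limits exceeded" line was logged, most frequent first.
pcre_limit_offenders() {
  awk '
    /Recipe: Invoking rule/ {
      # Remember the id of the rule now being evaluated.
      if (match($0, /\[id "[^"]*"\]/)) {
        last_id = substr($0, RSTART + 5, RLENGTH - 7)
      } else {
        last_id = "(no id)"
      }
    }
    /PCRE limits exceeded/ { hits[last_id]++ }
    END { for (id in hits) print id, hits[id] }
  ' "$1" | sort -k2,2nr -k1,1
}

# Emit one SecRuleRemoveById directive per offender. These lines must be
# placed *after* the CRS Include lines in the Apache config, otherwise the
# rules they remove do not exist yet when the directive is processed.
suggest_removals() {
  pcre_limit_offenders "$1" | awk '$1 ~ /^[0-9]+$/ { print "SecRuleRemoveById " $1 }'
}

echo "# rules that exceeded the PCRE limits (id count):"
pcre_limit_offenders "$DEBUG_LOG"
echo
echo "# candidate directives to append after the CRS includes:"
suggest_removals "$DEBUG_LOG"
```

Two practical notes. First, the "upping the limits" route Ryan mentions is the SecPcreMatchLimit and SecPcreMatchLimitRecursion directives that 2.5.12 introduced; raising them globally buys headroom for every rule, including the ones that were behaving, so the per-rule approach above is the more conservative fix once the offenders are known. Second, if the phpids filters only misbehave for one application path (here the MyFaces form), a `ctl:ruleRemoveById=<id>` action in a phase:1 SecRule keyed on REQUEST_URI skips the rule for that path only and leaves it active everywhere else; which IDs to name there is exactly what the script's output tells you.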