Re: [mod-security-users] PCRE limits exceeded

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

On 8/2/11 12:57 PM, "Art Age Software" <art...@gm...> wrote:

>I'm running into this on a fresh install of mod_security 2.5.12 with
>crs_2.2.1 on CentOS 6. For every page request, I get **two**
>occurrences in the error logs of this message: ModSecurity: Rule
>execution error - PCRE limits exceeded (-8): (null)

You need to see exactly which rules are triggering those.  I am suspecting
they are the new SQLi rules.  Check the file/line number.

>
>I have been able to eliminate the error by setting: SecPcreMatchLimit 8000
>
>However, this seems like an awfully high setting, given the default of
>1500. Is this expected behavior, or should I be concerned?

The concern is mainly related to performance/latency.

>
>And when the error occurs, does this indicate that mod-security has
>halted rule processing for the request (i.e. dropped protection)?

The error means that that particular rule has exited due to PCRE recursion
limits.

-Ryan

>
>Thanks.
>
>--------------------------------------------------------------------------
>----
>BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, CA
>The must-attend event for mobile developers. Connect with experts.
>Get tools for creating Super Apps. See the latest technologies.
>Sessions, hands-on labs, demos & much more. Register early & save!
>http://p.sf.net/sfu/rim-blackberry-1
>_______________________________________________
>mod-security-users mailing list
>mod...@li...
>https://lists.sourceforge.net/lists/listinfo/mod-security-users
>ModSecurity Services from Trustwave's SpiderLabs:
>https://www.trustwave.com/spiderLabs.php

This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.