Re: [mod-security-users] PCRE limits exceeded
From: Ryan B. <RBa...@tr...> - 2012-01-16 15:47:12
I think that the issue is with the use of repetition meta-chars in the regex when it receives certain payloads. Rule ID 950901 aims to identify SQL Injection Tautologies, which are things like 1=1, '2' = '2', "1" < "3", etc. The current regex tries to account for the presence or absence of quote chars; however, I believe it is hitting recursion limits based on the payloads.

Can you please send me an audit log example of a request that is triggering this? I will look at improving the regex.

Thanks,
Ryan

From: Sean O'Sullivan <dit...@ho...>
Date: Mon, 16 Jan 2012 09:26:57 -0600
To: "mod...@li..." <mod...@li...>
Subject: Re: [mod-security-users] PCRE limits exceeded

Hi Breno,

Thanks for the explanation. I did the compile with the pcre options, make && make install, but it's still happening. I have a log excerpt below. Once I put the server back inline I got hundreds of the errors, all relating to line 58 in the sqli rules, rule 950901. Is there something I'm missing? Is this error disruptive, i.e. is the session killed when the error happens?

Thanks Breno.

Message: Rule 7f70d2b9db20 [id "950901"][file "/etc/apache2/modsecurity_crs/modsecurity_crs_41_sql_injection_attacks.conf"][line "58"] - Execution error - PCRE limits exceeded (-8): (null).

Sean

________________________________
Date: Mon, 16 Jan 2012 08:38:35 -0600
Subject: Re: [mod-security-users] PCRE limits exceeded
From: bre...@gm...
To: dit...@ho...
CC: mod...@li...

Hi Sean,

In modsec 2.6 we do not enable it by default. Try to compile:

./configure --enable-pcre-match-limit=10000 --enable-pcre-match-limit-recursion=10000

Breno

On Mon, Jan 16, 2012 at 8:21 AM, Sean O'Sullivan <dit...@ho...> wrote:

Hi all,

Sorry to bring this topic up again, it's all over Google, but I upgraded modsec from 2.6 to 2.6.3 this morning and have been getting a lot of PCRE limits exceeded errors with modsecurity_crs_41_sql_injection_attacks.conf line 58. These were not happening before the upgrade. I am using the 2.2.3 ruleset. I created a new file which contains the SecPcreMatchLimit and SecPcreMatchLimitRecursion settings and no matter how large I create the limits I still see the errors. I have increased them from 5000 to 1500000 (just for testing) and still see the errors. Am I missing something else?

Thanks in advance all.

Sean
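Ryan's diagnosis is that a regex built from repetition meta-chars backtracks excessively on certain payloads. The (-8) in Sean's log line is PCRE's PCRE_ERROR_MATCHLIMIT, the code pcre_exec() returns when the number of internal match() calls exceeds the configured match limit (SecPcreMatchLimit in ModSecurity), which is why raising the limit only moves the threshold when a pattern's cost grows exponentially with input length. The script below is an added illustration, not code from this thread, from ModSecurity, PCRE or the Core Rule Set, and its two patterns are constructed stand-ins for a tautology check, not the actual rule 950901 regex (which does not appear in the thread). It implements a tiny backtracking matcher with a PCRE-style step budget and runs an ambiguous nested-quantifier pattern and an unambiguous rewrite against a tautology payload and a constructed worst-case input that contains no comparison operator.

```python
"""Toy backtracking matcher with a PCRE-style match limit (added illustration,
not ModSecurity/PCRE/CRS code). Syntax: literals, \\d \\s \\w, [...] classes,
(...) groups, | alternation, quantifiers * + ?. The patterns are constructed
stand-ins for a tautology check, not the real rule 950901 regex."""

CLASSES = {"d": set("0123456789"), "s": set(" \t\r\n"),
           "w": set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_")}


class MatchLimitExceeded(Exception):
    """Analogue of PCRE_ERROR_MATCHLIMIT (-8): the step budget ran out."""


def parse(pattern):
    """Return alternatives: a list of sequences of (atom, quantifier) pairs,
    where atom is ("set", chars) or ("group", alternatives)."""
    pos = 0

    def parse_alts():
        nonlocal pos
        alts = [[]]
        while pos < len(pattern) and pattern[pos] != ")":
            c = pattern[pos]
            if c == "|":
                alts.append([])
                pos += 1
                continue
            if c == "(":
                pos += 1
                atom = ("group", parse_alts())
                if pos >= len(pattern) or pattern[pos] != ")":
                    raise ValueError("unbalanced parenthesis")
                pos += 1
            elif c == "[":  # simple class: listed characters only, no ranges
                end = pattern.index("]", pos)
                atom, pos = ("set", set(pattern[pos + 1:end])), end + 1
            elif c == "\\":
                esc = pattern[pos + 1]
                atom, pos = ("set", CLASSES.get(esc, {esc})), pos + 2
            else:
                atom, pos = ("set", {c}), pos + 1
            quant = ""
            if pos < len(pattern) and pattern[pos] in "*+?":
                quant, pos = pattern[pos], pos + 1
            alts[-1].append((atom, quant))
        return alts

    alts = parse_alts()
    if pos != len(pattern):
        raise ValueError("unbalanced parenthesis")
    return alts


def search(pattern, subject, match_limit=10000):
    """Unanchored search like pcre_exec(): returns (matched, steps) or raises
    MatchLimitExceeded once more than match_limit atom attempts were made
    (PCRE budgets its internal match() calls the same way)."""
    alts, steps = parse(pattern), 0

    def match_atom(atom, i, k):
        nonlocal steps
        steps += 1
        if steps > match_limit:
            raise MatchLimitExceeded(steps)
        kind, val = atom
        if kind == "group":
            return any(match_seq(seq, 0, i, k) for seq in val)
        return i < len(subject) and subject[i] in val and k(i + 1)

    def match_seq(seq, idx, i, k):
        if idx == len(seq):
            return k(i)
        atom, quant = seq[idx]
        rest = lambda j: match_seq(seq, idx + 1, j, k)

        def star(j):  # greedy: try one more repetition, then fall back to rest
            return match_atom(atom, j, lambda n: n > j and star(n)) or rest(j)

        if quant == "":
            return match_atom(atom, i, rest)
        if quant == "?":
            return match_atom(atom, i, rest) or rest(i)
        if quant == "*":
            return star(i)
        return match_atom(atom, i, star)  # "+": one mandatory repetition first

    for start in range(len(subject) + 1):
        if any(match_seq(seq, 0, start, lambda j: True) for seq in alts):
            return True, steps
    return False, steps


# Constructed patterns (hypothetical, not the CRS regex). AMBIGUOUS nests a
# quantified \w+ inside a quantified group, so a run of word characters can be
# split in exponentially many ways before the trailing operator is found absent.
AMBIGUOUS = r"""(['"]?\w+['"]?\s*)+(=|<|>)"""
# UNAMBIGUOUS consumes each operand exactly once; backtracking stays polynomial.
UNAMBIGUOUS = r"""['"]?\w+['"]?\s*(=|<|>)\s*['"]?\w+['"]?"""


def compare(subject, match_limit=10000):
    """Run both patterns; map name -> ("match"|"nomatch"|"MATCHLIMIT", steps)."""
    result = {}
    for name, pat in (("ambiguous", AMBIGUOUS), ("unambiguous", UNAMBIGUOUS)):
        try:
            ok, steps = search(pat, subject, match_limit)
            result[name] = ("match" if ok else "nomatch", steps)
        except MatchLimitExceeded as exc:
            result[name] = ("MATCHLIMIT", exc.args[0])
    return result
```

Calling compare("1 = 1") reports a match for both patterns in a handful of steps, while compare("a" * 20 + "!") (a constructed payload with no operator) exhausts the 10000-step budget under the ambiguous pattern and finishes as "nomatch" with a few thousand steps under the unambiguous one. That is the practical reading of Sean's log line: the limit is a safety valve against a rule whose worst case is exponential, and the durable fix is the regex rewrite Ryan proposes rather than a larger SecPcreMatchLimit.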