Hi Bruno,
It seems that those limits - while specified using SecPcreMatchLimit and
SecPcreMatchLimitRecursion - were not being verified in 100% of the cases.
I just made a quick patch to enforce the verification of those limits in
100% of the cases; it is currently being checked by our buildbots and is
available at this branch:
https://github.com/SpiderLabs/ModSecurity/tree/bruno_SecPcreMatchLimit
Can you test it?
Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>
From: Bruno de Almeida <br...@sa...>
Reply-To: "mod...@li..."
<mod...@li...>
Date: Thursday, October 30, 2014 11:56 AM
To: "mod...@li..."
<mod...@li...>
Subject: [mod-security-users] Does SecPcreMatchLimit work?
Hi All,
I'm upgrading modsec and the owasp_crs rules on some of our servers and I
ran into a bit of an issue with some of the owasp rules, specifically the
XSS ones that inspect Cookies.
We have some rather large Cookie headers on our setup and I noticed that
after compiling mod_sec with the following options, I was getting a LOT of
'Execution error - PCRE limits exceeded' errors.
--host=x86_64-redhat-linux-gnu \
--build=x86_64-redhat-linux-gnu \
--target=x86_64-redhat-linux \
--with-apxs=%{_apacheroot}/bin/apxs \
--with-apr=%{_apacheroot}/bin/apr-1-config \
--with-apu=%{_apacheroot}/bin/apu-1-config \
--with-pcre=%{include_pcre} \
--with-libxml=%{include_libxml2} \
--enable-pcre-jit \
--enable-pcre-study \
--enable-lua-cache \
I tried to increase SecPcreMatchLimit and SecPcreMatchLimitRecursion to
very high numbers and it didn't make any difference.
I also found that 3985 bytes was the maximum Cookie header size mod_sec
would accept. 1 byte more and it would throw the PCRE limits exceeded
error.
I then re-compiled mod_sec and added these options:
--enable-pcre-match-limit=200000 \
--enable-pcre-match-limit-recursion=200000
And the problem was gone, but I then tried to decrease the limits to very
low numbers and I still wouldn't get the errors, which kind of tells me
that changing these values after compilation doesn't work.
These are the versions I'm running:
[Thu Oct 30 14:47:12 2014] [notice] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[Thu Oct 30 14:47:12 2014] [notice] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
[Thu Oct 30 14:47:12 2014] [notice] ModSecurity: PCRE compiled version="8.36 "; loaded version="8.36 2014-09-26"
[Thu Oct 30 14:47:12 2014] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Thu Oct 30 14:47:12 2014] [notice] ModSecurity: LIBXML compiled version="2.9.1"
Thanks,
--
- Bruno
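As an added illustration, not code from this thread, ModSecurity or PCRE: a toy backtracking matcher whose step and depth counters play the roles of PCRE's match_limit and match_limit_recursion. It shows why "PCRE limits exceeded" appears at a sharp byte threshold on a long header, and encodes the check Bruno applied: the threshold must move when the configured limit changes.

```python
"""Toy backtracking matcher with PCRE-style limits (constructed illustration,
not ModSecurity or PCRE code): literals, '.' and '*', instrumented with the
two counters PCRE exposes as match_limit and match_limit_recursion."""

class PcreLimitExceeded(Exception): pass  # PCRE_ERROR_MATCHLIMIT analogue

class Matcher:
    def __init__(self, match_limit, recursion_limit):
        self.match_limit, self.recursion_limit = match_limit, recursion_limit

    def search(self, pattern, text):
        """Unanchored search: True/False, or PcreLimitExceeded if a budget runs out."""
        self.steps = 0
        return any(self._here(pattern, text[i:], 1) for i in range(len(text) + 1))

    def _here(self, pat, text, depth):
        self.steps += 1                       # one match() call in PCRE terms
        if self.steps > self.match_limit or depth > self.recursion_limit:
            raise PcreLimitExceeded(f"steps={self.steps} depth={depth}")
        if pat == "":
            return True
        if len(pat) > 1 and pat[1] == "*":
            return self._star(pat[0], pat[2:], text, depth + 1)
        if text and pat[0] in (".", text[0]):
            return self._here(pat[1:], text[1:], depth + 1)
        return False

    def _star(self, c, pat, text, depth):
        while True:                           # retry the rest at every possible length
            if self._here(pat, text, depth + 1):
                return True
            if not text or c not in (".", text[0]):
                return False
            text = text[1:]

def hits_limit(pattern, text, match_limit, recursion_limit):
    """True when matching exceeds either budget: the 'PCRE limits exceeded' case."""
    try:
        Matcher(match_limit, recursion_limit).search(pattern, text)
        return False
    except PcreLimitExceeded:
        return True

def max_accepted_length(pattern, match_limit, recursion_limit=1000, filler="a"):
    """Largest input length that still completes: the 'N bytes OK, N+1 bytes
    fails' threshold. If raising match_limit does not move it, the limit is not applied."""
    n = 0
    while not hits_limit(pattern, filler * (n + 1), match_limit, recursion_limit):
        n += 1
    return n
```

For the unanchored pattern `.*x` against a header with no `x`, the step count grows quadratically with length, so a fixed match_limit yields one exact byte threshold; the same measurement against a real build, with the directive raised and lowered, tells you whether the configured limit is in effect.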