Thanks Felipe, but unless I've done something wrong, I got exactly the same
behaviour.
Compiling with the defaults and increasing the values in the config, I still got the error.
Compiling with --enable-pcre-match-limit=200000 and decreasing the values in the
config, I didn't get the errors.
Bruno
On 30 October 2014 12:36, Felipe Costa <FC...@tr...> wrote:
> Hi Bruno,
>
> It seems that those limits - while specified using SecPcreMatchLimit and
> SecPcreMatchLimitRecursion - were not being verified in 100% of the cases.
>
> Just made a quick patch to enforce verification of those limits in 100% of
> the cases. It is currently being checked by our buildbots and is available
> at this branch:
>
> https://github.com/SpiderLabs/ModSecurity/tree/bruno_SecPcreMatchLimit
>
> Can you test it?
>
> Br.,
> Felipe "Zimmerle" Costa
> Security Researcher, SpiderLabs
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com
>
> From: Bruno de Almeida <br...@sa...>
> Reply-To: "mod...@li..."
> <mod...@li...>
> Date: Thursday, October 30, 2014 11:56 AM
> To: "mod...@li..."
> <mod...@li...>
> Subject: [mod-security-users] Does SecPcreMatchLimit work?
>
>
> Hi All,
>
> I'm upgrading modsec and the owasp_crs rules on some of our servers and I
> ran into a bit of an issue with some of the OWASP rules, specifically the
> XSS ones that inspect Cookies.
>
> We have some rather large Cookie headers on our setup and I noticed that
> after compiling mod_sec with the following options, I was getting a LOT of
> 'Execution error - PCRE limits exceeded' errors.
>
> --host=x86_64-redhat-linux-gnu \
> --build=x86_64-redhat-linux-gnu \
> --target=x86_64-redhat-linux \
> --with-apxs=%{_apacheroot}/bin/apxs \
> --with-apr=%{_apacheroot}/bin/apr-1-config \
> --with-apu=%{_apacheroot}/bin/apu-1-config \
> --with-pcre=%{include_pcre} \
> --with-libxml=%{include_libxml2} \
> --enable-pcre-jit \
> --enable-pcre-study \
> --enable-lua-cache \
>
>
> I tried to increase SecPcreMatchLimit and SecPcreMatchLimitRecursion to
> very high numbers and it didn't make any difference.
>
>
> I also found that 3985 bytes was the maximum Cookie header size mod_sec
> would accept. 1 byte more and it would throw the PCRE limits exceeded
> error.
>
>
> I then re-compiled mod_sec and added these options:
>
> --enable-pcre-match-limit=200000 \
> --enable-pcre-match-limit-recursion=200000
>
>
> And the problem was gone, but I then tried to decrease the limits to very
> low numbers and I still wouldn't get the errors, which kind of tells me
> that changing these values after compilation doesn't work.
>
> These are the versions I'm running:
>
> [Thu Oct 30 14:47:12 2014] [notice] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
> [Thu Oct 30 14:47:12 2014] [notice] ModSecurity: APR compiled version="1.5.1"; loaded version="1.5.1"
> [Thu Oct 30 14:47:12 2014] [notice] ModSecurity: PCRE compiled version="8.36 "; loaded version="8.36 2014-09-26"
> [Thu Oct 30 14:47:12 2014] [notice] ModSecurity: LUA compiled version="Lua 5.1"
> [Thu Oct 30 14:47:12 2014] [notice] ModSecurity: LIBXML compiled version="2.9.1"
>
> Thanks,
>
> --
> - Bruno
--
- Bruno
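When a rule aborts on a PCRE limit, the error_log names the rule id, the rules file and the PCRE return code, so the first step in a case like the one above is to tally which rules are failing and on which limit. The script below is an added example written for this page, not code from the thread or from the ModSecurity project. It parses the message format ModSecurity 2.x writes for this failure ("Rule ... [id "..."][file "..."][line "..."] - Execution error - PCRE limits exceeded (rc)") and maps the return code to the PCRE 8.x constants PCRE_ERROR_MATCHLIMIT (-8) and PCRE_ERROR_RECURSIONLIMIT (-21). The sample log lines are constructed; the rule ids, paths, hosts and unique_ids in them are made up.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of Apache error_log lines in the format ModSecurity 2.x
# uses when a rule's regex hits a PCRE limit.  Rule ids, files, hosts and
# unique_ids are invented for this example; nothing is taken from the thread.
# The last line is an ordinary block, included to show it is ignored.
SAMPLE_ERROR_LOG = """\
[Thu Oct 30 14:48:01 2014] [error] [client 192.0.2.10] ModSecurity: Rule 7f3a2c0b8e40 [id "973336"][file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_xss_attacks.conf"][line "20"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.example.com"] [uri "/"] [unique_id "VFJ2oX8AAQEAAB0-AAAAAA"]
[Thu Oct 30 14:48:01 2014] [error] [client 192.0.2.10] ModSecurity: Rule 7f3a2c0b9c10 [id "973338"][file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_xss_attacks.conf"][line "27"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.example.com"] [uri "/"] [unique_id "VFJ2oX8AAQEAAB0-AAAAAA"]
[Thu Oct 30 14:48:02 2014] [error] [client 192.0.2.11] ModSecurity: Rule 7f3a2c0b8e40 [id "973336"][file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_xss_attacks.conf"][line "20"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.example.com"] [uri "/login"] [unique_id "VFJ2onAAAQEAAB1AAAAAAB"]
[Thu Oct 30 14:48:03 2014] [error] [client 192.0.2.12] ModSecurity: Rule 7f3a2c0c1a00 [id "981231"][file "/etc/httpd/modsecurity.d/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "55"] - Execution error - PCRE limits exceeded (-21): (null). [hostname "www.example.com"] [uri "/search"] [unique_id "VFJ2o38AAQEAAB1BAAAAAC"]
[Thu Oct 30 14:48:04 2014] [error] [client 192.0.2.13] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:q. [id "950001"] [hostname "www.example.com"] [uri "/search"] [unique_id "VFJ2pH8AAQEAAB1CAAAAAD"]
"""

# Negative return codes of PCRE 8.x as they appear in the "(rc)" part of the
# message.  -8 is the match limit (SecPcreMatchLimit / --enable-pcre-match-limit),
# -21 the recursion limit (SecPcreMatchLimitRecursion /
# --enable-pcre-match-limit-recursion).
PCRE_ERROR_NAMES: Dict[int, str] = {
    -8: "PCRE_ERROR_MATCHLIMIT",
    -21: "PCRE_ERROR_RECURSIONLIMIT",
}

LIMIT_LINE = re.compile(
    r'ModSecurity: Rule \S+ '
    r'\[id "(?P<id>\d+)"\]\[file "(?P<file>[^"]+)"\]\[line "(?P<line>\d+)"\]'
    r' - Execution error - PCRE limits exceeded \((?P<rc>-?\d+)\)'
    r'.*?\[uri "(?P<uri>[^"]*)"\]'
)


def parse_limit_errors(log_text: str) -> List[Dict[str, object]]:
    """Return one record per 'PCRE limits exceeded' line; other lines are skipped."""
    hits: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        m = LIMIT_LINE.search(raw)
        if not m:
            continue  # blocks, warnings and unrelated errors are not limit failures
        rc = int(m.group("rc"))
        hits.append({
            "id": m.group("id"),
            "file": m.group("file"),
            "line": int(m.group("line")),
            "rc": rc,
            "rc_name": PCRE_ERROR_NAMES.get(rc, "unknown PCRE error"),
            "uri": m.group("uri"),
        })
    return hits


def summarize_by_rule(hits: List[Dict[str, object]]) -> Dict[Tuple[str, str], int]:
    """Count aborted evaluations per (rule id, limit type)."""
    return dict(Counter((str(h["id"]), str(h["rc_name"])) for h in hits))


def report(log_text: str) -> str:
    """Human-readable summary: noisiest rule first, with the file it lives in."""
    hits = parse_limit_errors(log_text)
    file_of = {str(h["id"]): f'{h["file"]}:{h["line"]}' for h in hits}
    out = [f"{len(hits)} rule evaluation(s) aborted on a PCRE limit"]
    ranked = sorted(summarize_by_rule(hits).items(), key=lambda kv: (-kv[1], kv[0]))
    for (rule_id, rc_name), n in ranked:
        out.append(f"  id {rule_id}  {n:>4}x  {rc_name}  ({file_of[rule_id]})")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_ERROR_LOG))
```

Run it against a real error_log with `python3 pcre_limits.py < /dev/null` after replacing SAMPLE_ERROR_LOG with the file contents, or import `parse_limit_errors` and feed it `open("/var/log/httpd/error_log").read()`. A rule that aborts this way never gets to evaluate its pattern on that request, so the ranked ids are the rules whose coverage is silently lost on oversized inputs such as the large Cookie headers discussed above; that list tells you whether the fix is raising the limit (at compile time, or via the directives once they are enforced) or excluding a specific variable from a specific rule.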