Hi,
Did you have a chance to test this branch in a clean environment?
(new clone or even: git clean -fxd)
Can you share some info on your test environment? So I can try to
replicate it here...
Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
From: Bruno de Almeida <br...@sa...>
Reply-To: "mod...@li..."
<mod...@li...>
Date: Thursday, October 30, 2014 2:20 PM
To: "mod...@li..."
<mod...@li...>
Cc: "mod...@li..."
<mod...@li...>
Subject: Re: [Mod-security-developers] [mod-security-users] Does
SecPcreMatchLimit work?
Thanks Felipe, but unless I've done something wrong, I got exactly the
same behaviour.
Compiling with default and increase values in config, I still got the
error.
Compiling with --enable-pcre-match-limit=200000 and decreasing the values in
config, I didn't get the errors.
Bruno
On 30 October 2014 12:36, Felipe Costa <FC...@tr...> wrote:
Hi Bruno,
It seems that those limits - while specified using SecPcreMatchLimit and
SecPcreMatchLimitRecursion - were not being verified in 100% of the cases.
I just made a quick patch to enforce verification of those limits in 100% of
the cases. It is currently being checked by our buildbots and is available
at this branch:
https://github.com/SpiderLabs/ModSecurity/tree/bruno_SecPcreMatchLimit
Can you test it?
Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
From: Bruno de Almeida <br...@sa...>
Reply-To: "mod...@li..."
<mod...@li...>
Date: Thursday, October 30, 2014 11:56 AM
To: "mod...@li..."
<mod...@li...>
Subject: [mod-security-users] Does SecPcreMatchLimit work?
Hi All,
I'm upgrading modsec and the owasp_crs rules on some of our servers and I
ran into a bit of an issue with some of the owasp rules, specifically the
XSS ones that inspect Cookies.
We have some rather large Cookie headers on our setup and I noticed that
after compiling mod_sec with the following options, I was getting a LOT of
'Execution error - PCRE limits exceeded' errors.
--host=x86_64-redhat-linux-gnu \
--build=x86_64-redhat-linux-gnu \
--target=x86_64-redhat-linux \
--with-apxs=%{_apacheroot}/bin/apxs \
--with-apr=%{_apacheroot}/bin/apr-1-config \
--with-apu=%{_apacheroot}/bin/apu-1-config \
--with-pcre=%{include_pcre} \
--with-libxml=%{include_libxml2} \
--enable-pcre-jit \
--enable-pcre-study \
--enable-lua-cache \
I tried to increase SecPcreMatchLimit and SecPcreMatchLimitRecursion to
very high numbers and it didn't make any difference.
I also found that 3985 bytes was the maximum Cookie header size mod_sec
would accept. 1 byte more and it would throw the PCRE limits exceeded
error.
I then re-compiled mod_sec and added these options:
--enable-pcre-match-limit=200000 \
--enable-pcre-match-limit-recursion=200000
And the problem was gone, but I then tried to decrease the limits to very
low numbers and I still wouldn't get the errors, which kind of tells me
that changing these values after compilation doesn't work.
These are the versions I'm running:
[Thu Oct 30 14:47:12 2014] [notice] ModSecurity for Apache/2.8.0
(http://www.modsecurity.org/) configured.
[Thu Oct 30 14:47:12 2014] [notice] ModSecurity: APR compiled
version="1.5.1"; loaded version="1.5.1"
[Thu Oct 30 14:47:12 2014] [notice] ModSecurity: PCRE compiled
version="8.36 "; loaded version="8.36 2014-09-26"
[Thu Oct 30 14:47:12 2014] [notice] ModSecurity: LUA compiled version="Lua
5.1"
[Thu Oct 30 14:47:12 2014] [notice] ModSecurity: LIBXML compiled
version="2.9.1"
Thanks,
--
- Bruno
________________________________
This transmission may contain information that is privileged,
confidential, and/or exempt from disclosure under applicable law. If you
are not the intended recipient, you are hereby notified that any
disclosure, copying, distribution, or use of the information
contained herein (including any reliance thereon) is strictly prohibited.
If you received this transmission in error, please immediately contact the
sender and destroy the material in its entirety, whether in electronic or
hard copy format.
------------------------------------------------------------------------------
_______________________________________________
mod-security-developers mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-developers
ModSecurity Services from Trustwave's SpiderLabs:
https://www.trustwave.com/spiderLabs.php
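The thread above reports "Execution error - PCRE limits exceeded" showing up only in the Apache error log, and that on 2.8.0 the compile-time --enable-pcre-match-limit values, not the SecPcreMatchLimit / SecPcreMatchLimitRecursion directives, decided whether the error appeared. The fragment below is an added example for readers of this thread, not configuration from the original posts or from the ModSecurity project. It sets the two directives and adds a rule that fires on TX:MSC_PCRE_LIMITS_EXCEEDED, the transaction variable ModSecurity 2.x sets to 1 when a regex operator hits either limit, so that the condition is visible in the audit log per transaction rather than only as an error-log line. The limit values, the rule id 999100 and the use of phase 5 are assumptions chosen for illustration.

```apache
# Added example (not from the thread or the ModSecurity project).
# Runtime limits; values are illustrative. As the thread reports for 2.8.0,
# whether these are honoured may depend on the compile-time
# --enable-pcre-match-limit / --enable-pcre-match-limit-recursion values.
SecPcreMatchLimit 100000
SecPcreMatchLimitRecursion 100000

# ModSecurity 2.x sets TX:MSC_PCRE_LIMITS_EXCEEDED to 1 when a regex operator
# exceeds either limit during the transaction. Logging it as a rule event makes
# the affected transaction (and its Cookie header size) visible in the audit
# log. Rule id 999100 and phase 5 (logging phase) are assumptions.
SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "@eq 1" \
    "id:999100,phase:5,pass,log,msg:'PCRE match limits exceeded while inspecting this transaction'"
```

When reproducing the report, compare the audit-log entries from this rule against the error-log lines while varying the Cookie header around the 3985-byte boundary mentioned above; if the rule never fires but the error log still shows the PCRE error, the limits are being hit somewhere the runtime directives do not reach, which is the behaviour the linked branch set out to fix.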