Re: [mod-security-users] PCRE limits exceeded
From: Christian F. <chr...@ne...> - 2020-06-19 07:10:29
Mahmood,

This is a standard problem when using ModSec due to the PCRE library used. 500K is near the highest sane value in production. Go higher and you make a DoS attack more and more likely.

If 500K does not solve it, then I would suggest to disable this rule for this URI.

It is possible that other response-rules show the same symptoms. In that situation, disabling ResponseBody access for the given URI could be a valid alternative.

One word of warning: I recommend to disable rules. This may lead to insecurity in this situation. One would need to assess the situation if it is worth it.

Best,

Christian

On Fri, Jun 19, 2020 at 06:16:25AM +0000, Mahmood Naderan via mod-security-users wrote:
> Hi
> I see some entries like
>
> [Thu Jun 18 11:22:36.512669 2020] [:error] [pid 129057] [client XXXXXXX:20101] [client XXXXXX] ModSecurity: Rule 7f26def146a0 [id "-"][file "/etc/modsecurity/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "433"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "DOMAIN.COM"] [uri "/mod/assign/view.php"] [unique_id "XusPM87nvNAwDeCAa568uQAAABo"], referer: https:// DOMAIN.COM/mod/assign/view.php?id=37801
>
> I have checked the documents and some stated to set
>
> SecPcreMatchLimit 500000
> SecPcreMatchLimitRecursion 500000
>
> In /etc/modsecurity/modsecurity.conf but I am not sure about that. I don't know if a high or low value is recommended.
>
> Regards,
> Mahmood
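Added example, not part of the original thread or of ModSecurity: a small triage script that groups "PCRE limits exceeded" entries by URI, to show whether one rule or several response rules are affected before choosing between a per-URI rule exclusion and turning off ResponseBody access for that URI. The function names, the second URI, line 451 and the advice labels are assumptions made for illustration; the sample log is constructed from the entry quoted above.

```python
import os
import re
from collections import Counter, defaultdict

# Matches the "PCRE limits exceeded" entry format quoted in the thread.
PCRE_RE = re.compile(
    r'\[file "(?P<file>[^"]+)"\]\s*\[line "(?P<line>\d+)"\] - Execution error - '
    r'PCRE limits exceeded \((?P<code>-?\d+)\).*?\[uri "(?P<uri>[^"]*)"\]'
)

def sample_entry(conf, line, uri):
    # Constructed log entry; only the fields the regex reads are varied.
    return ('[Thu Jun 18 11:22:36.512669 2020] [:error] [pid 129057] [client XXXXXX] '
            f'ModSecurity: Rule 7f26def146a0 [id "-"][file "/etc/modsecurity/rules/{conf}"]'
            f'[line "{line}"] - Execution error - PCRE limits exceeded (-8): (null). '
            f'[hostname "DOMAIN.COM"] [uri "{uri}"] [unique_id "constructed"]')

SQL_LEAK = "RESPONSE-951-DATA-LEAKAGES-SQL.conf"
SAMPLE_LOG = "\n".join([
    sample_entry(SQL_LEAK, 433, "/mod/assign/view.php"),
    sample_entry(SQL_LEAK, 433, "/mod/assign/view.php"),
    sample_entry(SQL_LEAK, 433, "/constructed/report.php"),
    sample_entry(SQL_LEAK, 451, "/constructed/report.php"),  # constructed second rule
    '[Thu Jun 18 11:23:01.000000 2020] [:error] unrelated entry, ignored',
])

def triage(log_text):
    """Group PCRE-limit errors by URI and suggest the narrowest exclusion."""
    hits = defaultdict(Counter)
    for entry in log_text.splitlines():
        m = PCRE_RE.search(entry)
        if m:
            # The error carries id "-", so a rule is identified by file and line.
            hits[m["uri"]][(os.path.basename(m["file"]), int(m["line"]))] += 1
    report = {}
    for uri, rules in hits.items():
        # Assumption: response-phase rule files are named RESPONSE-*, as in the log.
        response_rules = [r for r in rules if r[0].startswith("RESPONSE-")]
        # Several response rules on one URI: consider ResponseBody access off there.
        # Otherwise: disable only the listed rule(s) for this URI.
        advice = "response-body-off" if len(response_rules) > 1 else "rule-exclusion"
        report[uri] = {"rules": dict(rules), "advice": advice}
    return report

if __name__ == "__main__":
    for uri, info in triage(SAMPLE_LOG).items():
        print(uri, info["advice"], info["rules"])
```

Either outcome removes inspection for that URI, so the report is input to the assessment mentioned in the reply, not a substitute for it.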