Re: [mod-security-users] PCRE limits exceeded
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] PCRE limits exceeded
|
From: Mahmood N. <nt_...@ya...> - 2020-06-19 10:34:00
|
Thanks for the replies. Let me ask my question in another way.
What happens if I set those parameters to 10 or 1000000000?
Which one is more aggressive or conservative? Which one put pressure on CPU for false positives?
Regards,
Mahmood
On Friday, June 19, 2020, 2:28:02 PM GMT+4:30, Jamie Burchell <ja...@ib...> wrote:
I'm hitting this too and have been gradually increasing from the default. Is this somewhat dependent on CPU speed?
Sent from my iPhone
> On 19 Jun 2020, at 08:12, Christian Folini <chr...@ne...> wrote:
>
> Mahmood,
>
> This is a standard problem when using ModSec due to the PCRE library used.
>
> 500K is near the highest sane value in production. Go higher and you make
> a DoS attack more and more likely.
>
> If 500K does not solve it, then I would suggest to disable this rule
> for this URI. It is possible that other response-rules show the same
> symptoms. In that situation, disabling ResponseBody access for the
> given URI could be a valid alternative.
>
> One word of warning: I recommend to disable rules. This may lead to
> insecurity in this situation. One would need to assess the situation
> if it is worth it.
>
> Best,
>
> Christian
>
>
>
>> On Fri, Jun 19, 2020 at 06:16:25AM +0000, Mahmood Naderan via mod-security-users wrote:
>> Hi
>> I see some entries like
>>
>> [Thu Jun 18 11:22:36.512669 2020] [:error] [pid 129057] [client XXXXXXX:20101] [client XXXXXX] ModSecurity: Rule 7f26def146a0 [id "-"][file "/etc/modsecurity/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "433"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "DOMAIN.COM"] [uri "/mod/assign/view.php"] [unique_id "XusPM87nvNAwDeCAa568uQAAABo"], referer: https:// DOMAIN.COM/mod/assign/view.php?id=37801
>>
>>
>>
>> I have checked the documents and some stated to set
>> SecPcreMatchLimit 500000
>> SecPcreMatchLimitRecursion 500000
>>
>>
>> In /etc/modsecurity/modsecurity.conf but I am not sure about that. I don't know if a high or low value is recommended.
>>
>>
>> Regards,
>> Mahmood
>
>
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
>> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
>> http://www.modsecurity.org/projects/commercial/rules/
>> http://www.modsecurity.org/projects/commercial/support/
>
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
|
