Re: [mod-security-users] PCRE limits exceeded
Brought to you by:
victorhora,
zimmerletw
From: Mahmood N. <nt_...@ya...> - 2020-06-19 10:34:00
|
Thanks for the replies. Let me ask my question in another way. What happens if I set those parameters to 10 or 1000000000? Which one is more aggressive or conservative? Which one put pressure on CPU for false positives? Regards, Mahmood On Friday, June 19, 2020, 2:28:02 PM GMT+4:30, Jamie Burchell <ja...@ib...> wrote: I'm hitting this too and have been gradually increasing from the default. Is this somewhat dependent on CPU speed? Sent from my iPhone > On 19 Jun 2020, at 08:12, Christian Folini <chr...@ne...> wrote: > > Mahmood, > > This is a standard problem when using ModSec due to the PCRE library used. > > 500K is near the highest sane value in production. Go higher and you make > a DoS attack more and more likely. > > If 500K does not solve it, then I would suggest to disable this rule > for this URI. It is possible that other response-rules show the same > symptoms. In that situation, disabling ResponseBody access for the > given URI could be a valid alternative. > > One word of warning: I recommend to disable rules. This may lead to > insecurity in this situation. One would need to assess the situation > if it is worth it. > > Best, > > Christian > > > >> On Fri, Jun 19, 2020 at 06:16:25AM +0000, Mahmood Naderan via mod-security-users wrote: >> Hi >> I see some entries like >> >> [Thu Jun 18 11:22:36.512669 2020] [:error] [pid 129057] [client XXXXXXX:20101] [client XXXXXX] ModSecurity: Rule 7f26def146a0 [id "-"][file "/etc/modsecurity/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "433"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "DOMAIN.COM"] [uri "/mod/assign/view.php"] [unique_id "XusPM87nvNAwDeCAa568uQAAABo"], referer: https:// DOMAIN.COM/mod/assign/view.php?id=37801 >> >> >> >> I have checked the documents and some stated to set >> SecPcreMatchLimit 500000 >> SecPcreMatchLimitRecursion 500000 >> >> >> In /etc/modsecurity/modsecurity.conf but I am not sure about that. I don't know if a high or low value is recommended. >> >> >> Regards, >> Mahmood > > >> _______________________________________________ >> mod-security-users mailing list >> mod...@li... >> https://lists.sourceforge.net/lists/listinfo/mod-security-users >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: >> http://www.modsecurity.org/projects/commercial/rules/ >> http://www.modsecurity.org/projects/commercial/support/ > > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ _______________________________________________ mod-security-users mailing list mod...@li... https://lists.sourceforge.net/lists/listinfo/mod-security-users Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: http://www.modsecurity.org/projects/commercial/rules/ http://www.modsecurity.org/projects/commercial/support/ |