Re: [mod-security-users] PCRE limits exceeded
From: Ervin H. <ai...@gm...> - 2020-06-19 12:49:02
Hi all,

> On Friday, June 19, 2020, 2:28:02 PM GMT+4:30, Jamie Burchell <ja...@ib...> wrote:
>
> I'm hitting this too and have been gradually increasing from the default. Is this somewhat dependent on CPU speed?

No, in merit it doesn't depend on CPU speed (the correct answer is: it isn't related).

On Fri, Jun 19, 2020 at 10:33:46AM +0000, Mahmood Naderan via mod-security-users wrote:
> Thanks for the replies. Let me ask my question in another way.
> What happens if I set those parameters to 10 or 1000000000?
> Which one is more aggressive or conservative? Which one puts pressure on the CPU for false positives?

I'm afraid there isn't any good answer to this question.

Here is the relevant part of the code of the mod_security2 module; let's see how it handles these limits:

https://github.com/SpiderLabs/ModSecurity/blob/12cefbd70f2aab802e1bff53c50786f3b8b89359/apache2/re_operators.c#L1088-L1111

As you can see, if one of these values is reached, the operator returns "No match". So, if you keep it at a lower value, the rule can be bypassed (the limit is reached early, and the rule returns as not matched). If you increase the values, your CPU may be working unnecessarily; it depends on how long the input is. If it's short, the recursion will also be short. If the input is long, the recursion could be very long (I think it grows exponentially with the input), but as you see, when the limit is reached, that means the rule did not match (which is a false negative rather than a FP).

I think this message in your log is a "warning", and it means you have to review that regex. As Christian wrote, the best thing you can do is disable that rule.

Hope this helped.

a.
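The reply above makes one point that is easy to miss: when the PCRE limit is hit, the operator reports "No match", so a too-low limit turns into a rule bypass, while a high limit only costs CPU time. The following is an added example, not ModSecurity or PCRE code: a small backtracking matcher in the style of Rob Pike's matcher (literal characters, `.`, `*`, `^`, `$`) with a step budget standing in for the match limit (in ModSecurity 2.x that is `SecPcreMatchLimit`). It reports a budget overrun as its own outcome (`MATCH_LIMIT`) instead of folding it into `NO_MATCH`, so a caller can log it or fail closed; the pattern `a*a*a*b` and the runs of `a` are constructed inputs chosen only to make backtracking cost visible.

```c
/* Added illustration (hypothetical code, not ModSecurity's): a tiny
 * backtracking regex matcher with a step budget that plays the role of a
 * PCRE match limit. Supported syntax: literal chars, '.', '*', '^', '$'. */
#include <stdio.h>
#include <string.h>

enum match_result { NO_MATCH = 0, MATCHED = 1, MATCH_LIMIT = 2 };

struct budget {
    unsigned long steps;   /* matcher steps consumed so far */
    unsigned long limit;   /* analogue of the match limit; constructed values below */
};

static int matchhere(const char *re, const char *text, struct budget *b);

/* Greedy c*: consume the longest run of c, then back off one char at a time. */
static int matchstar(int c, const char *re, const char *text, struct budget *b)
{
    const char *t = text;
    while (*t != '\0' && (*t == c || c == '.'))
        t++;
    for (;;) {
        int r = matchhere(re, t, b);
        if (r != NO_MATCH)        /* MATCHED or MATCH_LIMIT both end the search */
            return r;
        if (t == text)
            break;
        t--;
    }
    return NO_MATCH;
}

static int matchhere(const char *re, const char *text, struct budget *b)
{
    if (++b->steps > b->limit)
        return MATCH_LIMIT;       /* budget exhausted: deliberately NOT "no match" */
    if (re[0] == '\0')
        return MATCHED;
    if (re[1] == '*')
        return matchstar(re[0], re + 2, text, b);
    if (re[0] == '$' && re[1] == '\0')
        return *text == '\0' ? MATCHED : NO_MATCH;
    if (*text != '\0' && (re[0] == '.' || re[0] == *text))
        return matchhere(re + 1, text + 1, b);
    return NO_MATCH;
}

/* Search for re anywhere in text under the given step limit.
 * Returns MATCHED, NO_MATCH or MATCH_LIMIT; *steps_used reports the cost. */
int match_with_limit(const char *re, const char *text, unsigned long limit,
                     unsigned long *steps_used)
{
    struct budget b = { 0, limit };
    int r;
    if (re[0] == '^') {
        r = matchhere(re + 1, text, &b);
    } else {
        do {
            r = matchhere(re, text, &b);
            if (r != NO_MATCH)
                break;
        } while (*text++ != '\0');
    }
    if (steps_used)
        *steps_used = b.steps;
    return r;
}

/* Defender-side wrapper: a limit overrun is surfaced as its own verdict so it
 * can be logged or treated as a block, rather than silently passing traffic. */
const char *evaluate_rule(const char *re, const char *text, unsigned long limit)
{
    switch (match_with_limit(re, text, limit, NULL)) {
    case MATCHED:     return "match";
    case MATCH_LIMIT: return "limit-exceeded";
    default:          return "no-match";
    }
}

/* Constructed test input: n copies of c (n < 256) in a static buffer. */
const char *make_run(char c, size_t n)
{
    static char buf[256];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, c, n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    unsigned long used;
    printf("short input:            %s\n", evaluate_rule("a*a*a*b", "aaab", 1000));
    printf("127 x 'a', limit 10000: %s\n", evaluate_rule("a*a*a*b", make_run('a', 127), 10000));
    match_with_limit("a*a*a*b", make_run('a', 127), 100000000UL, &used);
    printf("127 x 'a', limit 1e8:   %s after %lu steps\n",
           evaluate_rule("a*a*a*b", make_run('a', 127), 100000000UL), used);
    return 0;
}
```

With the short limit the long input of 127 `a`s never gets a real verdict: the budget runs out long before the search finishes, and a matcher that maps that to "no match" would let the request through. With the limit raised, the same input produces a genuine "no-match" but costs roughly twelve million steps, which is the CPU trade-off the reply describes; the cost grows polynomially with input length for this pattern.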