Re: [mod-security-users] PCRE limits exceeded
From: Christian F. <chr...@ne...> - 2020-06-19 13:48:14
Mahmood,

I've never done more than 1M on a production server. But it's not like the
server breaks if you go beyond that value. It's just becoming more risky in
terms of Denial of Service.

So yes, you can do that, but I would avoid going beyond 1M.

Cheers,

Christian

On Fri, Jun 19, 2020 at 10:33:46AM +0000, Mahmood Naderan via mod-security-users wrote:
> Thanks for the replies. Let me ask my question in another way.
> What happens if I set those parameters to 10 or 1000000000?
> Which one is more aggressive or conservative? Which one put pressure on CPU for false positives?
>
> Regards,
> Mahmood
>
> On Friday, June 19, 2020, 2:28:02 PM GMT+4:30, Jamie Burchell <ja...@ib...> wrote:
>
> I'm hitting this too and have been gradually increasing from the default. Is this somewhat dependent on CPU speed?
>
> Sent from my iPhone
>
> > On 19 Jun 2020, at 08:12, Christian Folini <chr...@ne...> wrote:
> >
> > Mahmood,
> >
> > This is a standard problem when using ModSec due to the PCRE library used.
> >
> > 500K is near the highest sane value in production. Go higher and you make
> > a DoS attack more and more likely.
> >
> > If 500K does not solve it, then I would suggest to disable this rule
> > for this URI. It is possible that other response-rules show the same
> > symptoms. In that situation, disabling ResponseBody access for the
> > given URI could be a valid alternative.
> >
> > One word of warning: I recommend to disable rules. This may lead to
> > insecurity in this situation. One would need to assess the situation
> > if it is worth it.
> >
> > Best,
> >
> > Christian
> >
> >> On Fri, Jun 19, 2020 at 06:16:25AM +0000, Mahmood Naderan via mod-security-users wrote:
> >> Hi
> >> I see some entries like
> >>
> >> [Thu Jun 18 11:22:36.512669 2020] [:error] [pid 129057] [client XXXXXXX:20101] [client XXXXXX] ModSecurity: Rule 7f26def146a0 [id "-"][file "/etc/modsecurity/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "433"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "DOMAIN.COM"] [uri "/mod/assign/view.php"] [unique_id "XusPM87nvNAwDeCAa568uQAAABo"], referer: https:// DOMAIN.COM/mod/assign/view.php?id=37801
> >>
> >> I have checked the documents and some stated to set
> >> SecPcreMatchLimit 500000
> >> SecPcreMatchLimitRecursion 500000
> >>
> >> In /etc/modsecurity/modsecurity.conf but I am not sure about that. I don't know if a high or low value is recommended.
> >>
> >> Regards,
> >> Mahmood
> >
> >> _______________________________________________
> >> mod-security-users mailing list
> >> mod...@li...
> >> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> >> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> >> http://www.modsecurity.org/projects/commercial/rules/
> >> http://www.modsecurity.org/projects/commercial/support/
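
Added example, not part of the thread or of the ModSecurity project: a small triage script for the alternative suggested above (leave the limits at a sane value and switch off ResponseBody access only for the affected URI). It counts "PCRE limits exceeded" entries per URI and rule location, and drafts one scoped exclusion per noisy URI. Assumptions: the sample log is constructed from the entry quoted in the thread, `/course/view.php` is an invented second URI, the rule ids starting at 10001 are placeholders, and the code-to-directive map uses PCRE's `PCRE_ERROR_MATCHLIMIT` (-8) and `PCRE_ERROR_RECURSIONLIMIT` (-21).

```python
import re
from collections import Counter

# PCRE error codes ModSecurity prints in parentheses, mapped to the limit hit.
PCRE_CODES = {-8: "SecPcreMatchLimit", -21: "SecPcreMatchLimitRecursion"}
# Shape of the ModSecurity 2.x error-log entry quoted in the thread.
ENTRY = re.compile(
    r'\[file "(?P<file>[^"]+)"\]\s*\[line "(?P<line>\d+)"\] - Execution error'
    r' - PCRE limits exceeded \((?P<code>-?\d+)\).*?\[uri "(?P<uri>[^"]+)"\]')
# Only plain paths are copied from the log into generated config.
SAFE_URI = re.compile(r'/[A-Za-z0-9_./-]*')

# Constructed sample log (documentation addresses, invented unique ids).
_TPL = ('[Thu Jun 18 11:22:{sec}.000000 2020] [:error] [pid 129057] '
        '[client 192.0.2.10:20101] [client 192.0.2.10] ModSecurity: Rule '
        '7f26def146a0 [id "-"][file "/etc/modsecurity/rules/'
        'RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "433"] - Execution error - '
        'PCRE limits exceeded ({code}): (null). [hostname "example.test"] '
        '[uri "{uri}"] [unique_id "constructed-{sec}"]')
SAMPLE_LOG = "\n".join([
    _TPL.format(sec=36, code=-8, uri="/mod/assign/view.php"),
    _TPL.format(sec=41, code=-8, uri="/mod/assign/view.php"),
    _TPL.format(sec=52, code=-8, uri="/course/view.php"),
    "[Thu Jun 18 11:23:01.000000 2020] [core:notice] [pid 1] unrelated entry",
])

def triage(log_text):
    """Count PCRE-limit errors per (uri, rule file, rule line, directive)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m:
            directive = PCRE_CODES.get(int(m["code"]), "unknown")
            hits[(m["uri"], m["file"], int(m["line"]), directive)] += 1
    return hits

def response_body_exclusions(hits, threshold=2, first_id=10001):
    """Draft one SecRule per URI seen at least `threshold` times.
    The ids are hypothetical; use a range reserved for local rules."""
    per_uri = Counter()
    for (uri, _file, _line, _directive), n in hits.items():
        per_uri[uri] += n
    noisy = sorted(u for u, n in per_uri.items()
                   if n >= threshold and SAFE_URI.fullmatch(u))
    return [f'SecRule REQUEST_FILENAME "@streq {uri}" '
            f'"id:{first_id + i},phase:1,pass,nolog,ctl:responseBodyAccess=Off"'
            for i, uri in enumerate(noisy)]

if __name__ == "__main__":
    print("\n".join(response_body_exclusions(triage(SAMPLE_LOG))))
```

Each drafted rule removes response inspection for that path entirely, so review the list before loading it, as the warning in the thread advises.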