Re: [mod-security-users] question about PCRE limits exceeded
From: Andrew H. <and...@lo...> - 2021-02-17 14:59:15
Hi Ed,

> This is not a rule violation, so where would I find a specification for the error it gets.

I believe that if a PCRE match limit is hit then the flag MSC_PCRE_LIMITS_EXCEEDED is set. A rule would be required to look for the presence of that flag and take appropriate action if it is set.

The ModSecurity default configuration (modsecurity.conf-recommended, https://github.com/SpiderLabs/ModSecurity/blob/v3/master/modsecurity.conf-recommended) contains the following rule:

# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
    "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

On a ModSecurity deployment using that default rule, a request that hits a PCRE match limit would be denied. I suppose a "status:" action could be added to specify which response status code to use, as you mentioned.

I hope this helps answer your question.

Thanks,
Andrew

--
Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
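As an added example, not part of Andrew's message and not the ModSecurity project's shipped configuration: the same TX:/^MSC_/ check written two ways, once with the "status:" action Andrew mentions so the denial carries an explicit response code, and once as a log-only variant for a detection-only rollout. The status code 503, the log-only rule id 1009005 and the SecPcreMatchLimit / SecPcreMatchLimitRecursion values are assumptions chosen for illustration; those two directives are the ModSecurity v2 names, and whether the reader's version honours them is not something this thread establishes.

```apache
# Added example, not from modsecurity.conf-recommended.
#
# Assumption: SecPcreMatchLimit / SecPcreMatchLimitRecursion (v2 directive
# names) bound how much work PCRE does on a single match. When either bound
# is hit, the engine sets TX:MSC_PCRE_LIMITS_EXCEEDED instead of raising a
# rule violation, so a rule has to look for the flag. Values are illustrative.
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# Variant 1: the recommended-config rule (id 200005, as on the page) with an
# explicit status code added. Without "status:" the deny uses the engine's
# default; "status:503" is the assumed value here.
SecRule TX:/^MSC_/ "!@streq 0" \
    "id:'200005',\
    phase:2,\
    t:none,\
    deny,\
    status:503,\
    msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

# Variant 2: detection-only. Use this INSTEAD of variant 1 (not alongside it)
# while measuring how often real traffic trips the limit. The request passes
# but the flag name lands in the error and audit logs. Rule id 1009005 is a
# locally chosen id, not one from the project.
#SecRule TX:/^MSC_/ "!@streq 0" \
#    "id:'1009005',\
#    phase:2,\
#    t:none,\
#    pass,\
#    log,\
#    auditlog,\
#    msg:'PCRE limit exceeded (detection only): %{MATCHED_VAR_NAME}'"
```

The "!@streq 0" test fires when any TX:MSC_* variable holds a value other than 0, so the msg shows which flag was set via %{MATCHED_VAR_NAME}; grepping the error log for "MSC_PCRE_LIMITS_EXCEEDED" is then the quickest way to find the requests (and the rules whose regexes backtracked) that hit the limit.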