Re: [mod-security-users] question about PCRE limits exceeded

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi Ed,

> This is not a rule violation, so where would I find a specification for the error it gets.

I believe that if a PCRE match limit is hit then the flag
MSC_PCRE_LIMITS_EXCEEDED is set.

A rule would be required to look for the presence of that flag and
take appropriate action if it is set.

The ModSecurity default configuration (modsecurity.conf-recommended,
https://github.com/SpiderLabs/ModSecurity/blob/v3/master/modsecurity.conf-recommended)
contains the following rule:

    # Some internal errors will set flags in TX and we will need to
look for these.
    # All of these are prefixed with "MSC_".  The following flags
currently exist:
    #
    # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
    #
    SecRule TX:/^MSC_/ "!@streq 0" \
            "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal
error flagged: %{MATCHED_VAR_NAME}'"

On a ModSecurity deployment using that default rule, a request that
hits a PCRE match limit would be denied. I suppose a "status:" action
could be added to specify which response status code to use, as you
mentioned.

I hope this helps answer your question.

Thanks,
Andrew

-- 

Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064