Re: [mod-security-users] question about PCRE limits exceeded
From: Ed G. <Ed....@mr...> - 2021-02-17 16:38:32
Thanks for the answer. The web is full of explanations of how to cure the error, but I could not find the info you just provided. The submission that is failing is a json upload with two large base64 encoded text strings, so I'm not surprised it's hitting the limit.

Ed

-----Original Message-----
From: Andrew Howe <and...@lo...>
Sent: Wednesday, February 17, 2021 9:35 AM
To: mod...@li...
Subject: Re: [mod-security-users] question about PCRE limits exceeded

Hi Ed,

> This is not a rule violation, so where would I find a specification for the error it gets.

I believe that if a PCRE match limit is hit then the flag MSC_PCRE_LIMITS_EXCEEDED is set. A rule would be required to look for the presence of that flag and take appropriate action if it is set.

The ModSecurity default configuration (modsecurity.conf-recommended, https://github.com/SpiderLabs/ModSecurity/blob/v3/master/modsecurity.conf-recommended) contains the following rule:

# Some internal errors will set flags in TX and we will need to look for these.
# All of these are prefixed with "MSC_". The following flags currently exist:
#
# MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
#
SecRule TX:/^MSC_/ "!@streq 0" \
        "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

On a ModSecurity deployment using that default rule, a request that hits a PCRE match limit would be denied. I suppose a "status:" action could be added to specify which response status code to use, as you mentioned.

I hope this helps answer your question.

Thanks,
Andrew

--
Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
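A log-triage sketch for the behaviour described in the reply above, added here as an example and not part of the thread or of ModSecurity itself: it groups "PCRE limits exceeded" error-log entries by transaction and checks whether rule 200005 then denied the request. The log layout (ModSecurity 2.x on Apache is assumed), the sample lines, the rule ids 100101, 100102 and 900001, the file paths and the unique_id values are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an assumed ModSecurity 2.x / Apache error-log
# layout; the thread itself shows no log output.
SAMPLE_LOG = '''\
[client 192.0.2.10] ModSecurity: Rule 7f3a10 [id "100101"][file "/etc/modsecurity/a.conf"][line "43"] - Execution error - PCRE limits exceeded (-8): (null). [uri "/api/upload"] [unique_id "tx-aaa"]
[client 192.0.2.10] ModSecurity: Rule 7f3b20 [id "100102"][file "/etc/modsecurity/b.conf"][line "57"] - Execution error - PCRE limits exceeded (-8): (null). [uri "/api/upload"] [unique_id "tx-aaa"]
[client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [id "200005"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [uri "/api/upload"] [unique_id "tx-aaa"]
[client 192.0.2.44] ModSecurity: Rule 7f3a10 [id "100101"][file "/etc/modsecurity/a.conf"][line "43"] - Execution error - PCRE limits exceeded (-8): (null). [uri "/api/import"] [unique_id "tx-bbb"]
[client 192.0.2.77] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:q. [id "900001"] [msg "constructed unrelated rule"] [uri "/search"] [unique_id "tx-ccc"]
'''

def field(line, name):
    """Return the value of a [name "value"] log field, or None."""
    m = re.search(r'\[%s "([^"]*)"\]' % re.escape(name), line)
    return m.group(1) if m else None

def triage(log_text):
    """Group PCRE-limit events by transaction (unique_id)."""
    txs = defaultdict(lambda: {"uri": None, "rules": [], "denied": False})
    for line in log_text.splitlines():
        uid = field(line, "unique_id")
        if uid is None:
            continue
        if "PCRE limits exceeded" in line:
            # A rule's regex ran out of PCRE budget on this request.
            txs[uid]["uri"] = field(line, "uri")
            txs[uid]["rules"].append(field(line, "id"))
        elif field(line, "id") == "200005" and "MSC_PCRE_LIMITS_EXCEEDED" in line:
            # The default rule saw the TX flag and denied the request.
            txs[uid]["uri"] = field(line, "uri")
            txs[uid]["denied"] = True
    return dict(txs)

def rule_hits(txs):
    """Count how often each rule id exceeded the PCRE limits."""
    return Counter(r for tx in txs.values() for r in tx["rules"])

def not_denied(txs):
    """Transactions where a limit was hit but rule 200005 logged no deny."""
    return sorted(u for u, tx in txs.items() if tx["rules"] and not tx["denied"])

if __name__ == "__main__":
    txs = triage(SAMPLE_LOG)
    print("limit hits per rule:", dict(rule_hits(txs)))
    print("limit hit, not denied:", not_denied(txs))
```

Transactions reported by not_denied are the ones to review first: a rule could not finish evaluating the request and no deny from rule 200005 was logged for it.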