[mod-security-users] Reply: Re: question about PCRE limits exceeded
From: Davy G. <da...@ya...> - 2021-02-18 06:16:13

Please unsubscribe me from the group. I no longer need the mailing list.

Sent from Yahoo Mail on Android

On Thu, 18 Feb 2021 at 5:14, Christian Folini<chr...@ne...> wrote:

Andrew,

This is excellent. I never really thought this through to the end and now it clicked.

The point is this: Every installation I have seen hitherto includes the recommended rules before the actual rule set. Given most rules run in phase 2, rule 200005 will run before the PCRE error hits. This means the moment rule 200005 checks for PCRE limit errors, said errors have not occurred yet and when they pop up, there is no rule taking care of the situation anymore and PCRE limit errors will be ignored.

Probably one of the reasons you rarely see 200005 trigger.

It might be worthwhile to shift rule 200005 to phase 3 or move it after the other rules towards the end of phase 2.

Best,

Christian

On Wed, Feb 17, 2021 at 02:34:53PM +0000, Andrew Howe wrote:
> Hi Ed,
>
> > This is not a rule violation, so where would I find a specification for the error it gets.
>
> I believe that if a PCRE match limit is hit then the flag
> MSC_PCRE_LIMITS_EXCEEDED is set.
>
> A rule would be required to look for the presence of that flag and
> take appropriate action if it is set.
>
> The ModSecurity default configuration (modsecurity.conf-recommended,
> https://github.com/SpiderLabs/ModSecurity/blob/v3/master/modsecurity.conf-recommended)
> contains the following rule:
>
>
> # Some internal errors will set flags in TX and we will need to look for these.
> # All of these are prefixed with "MSC_". The following flags currently exist:
> #
> # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
> #
> SecRule TX:/^MSC_/ "!@streq 0" \
>     "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
>
>
> On a ModSecurity deployment using that default rule, a request that
> hits a PCRE match limit would be denied. I suppose a "status:" action
> could be added to specify which response status code to use, as you
> mentioned.
>
> I hope this helps answer your question.
>
> Thanks,
> Andrew
>
> --
>
> Andrew Howe
> Loadbalancer.org Ltd.
> www.loadbalancer.org
> +1 888 867 9504 / +44 (0)330 380 1064
>
>
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurinty.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
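
The reordering Christian suggests (the MSC_ flag check moved to the end of phase 2), sketched as an added example that is not part of the original thread or of the ModSecurity project's files. The include paths and the replacement id 1000005 are assumptions; the rule body is the one quoted above from modsecurity.conf-recommended.

```apache
# Added example. Paths and the id 1000005 are hypothetical.

# Ordering described in the thread (the check runs before the rule set):
#   Include /etc/modsecurity/modsecurity.conf     <- defines 200005, phase:2
#   Include /etc/modsecurity/crs/rules/*.conf     <- regex rules, mostly phase:2
# Within a phase, rules run in configuration order, so 200005 inspects TX
# before any later regex can set MSC_PCRE_LIMITS_EXCEEDED.

# Reordered: same includes, then drop the early copy and re-add the check last.
Include /etc/modsecurity/modsecurity.conf
Include /etc/modsecurity/crs/rules/*.conf

# Remove the early check defined in the recommended configuration.
SecRuleRemoveById 200005

# Same test as 200005, now evaluated after every other phase:2 rule.
# The other option raised in the thread is to use phase:3 here instead.
SecRule TX:/^MSC_/ "!@streq 0" \
    "id:1000005,phase:2,t:none,deny,\
    msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"
```

A check placed at the end of phase 2 only sees flags set by rules that ran up to that point; regex rules in later phases are outside its reach.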