Thread: [mod-security-users] question about PCRE limits exceeded
From: Ed G. <Ed....@mr...> - 2021-02-17 13:32:11
So I've read about PCRE limits exceeded and understand what causes it, but my question is a follow-on. If my system is not in Detection Only mode, what sort of result should I get for one of these? In rule violations, each rule has its own status: specification. This is not a rule violation, so where would I find a specification for the error it gets? I have a few sample violations that show a 200 return (see below), so I'm not sure if modsec is actually interrupting the submission or if they are succeeding with less (or no) inspection.

In the sample below, it also references a rule 218601 which is ruby on rails related, but that's something I should ask about the ruleset, I guess. (This is not a ruby site.)

Thanks,
Ed

--bec61605-F--
HTTP/1.1 200 OK
Cache-Control: no-cache, private
...
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
WebNode: ip-172-31-75-176
Keep-Alive: timeout=4, max=50
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/json

--bec61605-H--
Message: Rule 55af32f5a1d0 [id "218601"][file "/etc/httpd/cwafrules/25_ROR_RORGen.conf"][line "17"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Rule 55af32f63be0 [id "218602"][file "/etc/httpd/cwafrules/25_ROR_RORGen.conf"][line "20"] - Execution error - PCRE limits exceeded (-8): (null).
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client xx.xx.xx.xx] ModSecurity: Rule 55af32f5a1d0 [id "218601"][file "/etc/httpd/cwafrules/25_ROR_RORGen.conf"][line "17"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "xxxxx.xxxxx.com"] [uri "/application-collection"] [unique_id "YCQ6RSCbkGR@Nn7yBu3EpQAAAA0"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client xx.xx.xx.xx] ModSecurity: Rule 55af32f63be0 [id "218602"][file "/etc/httpd/cwafrules/25_ROR_RORGen.conf"][line "20"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "xxxxx.xxxxx.com"] [uri "/application-collection"] [unique_id "YCQ6RSCbkGR@Nn7yBu3EpQAAAA0"]
Apache-Handler: proxy:unix:/var/run/php5-fpm.sock|fcgi://localhost
Stopwatch: 1612986949727839 337602 (- - -)
Stopwatch2: 1612986949727839 337602; combined=10395, p1=502, p2=9645, p3=0, p4=0, p5=188, sr=82, sw=60, l=0, gc=0
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); CWAF_Apache.
Server: Apache
Engine-Mode: "ENABLED"

This electronic message transmission contains information from MRI Software LLC which is (i) confidential; or (ii) otherwise the exclusive property of the intended recipient or MRI Software LLC (neither of which is waived nor lost by mistaken delivery). This information is intended for the use of the individual or entity that is the intended recipient. If you are not the designated recipient, please be aware that any dissemination, distribution or copying of this communication is strictly prohibited. Please notify us if you have received this message in error, and remove both emails from your system. Any unauthorized use is expressly prohibited. Thank you for your assistance.
From: Andrew H. <and...@lo...> - 2021-02-17 14:59:15
Hi Ed,

> This is not a rule violation, so where would I find a specification for the error it gets.

I believe that if a PCRE match limit is hit then the flag MSC_PCRE_LIMITS_EXCEEDED is set. A rule would be required to look for the presence of that flag and take appropriate action if it is set.

The ModSecurity default configuration (modsecurity.conf-recommended, https://github.com/SpiderLabs/ModSecurity/blob/v3/master/modsecurity.conf-recommended) contains the following rule:

    # Some internal errors will set flags in TX and we will need to look for these.
    # All of these are prefixed with "MSC_". The following flags currently exist:
    #
    # MSC_PCRE_LIMITS_EXCEEDED: PCRE match limits were exceeded.
    #
    SecRule TX:/^MSC_/ "!@streq 0" \
        "id:'200005',phase:2,t:none,deny,msg:'ModSecurity internal error flagged: %{MATCHED_VAR_NAME}'"

On a ModSecurity deployment using that default rule, a request that hits a PCRE match limit would be denied. I suppose a "status:" action could be added to specify which response status code to use, as you mentioned.

I hope this helps answer your question.

Thanks,
Andrew

--
Andrew Howe
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
From: Ed G. <Ed....@mr...> - 2021-02-17 16:38:32
Thanks for the answer. The web is full of explanations of how to cure the error, but I could not find the info you just provided.

The submission that is failing is a json upload with two large base64 encoded text strings, so I'm not surprised it's hitting the limit.

Ed

_______________________________________________
mod-security-users mailing list
mod...@li...
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
From: Christian F. <chr...@ne...> - 2021-02-17 22:11:01
Andrew,

This is excellent. I never really thought this through to the end and now it clicked.

The point is this: Every installation I have seen hitherto includes the recommended rules before the actual rule set. Given most rules run in phase 2, rule 200005 will run before the PCRE error hits. This means the moment rule 200005 checks for PCRE limit errors, said errors have not occurred yet and when they pop up, there is no rule taking care of the situation anymore and PCRE limit errors will be ignored. Probably one of the reasons you rarely see 200005 trigger.

It might be worthwhile to shift rule 200005 to phase 3 or move it after the other rules towards the end of phase 2.

Best,

Christian
From: Davy G. <da...@ya...> - 2021-02-18 06:16:13
Please unsubscribe me from the group. I no longer need the mailing list.

Sent from Yahoo Mail on Android