Re: PCRE limits exceeded
Ryan Barnett <RBarnett <at> trustwave.com>
2012-01-16 15:46:56 GMT
I think that the issue is with the use of repetition meta-chars in the regex when it receives certain
payloads. Rule ID – 950901 – aims to identify SQL Injection Tautologies which are things like – 1=1,
'2' = '2', "1" < "3", etc… The current regex tries to account for the presence or absence of quote chars;
however, I believe it is hitting recursion limits based on the payloads.
Can you please send me an audit log example of a request that is triggering this? I will look at improving the regex.
Thanks,
Ryan
From: Sean O'Sullivan <dits_ltd <at> hotmail.com>
Date: Mon, 16 Jan 2012 09:26:57 -0600
To: "mod-security-users <at> lists.sourceforge.net" <mod-security-users <at> lists.sourceforge.net>
Subject: Re: [mod-security-users] PCRE limits exceeded
Hi Breno
Thanks for the explanation. I did the compile with the pcre options, make && make install but it's still
happening. I have a log excerpt below. Once I put the server back inline I got hundreds of the errors, all
relating to line 58 in the sqli rules, rule 950901. Is there something I'm missing? Is this error
disruptive, i.e. is the session killed when the error happens? Thanks Breno.
Message: Rule 7f70d2b9db20 [id "950901"][file
"/etc/apache2/modsecurity_crs/modsecurity_crs_41_sql_injection_attacks.conf"][line "58"] -
Execution error - PCRE limits exceeded (-8): (null).
Sean
________________________________
Date: Mon, 16 Jan 2012 08:38:35 -0600
Subject: Re: [mod-security-users] PCRE limits exceeded
From: breno.silva <at> gmail.com
To: dits_ltd <at> hotmail.com
CC: mod-security-users <at> lists.sourceforge.net
Hi Sean,
In modsec 2.6 we do not enable it by default.
Try to compile : ./configure --enable-pcre-match-limit=10000 --enable-pcre-match-limit-recursion=10000
Breno
On Mon, Jan 16, 2012 at 8:21 AM, Sean O'Sullivan <dits_ltd <at> hotmail.com> wrote:
Hi all,
Sorry to bring this topic up again, it's all over Google, but I upgraded modsec from 2.6 to 2.6.3 this morning
and have been getting a lot of PCRE limits exceeded errors with
modsecurity_crs_41_sql_injection_attacks.conf line 58. These were not happening before the
upgrade. I am using the 2.2.3 ruleset. I created a new file which contains the SecPcreMatchLimit and
SecPcreMatchLimitRecursion settings and no matter how large I create the limits I am still seeing the
errors. I have increased them from 5000 to 1500000 (just for testing) and still see the errors. Am I missing
something else? Thanks in advance all.
Sean
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
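
A toy model of the behaviour Ryan describes, added here as an illustration and not taken from the thread or from ModSecurity: a backtracking matcher that counts one step per match attempt and aborts at a limit, the way PCRE's match limit does. The `TAUTOLOGY` pattern, the `search` helper and the payloads are constructed assumptions; this is not rule 950901's regex.

```python
# Added example: toy backtracking matcher with a PCRE-style match limit.
# TAUTOLOGY is a constructed stand-in, not the regex used by rule 950901.
import string

WORD = set(string.ascii_letters + string.digits + "_")
QUOTE, SPACE = set("'\""), set(" \t")
MANY = 10**9  # stands in for an unbounded repeat count

# Rough equivalent of  ['"]?\w+['"]?\s*[=<>]\s*['"]?\w+['"]?
# Each token is (allowed characters, min repeats, max repeats).
TAUTOLOGY = [(QUOTE, 0, 1), (WORD, 1, MANY), (QUOTE, 0, 1), (SPACE, 0, MANY),
             (set("=<>"), 1, 1), (SPACE, 0, MANY),
             (QUOTE, 0, 1), (WORD, 1, MANY), (QUOTE, 0, 1)]


class MatchLimitExceeded(Exception):
    """Step budget ran out: the matcher gives up without a yes/no answer."""


def search(tokens, text, limit):
    """Unanchored greedy search. Returns (found, steps) or raises MatchLimitExceeded."""
    steps = 0

    def match(ti, pos):
        nonlocal steps
        steps += 1  # one step per match() call
        if steps > limit:
            raise MatchLimitExceeded(steps)
        if ti == len(tokens):
            return True
        chars, lo, hi = tokens[ti]
        n = 0
        while n < hi and pos + n < len(text) and text[pos + n] in chars:
            n += 1
        # Greedy: take the longest run first, then give characters back one by one.
        return any(match(ti + 1, pos + k) for k in range(n, lo - 1, -1))

    for start in range(len(text) + 1):
        if match(0, start):
            return True, steps
    return False, steps


if __name__ == "__main__":
    for payload in ["1=1", "'2' = '2'", "a" * 200]:  # constructed inputs
        try:
            print(repr(payload[:12]), search(TAUTOLOGY, payload, 10000))
        except MatchLimitExceeded:
            print(repr(payload[:12]), "match limit exceeded")
```

The two tautologies match in about ten steps, while a 200-character run of word characters that contains no operator exhausts a 10000-step budget because every start position re-tries every length of `\w+`.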