That isn't a bad idea - Do you have a link to the old ticket/work? 
Additionally, we should very much consider this maybe for 3.1?

Chaim Sanders
Security Researcher
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org 
[mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of 
Colin MacAllister
Sent: Wednesday, April 27, 2016 12:49 PM
To: OWASP List <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] Execution error - PCRE limits 
exceeded (-8)

It looks like at one point in the past the regular expressions in the ruleset 
were edited to reduce their greed, which resulted in fewer recursive passes 
over the input. Might something like this be needed here, given recently added 
rules?


From: Colin MacAllister<mailto:cmacallis...@probono.net>
Sent: Wednesday, April 27, 2016 12:43 PM
To: OWASP List<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Execution error - PCRE limits exceeded (-8)

I've found references to this via Google searches, and the accepted answer 
seems to be to increase the PCRE limits to 150000. This seems unwise, since the 
limits must be there for a reason. Still, I tried it, but it didn't help. I'm 
receiving 19 errors of this type, all either concerning XSS or SQL injection, 
for one URI. The URI in question is in this form:
/base.cfm?404;/admin/framework.com.page/area.27D92FDF-4048-6285-EDC3-78593415F962
(which has been heavily edited so as to not give away the farm.)


