I played around some more with it and was able to get it to the point where it was no longer giving me GUID_0.00 errors. I weeded out all rules on that XML carrying field to avoid the PCRE limit problem (as well as obvious XSS rules). And now everything is working, and I'm able to keep my recursion limits to 1000. In this case it's okay, I believe, because the XML field is only viewable by admins. So the problem wasn't really solved, but I can proceed.
-----Original Message-----
From: Christian Folini [mailto:christian.fol...@netnea.com]
Sent: Wednesday, April 27, 2016 11:47 PM
To: Colin MacAllister <cmacallis...@probono.net>
Cc: OWASP List <owasp-modsecurity-core-rule-set@lists.owasp.org>
Subject: Re: [Owasp-modsecurity-core-rule-set] Execution error - PCRE limits exceeded (-8)

Hi Colin,

Yes, that was when the move from sourceforge to github was done. When I asked Ryan for the old history files, I never got a reply.

Ahoj,

Christian

On Wed, Apr 27, 2016 at 07:32:08PM +0000, Colin MacAllister wrote:
> From the Changelog it looks like this kind of work was done for version
> 2.2.4. However, I don’t see that tag in Git – did this use to be in
> SourceForge or someplace?
>
> From: Chaim Sanders<mailto:csand...@trustwave.com>
> Sent: Wednesday, April 27, 2016 2:14 PM
> To: Colin MacAllister<mailto:cmacallis...@probono.net>; OWASP List<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>
> Subject: RE: [Owasp-modsecurity-core-rule-set] Execution error - PCRE limits exceeded (-8)
>
> That isn’t a bad idea – Do you have a link to the old ticket/work?
> Additionally, we should very much consider this maybe for 3.1?
>
> Chaim Sanders
> Security Researcher
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com
>
> From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Colin MacAllister
> Sent: Wednesday, April 27, 2016 12:49 PM
> To: OWASP List <owasp-modsecurity-core-rule-set@lists.owasp.org>
> Subject: Re: [Owasp-modsecurity-core-rule-set] Execution error - PCRE limits exceeded (-8)
>
> It looks like at one point in the past the regular expressions in the ruleset
> were edited to reduce their greed, which resulted in fewer recursive passes
> over the input. Might something like this be needed here, given recently
> added rules?
>
> From: Colin MacAllister<mailto:cmacallis...@probono.net>
> Sent: Wednesday, April 27, 2016 12:43 PM
> To: OWASP List<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>
> Subject: Execution error - PCRE limits exceeded (-8)
>
> I’ve found references to this via Google searches, and the accepted
> answer seems to be to increase the PCRE limits to 150000. This seems
> unwise, since the limits must be there for a reason. Still, I tried
> it, but it didn’t help. I’m receiving 19 errors of this type, all
> either concerning XSS or SQL injection, for one URI. The URI in
> question is in this form:
> /base.cfm?404;/admin/framework.com.page/area.27D92FDF-4048-6285-EDC3-78593415F962
> (which has been heavily edited so as to not give away the farm.)
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

--
mailto:christian.fol...@netnea.com
http://www.christian-folini.ch
twitter: @ChrFolini
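
The workaround described at the top of this thread (keep the PCRE limits at 1000 and take the XML-carrying field out of the rules that exhaust them) could be configured along these lines in ModSecurity 2.x. This is an added example, not configuration posted by anyone in the thread or shipped by the CRS project; the argument name `xml_payload` and the rule ids `999901`, `999902` and `999990` are placeholders to be replaced with the ids from your own "PCRE limits exceeded" log entries.

```apache
# Added illustration; not from the thread.
# ARGS:xml_payload and the 9999xx rule ids are placeholders.

# Keep the regex budgets low instead of raising them to 150000.
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

# ... the Core Rule Set files are included here ...

# These directives must come AFTER the rules they modify have been loaded.
# Remove only the one oversized field from only the rules that ran out of
# budget on it; every other argument is still inspected by those rules.
SecRuleUpdateTargetById 999901 "!ARGS:xml_payload"
SecRuleUpdateTargetById 999902 "!ARGS:xml_payload"

# A rule whose regex exceeds the limit does not match, and ModSecurity sets
# TX:MSC_PCRE_LIMITS_EXCEEDED. Log that condition explicitly so a request
# that slipped past a rule this way is visible in the audit trail.
# Placed after the CRS so it sees errors raised by the phase 2 rules above.
SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "@eq 1" \
    "id:999990,phase:2,t:none,pass,log,\
    msg:'PCRE limits exceeded: at least one rule did not fully evaluate this request'"
```

The excluded field is no longer inspected by the listed rules, so this only fits cases like the one described, where the field is reachable by trusted users alone.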