Came through just fine. Thank you very much.

Christian

On Fri, Apr 29, 2016 at 06:53:58PM +0000, Colin MacAllister wrote:
> I cleaned 'em up a little so as not to give away the farm.
> 
> Testing to see if these text conf files come through the listserv as 
> attachments.
> 
> -----Original Message-----
> From: Christian Folini [mailto:christian.fol...@netnea.com] 
> Sent: Friday, April 29, 2016 2:28 PM
> To: Colin MacAllister <cmacallis...@probono.net>
> Cc: Christian Folini <christian.fol...@netnea.com>; OWASP List 
> <owasp-modsecurity-core-rule-set@lists.owasp.org>
> Subject: Re: [Owasp-modsecurity-core-rule-set] Execution error - PCRE limits 
> exceeded (-8)
> 
> Colin,
> 
> Would you mind sharing your complete ModSec configuration and ruleset with 
> us? Together with some payloads. This could be very interesting for testing 
> purposes. And debugging that annoying limit problem.
> 
> Ahoj,
> 
> Christian
> 
> On Fri, Apr 29, 2016 at 04:13:38PM +0000, Colin MacAllister wrote:
> > I played around some more with it and was able to get it to the point where 
> > it was no longer giving me GUID_0.00 errors. I weeded out all rules on that 
> > XML carrying field to avoid the PCRE limit problem (as well as obvious XSS 
> > rules). And now everything is working, and I'm able to keep my recursion 
> > limits to 1000. In this case it's okay, I believe, because the XML field is 
> > only viewable by admins. So the problem wasn't really solved, but I can 
> > proceed.
> > 
> > -----Original Message-----
> > From: Christian Folini [mailto:christian.fol...@netnea.com]
> > Sent: Wednesday, April 27, 2016 11:47 PM
> > To: Colin MacAllister <cmacallis...@probono.net>
> > Cc: OWASP List <owasp-modsecurity-core-rule-set@lists.owasp.org>
> > Subject: Re: [Owasp-modsecurity-core-rule-set] Execution error - PCRE 
> > limits exceeded (-8)
> > 
> > Hi Colin,
> > 
> > Yes, that was when the move from sourceforge to github was done. When I 
> > asked Ryan for the old history files, I never got a reply.
> > 
> > Ahoj,
> > 
> > Christian
> > 
> > On Wed, Apr 27, 2016 at 07:32:08PM +0000, Colin MacAllister wrote:
> > > > From the Changelog it looks like this kind of work was done for version 
> > > > 2.2.4. However, I don’t see that tag in Git – did this use to be in 
> > > > SourceForge or someplace?
> > > 
> > > From: Chaim Sanders<mailto:csand...@trustwave.com>
> > > Sent: Wednesday, April 27, 2016 2:14 PM
> > > To: Colin MacAllister<mailto:cmacallis...@probono.net>; OWASP 
> > > List<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>
> > > Subject: RE: [Owasp-modsecurity-core-rule-set] Execution error - 
> > > PCRE limits exceeded (-8)
> > > 
> > > That isn’t a bad idea – Do you have a link to the old ticket/work? 
> > > Additionally, we should very much consider this maybe for 3.1?
> > > 
> > > Chaim Sanders
> > > Security Researcher
> > > Trustwave | SMART SECURITY ON DEMAND 
> > > www.trustwave.com<http://www.trustwave.com/>
> > > 
> > > From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org
> > > [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On 
> > > Behalf Of Colin MacAllister
> > > Sent: Wednesday, April 27, 2016 12:49 PM
> > > To: OWASP List <owasp-modsecurity-core-rule-set@lists.owasp.org>
> > > Subject: Re: [Owasp-modsecurity-core-rule-set] Execution error - 
> > > PCRE limits exceeded (-8)
> > > 
> > > It looks like at one point in the past the regular expressions in the 
> > > ruleset were edited to reduce their greed, which resulted in fewer 
> > > recursive passes over the input. Might something like this be needed 
> > > here, given recently added rules?
> > > 
> > > From: Colin MacAllister<mailto:cmacallis...@probono.net>
> > > Sent: Wednesday, April 27, 2016 12:43 PM
> > > To: OWASP 
> > > List<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>
> > > Subject: Execution error - PCRE limits exceeded (-8)
> > > 
> > > I’ve found references to this via Google searches, and the accepted 
> > > answer seems to be to increase the PCRE limits to 150000. This seems 
> > > unwise, since the limits must be there for a reason. Still, I tried 
> > > it, but it didn’t help. I’m receiving 19 errors of this type, all 
> > > either concerning XSS or SQL injection, for one URI. The URI in 
> > > question is in this form:
> > > > /base.cfm?404;/admin/framework.com.page/area.27D92FDF-4048-6285-EDC3-78593415F962
> > > > (which has been heavily edited so as to not give away the farm.)
> > > 
> > 
> > > _______________________________________________
> > > Owasp-modsecurity-core-rule-set mailing list 
> > > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > > > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> > 
> > 
> > --
> > mailto:christian.fol...@netnea.com
> > http://www.christian-folini.ch
> > twitter: @ChrFolini





_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
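
Added example, not part of the original thread and not code from ModSecurity or the CRS: a toy backtracking matcher in Python that charges every internal match call against a budget, the way the PCRE match limit behind error -8 does. It compares a pattern built on `.*` with one whose repeats are narrowed to negated classes (the reduced greed mentioned in the thread) at the 1000 and 150000 limits quoted there; the patterns and the XML field are constructed for illustration.

```python
class LimitExceeded(Exception):
    """Raised when the match-call budget is used up (PCRE returns -8 here)."""

def lit(c):
    return (lambda ch: ch == c, "1")      # exactly one literal character

def star(pred):
    return (pred, "*")                    # greedy zero-or-more

def any_char(ch):
    return True                           # models '.'

def not_char(c):
    return lambda ch: ch != c             # models '[^c]'

def _match(tokens, text, ti, pos, budget):
    budget[0] -= 1                        # one unit per internal match call
    if budget[0] < 0:
        raise LimitExceeded
    if ti == len(tokens):
        return True
    pred, quant = tokens[ti]
    if quant == "1":
        return (pos < len(text) and pred(text[pos])
                and _match(tokens, text, ti + 1, pos + 1, budget))
    end = pos
    while end < len(text) and pred(text[end]):
        end += 1
    # Greedy: take the longest run first, then give characters back one by one.
    return any(_match(tokens, text, ti + 1, p, budget)
               for p in range(end, pos - 1, -1))

def run(tokens, text, limit):
    """Unanchored search. Returns (outcome, match calls used)."""
    budget = [limit]
    first = tokens[0][0]                  # assumes the pattern starts with a literal
    try:
        hit = any(_match(tokens, text, 0, s, budget)
                  for s, ch in enumerate(text) if first(ch))
    except LimitExceeded:
        return "limit", limit
    return ("match" if hit else "no-match"), limit - budget[0]

# Constructed input: an XML-carrying field with 20 elements and no '!' anywhere.
XML = "<page>" + '<item id="1">text</item>' * 20 + "</page>"
# Models <.*=.*>.*!  versus  <[^>]*=[^>]*>[^<]*!
GREEDY = [lit("<"), star(any_char), lit("="), star(any_char), lit(">"),
          star(any_char), lit("!")]
TIGHT = [lit("<"), star(not_char(">")), lit("="), star(not_char(">")), lit(">"),
         star(not_char("<")), lit("!")]

if __name__ == "__main__":
    for name, pattern in (("greedy", GREEDY), ("tight", TIGHT)):
        for limit in (1000, 150000):
            print(name, limit, run(pattern, XML, limit))
```

On this input the `.*` pattern runs out of budget at both limits, while the narrowed pattern reports a clean non-match well inside 1000 calls.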
