I cleaned 'em up a little so as not to give away the farm. Testing to see if these text conf files come through the listserv as attachments.
-----Original Message----- From: Christian Folini [mailto:christian.fol...@netnea.com] Sent: Friday, April 29, 2016 2:28 PM To: Colin MacAllister <cmacallis...@probono.net> Cc: Christian Folini <christian.fol...@netnea.com>; OWASP List <owasp-modsecurity-core-rule-set@lists.owasp.org> Subject: Re: [Owasp-modsecurity-core-rule-set] Execution error - PCRE limits exceeded (-8) Colin, Would you mind sharing your complete ModSec configuration and ruleset with us? Together with some payloads. This could be very interesting for testing purposes. And debugging that annoying limit problem. Ahoj, Christian On Fri, Apr 29, 2016 at 04:13:38PM +0000, Colin MacAllister wrote: > I played around some more with it and was able to get it to the point where > it was no longer giving me GUID_0.00 errors. I weeded out all rules on that > XML carrying field to avoid the PCRE limit problem (as well as obvious XSS > rules). And now everything is working, and I'm able to keep my recursion > limits to 1000. In this case it's okay, I believe, because the XML field is > only viewable by admins. So the problem wasn't really solved, but I can > proceed. > > -----Original Message----- > From: Christian Folini [mailto:christian.fol...@netnea.com] > Sent: Wednesday, April 27, 2016 11:47 PM > To: Colin MacAllister <cmacallis...@probono.net> > Cc: OWASP List <owasp-modsecurity-core-rule-set@lists.owasp.org> > Subject: Re: [Owasp-modsecurity-core-rule-set] Execution error - PCRE > limits exceeded (-8) > > Hi Colin, > > Yes, that was when the move from sourceforge to github was done. When I asked > Ryan for the old history files, I never got a reply. > > Ahoj, > > Christian > > On Wed, Apr 27, 2016 at 07:32:08PM +0000, Colin MacAllister wrote: > > >From the Changelog it looks like this kind of work was done for version > > >2.2.4. However, I don’t see that tag in Git – did this use to be in > > >SourceForge or someplace? > > > > Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for > > Windows 10 > > > > From: Chaim Sanders<mailto:csand...@trustwave.com> > > Sent: Wednesday, April 27, 2016 2:14 PM > > To: Colin MacAllister<mailto:cmacallis...@probono.net>; OWASP > > List<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org> > > Subject: RE: [Owasp-modsecurity-core-rule-set] Execution error - > > PCRE limits exceeded (-8) > > > > That isn’t a bad idea – Do you have a link to the old ticket/work? > > Additionally, we should very much consider this maybe for 3.1? > > > > Chaim Sanders > > Security Researcher > > Trustwave | SMART SECURITY ON DEMAND > > www.trustwave.com<http://www.trustwave.com/> > > > > From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org > > [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On > > Behalf Of Colin MacAllister > > Sent: Wednesday, April 27, 2016 12:49 PM > > To: OWASP List <owasp-modsecurity-core-rule-set@lists.owasp.org> > > Subject: Re: [Owasp-modsecurity-core-rule-set] Execution error - > > PCRE limits exceeded (-8) > > > > It looks like at one point in the past the regular expressions in the > > ruleset were edited to reduce their greed, which resulted in fewer > > recursive passes over the input. Might something like this be needed here, > > given recently added rules? > > > > Sent from > > Mail<http://scanmail.trustwave.com/?c=4062&d=k_qg14s7bHUZdVlLt3BdEb2 > > Rv > > mdZQNJ64vk1i3wVAA&s=5&u=https%3a%2f%2fgo%2emicrosoft%2ecom%2ffwlink% > > 2f > > %3fLinkId%3d550986> for Windows 10 > > > > From: Colin MacAllister<mailto:cmacallis...@probono.net> > > Sent: Wednesday, April 27, 2016 12:43 PM > > To: OWASP > > List<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org> > > Subject: Execution error - PCRE limits exceeded (-8) > > > > I’ve found references to this via Google searches, and the accepted > > answer seems to be to increase the PCRE limits to 150000. This seems > > unwise, since the limits must be there for a reason. Still, I tried > > it, but it didn’t help. I’m receiving 19 errors of this type, all > > either concerning XSS or SQL injection, for one URI. The URI in > > question is in this form: > > /base.cfm?404;/admin/framework.com.page/area.27D92FDF-4048-6285-EDC3 > > -7 > > 8593415F962 (which has been heavily edited so as to not give away > > the > > farm.) > > > > Sent from > > Mail<http://scanmail.trustwave.com/?c=4062&d=k_qg14s7bHUZdVlLt3BdEb2 > > Rv > > mdZQNJ64vk1i3wVAA&s=5&u=https%3a%2f%2fgo%2emicrosoft%2ecom%2ffwlink% > > 2f > > %3fLinkId%3d550986> for Windows 10 > > > > > > ________________________________ > > > > This transmission may contain information that is privileged, confidential, > > and/or exempt from disclosure under applicable law. If you are not the > > intended recipient, you are hereby notified that any disclosure, copying, > > distribution, or use of the information contained herein (including any > > reliance thereon) is strictly prohibited. If you received this transmission > > in error, please immediately contact the sender and destroy the material in > > its entirety, whether in electronic or hard copy format. > > > _______________________________________________ > > Owasp-modsecurity-core-rule-set mailing list > > Owasp-modsecurity-core-rule-set@lists.owasp.org > > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule > > -s > > et > > > -- > mailto:christian.fol...@netnea.com > http://www.christian-folini.ch > twitter: @ChrFolini > _______________________________________________ > Owasp-modsecurity-core-rule-set mailing list > Owasp-modsecurity-core-rule-set@lists.owasp.org > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
whitelist.conf
Description: whitelist.conf
whitelist_pre.conf
Description: whitelist_pre.conf
modsecurity_iis.conf
Description: modsecurity_iis.conf
modsecurity.conf
Description: modsecurity.conf
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
