Disabling rules If that doesn't resolve it then you can also disable the rule. This can lead to DoS. Obviously the more of these rules you turn off, the less you may be protected, but that doesn't mean you shouldn't turn off rules where appropriate. After a bunch of googling the only solutions seem to be a Add the following in your httpd. These rules can be disabled on a rule by rule basis.
It's a cluster of Apache nodes which we can scale up almost infinitely high so resource usage is not a prime concern right now. They are designed to reduce the risk using known signatures they can check with rules. I'm about to do that now. I messed about with my form and I eventually found that if I reduced the amount of data I was posting, the form submitted fine. In particular, I reduced the amount of text within a textarea. What could be the cause of this?
It's about the only config settings I've changed after updating ModSec binaries. Date: Fri, 12 Apr 2013 01:59:55 +0200 Package: modsecurity-crs Version: 2. The following rule groups and rules are available when using Application Gateway with web application firewall. Making the pattern repeat 100 times yields 22.
Please reopen issue if you have 500K as your limit and still get the error. For reference, here is the original Feature Request thread: Anyone have any other ideas? Versions of packages modsecurity-crs suggests: pn lua -- no debconf information Date: Fri, 12 Jul 2013 12:59:48 +0200 Hi, I just uploaded modsecurity-crs 2. Please do post back with your learnings if you find a solution.
I've recently enabled them and see similar matches in our logs. Part of installing ModSecurity is tuning and tweaking the ruleset: including turning off rules where appropriate. So in conclusion: solutions a and b are not working, and I prefer greatly not to do c. Try disabling any custom rulesets and then, one-at-a-time, enable only those rules that you require. For patterns that are not anchored, the count restarts from zero for each position in the subject string. It is possible to increase these such that these will not occur.
The current version can be obtained from. It seems rather that there's something wrong with the amount of data I am sending through. What security holes am I allowing through by setting these so high? I know I can fix this by setting rules such as: SecPcreMatchLimit 150000 SecPcreMatchLimitRecursion 150000 But, what are these rules actually doing? I'm a first timer to modsecurity, it's not exactly noob friendly! Watching this closely as I have exactly the same issue and your config looks similar to mine. The recursion depth is a smaller number than the total number of calls, because not all calls to match are recursive. Does anyone have any ideas on what is causing this issue and how to sort it? If you are using that software, then that might explain this. Only advice I have so far is to remove all the core rules and re-introduce them 1 by 1 to start narrowing the problem down.
Suggested fix other than disabling the rules or raising the pcre limit to some absurdly high value? Server: Apache --e89aa861-Z-- Increasing SecPcreMatchLimit, SecPcreMatchLimitRecursion, pcre. I already do remove some rules, it's just that I thought I should ask about a general advice here first. I have also set the pcre limits to 150000000 and 100000000000 and more, but to no avail. What steps do you recommend I do now? If both load simultaneously, only the last option will take effect.
I feel it's wrong for mod-security to then flag the request as malicious just because it blew up! I raised the two settings you mentioned from the default to 500,000 from the default of 1,500 as advised in this post, and it solved my problem. Either try setting the numbers very high (100k-1M to start), or disable (comment the lines out) and restart Apache. You can go to 500K usually without harming your set. This article contains the current rules and rulesets offered.
Could you check if this bug is still present with that version? I know there is documentation, but the documentation doesn't actually tell me what is going on, it simply tells me how to work with the directives. Sending special characters in cookies is rarely a security risk in itself, but may be an attempt to circumvent other rules e. Common attack string for MySQL, Oracle and others. Risk of disabling rules As to the risk of disabling the rule, well this rule protects against cookies with multiple special characters. The logs seem to point at some kind of rules to do with regular expression limits, but since changing my post receiving script to just print out the word test I'm not doing anything with them. Though I have tried upping the limits through SecPcreMatchLimit and SecPcreMatchLimitRecursion. For example, using a simple 'aaaaaaaaaaaaaaaaaab' style pattern in a parameter payload repeated 50 times makes a request go from 0. I run with 500K in prod usually: SecPcreMatchLimit 500000 SecPcreMatchLimitRecursion 500000 Closing this.
Message: Access denied with code 403 phase 2. The latest rule set is here: The only difference I can see between 2. Even submitting to this simple page was kicking up a 403 error. I have a classic ModSecurity configuration apt-get.