Ping a Specific Port

Question

user101130

Asked: 2012-07-17 11:36:54 +0800 CST2012-07-17 11:36:54 +0800 CST 2012-07-17 11:36:54 +0800 CST

What are PCRE limits?

772

In ModSecurity there are PCRE limits exceeded errors.

I know I can fix this by setting rules such as:

SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000

But, what are these rules actually doing? What does the PCRE limit recursion set to 150,000 mean? What security holes am I allowing through by setting these so high? What does the recursion and limit mean?

I know there is documentation, but the documentation doesn't actually tell me what is going on, it simply tells me how to work with the directives.

2 Answers

Voted

DerfK · Answer 1 · 2012-07-17T12:11:11+08:00

These appear to be settings internal to the PCRE engine in order to limit the maximum amount of memory/time spent on trying to match some text to a pattern. The pcreapi manpage does little to explain it in layman's terms:

The match_limit field provides a means of preventing PCRE from using up a vast amount of resources when running patterns that are not going to match, but which have a very large number of possibilities in their search trees. The classic example is the use of nested unlimited repeats.

Internally, PCRE uses a function called match() which it calls repeatedly (sometimes recursively). The limit set by match_limit is imposed on the number of times this function is called during a match, which has the effect of limiting the amount of backtracking that can take place. For patterns that are not anchored, the count restarts from zero for each position in the subject string.

The default value for the limit can be set when PCRE is built; the default default is 10 million, which handles all but the most extreme cases. You can override the default by suppling pcre_exec() with a pcre_extra block in which match_limit is set, and PCRE_EXTRA_MATCH_LIMIT is set in the flags field. If the limit is exceeded, pcre_exec() returns PCRE_ERROR_MATCHLIMIT.

The match_limit_recursion field is similar to match_limit, but instead of limiting the total number of times that match() is called, it limits the depth of recursion. The recursion depth is a smaller number than the total number of calls, because not all calls to match() are recursive. This limit is of use only if it is set smaller than match_limit.

Since the PCRE library built-in default is 10000000, my guess is that the lower setting is suggested for mod_security in order to prevent requests from being held up for a long time.

user648796 · Answer 2 · 2021-04-30T05:11:59+08:00

user648796

2021-04-30T05:11:59+08:002021-04-30T05:11:59+08:00

The values you see inside mod_security.conf are part of a RegEx DoS rule:

SecPcreMatchLimit 10000
SecPcreMatchLimitRecursion 10000
SecRule TX:/^MSC_/ "!@Streq 0"
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged:
%{MATCHED_VAR_NAME}'"

0

What are PCRE limits?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?