[Modsecurity] SecRequestBodyInMemoryLimit does not respond on changes and diff to find a rule based on regexp

[Michael Shinn]

Are you using the gotroot rules, or the breach core rules?

On Tue, 2007-08-14 at 16:01 +0200, Lezgin Bakircioglu wrote:
> I have difficulties to locate the rule that generates this 
> false-positive (no "id" and did not get any hits by searching rule file 
> for the pattern match) for my php application:
> [13/Aug/2007:20:45:58 +0200] 
> [www.xxx.xxx/sid#691d20][rid#8f25f8][/xxxxxx.php][2] Warning. Pattern 
> match "\\%(?!$|\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:xxxx.
> 
> 
> Another wierd problem i have is this false-positive that i get when i 
> upload one specific file.
> [Fri Aug 10 21:56:32 2007] [error] [client 127.0.0.1] ModSecurity: 
> Request body is larger than the configured limit (134217728). [hostname 
> "www.xxxx.xxx"] [uri "/xxxxxx.php"] [unique_id "xY87X1hQBsUAACf7hcwAAAAA"]
> 
> I have locate the problem to the variable "SecRequestBodyInMemoryLimit" 
> that was set to 131072 (134217728/1024) but when i raise the value 
> nothing happends (restarted apache2), even the same error with the same 
> number with in (). Anybody that have had the same problem?
> 
> I am using Mod security 2.1.1, apache 2 on Debian etch and core rules 
> from mod security. Any help to get? I tried to solv this for 2 days now 
> and i cant do anything more then ask for help because I'm out of ideas 
> (or i may be blind)..
> 
-- 
Michael T. Shinn                                    KeyID:0xDAE2EC86
Key Fingerprint:  1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
  
Got Root?  http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls:  http://troubleshootingfirewalls.com