[Modsecurity] SecRequestBodyInMemoryLimit does not respond on
changes and diff to find a rule based on regexp
Michael Shinn
mike at gotroot.com
Tue Aug 14 11:53:18 EDT 2007
Are you using the gotroot rules, or the breach core rules?
On Tue, 2007-08-14 at 16:01 +0200, Lezgin Bakircioglu wrote:
> I have difficulties to locate the rule that generates this
> false-positive (no "id" and did not get any hits by searching rule file
> for the pattern match) for my php application:
> [13/Aug/2007:20:45:58 +0200]
> [www.xxx.xxx/sid#691d20][rid#8f25f8][/xxxxxx.php][2] Warning. Pattern
> match "\\%(?!$|\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:xxxx.
>
>
> Another wierd problem i have is this false-positive that i get when i
> upload one specific file.
> [Fri Aug 10 21:56:32 2007] [error] [client 127.0.0.1] ModSecurity:
> Request body is larger than the configured limit (134217728). [hostname
> "www.xxxx.xxx"] [uri "/xxxxxx.php"] [unique_id "xY87X1hQBsUAACf7hcwAAAAA"]
>
> I have locate the problem to the variable "SecRequestBodyInMemoryLimit"
> that was set to 131072 (134217728/1024) but when i raise the value
> nothing happends (restarted apache2), even the same error with the same
> number with in (). Anybody that have had the same problem?
>
> I am using Mod security 2.1.1, apache 2 on Debian etch and core rules
> from mod security. Any help to get? I tried to solv this for 2 days now
> and i cant do anything more then ask for help because I'm out of ideas
> (or i may be blind)..
>
--
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com
More information about the Modsecurity
mailing list