SecPcreMatchLimit and SecPcreMatchLimitRecursion not follwed in modsecurity.conf

[ghost]

I compiled ModSecurity v2.9.0 with no options (ie ./configure) and found that later I was having PCRE match issues, so I increased the values in modsecurity.conf (httpd/conf.d/ folder) and found that it was have 0 effect. After troubleshooting for a few hours, I recompiled with higher values and that resolved the issue (ie ./configure --enable-pcre-match-limit=200000 --enable-pcre-match-limit-recursion=200000).

So the bug is that the conf file options dont work.

[bostrt]

@BP9906 It looks like you will need to build with the PCRE_EXTRA_MATCH_LIMIT and PCRE_EXTRA_MATCH_LIMIT_RECURSION macro:

https://github.com/SpiderLabs/ModSecurity/blob/v2/master/apache2/msc_pcre.c#L89-L96
https://github.com/SpiderLabs/ModSecurity/blob/v2/master/apache2/msc_pcre.c#L108-L115

[surnamedd]

The values in modsecurity.conf is part of the RegEx DoS rule, like:
SecPcreMatchLimit 10000
SecPcreMatchLimitRecursion 10000
SecRule TX:/^MSC_/ "!@Streq 0"
"id:'200004',phase:2,t:none,deny,msg:'ModSecurity internal error flagged:
%{MATCHED_VAR_NAME}'"

[zimmerle]

Keep in mind that Apache/PCRE will honor the last module that set those limits, as the process share the same configurations.