Rule 941120 Processing time is too long #1665
Comments
Hi @sunskyyao, thanks for the report. Could you tell us your ModSecurity version exactly? There isn't any release with version 3.2. If your HTTP server is Nginx, then it could be libmodsecurity3 with version 3.0.[01234], or mod_security2. Also we need the variables from your modsecurity config with these names: Thanks.
Test environment:
test web:
modsecurity.conf
root@liangay-virtual-machine:/usr/local/nginx/conf# grep -w "(SecRequestBodyLimit|SecRequestBodyNoFilesLimit)" modsecurity.conf
gdb trace thread
It is suspected that the regular expression of this rule caused pcre processing to time out. The problem may be PCRE or the rule.
Hi @sunskyyao, thanks for more details. The issue is still under investigation, please be patient.
We talked about this a great deal during (or rather after) our monthly chat. @dune73 (thus me) came up with a simpler variant of this rule that should kill the performance / DoS problems and still match the same payloads.
@airween is going to test this and provide a PR if it works. If not, we need to continue our discussion. Meeting minutes: #1671 (comment)
@airween: Do you have any update on your test with this rule?
With @theMiddleBlue we're still working on this issue. Needs more time to finish.
Decrease processing time of rules, fixes SpiderLabs#1665 SpiderLabs#1708
SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_HEADERS:User-Agent|REQUEST_HEADERS:Referer|ARGS_NAMES|ARGS|XML:/* "@rx (?i)[\s\"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]+on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?=" \
    "id:941120,\
    phase:2,\
    block,\
    capture,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
    msg:'XSS Filter - Category 2: Event Handler Vector',\
    logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
    tag:'application-multi',\
    tag:'language-multi',\
    tag:'platform-multi',\
    tag:'attack-xss',\
    tag:'OWASP_CRS',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',\
    tag:'WASCTC/WASC-8',\
    tag:'WASCTC/WASC-22',\
    tag:'OWASP_TOP_10/A3',\
    tag:'OWASP_AppSensor/IE1',\
    tag:'CAPEC-242',\
    ctl:auditLogParts=+E,\
    ver:'OWASP_CRS/3.2.0',\
    severity:'CRITICAL',\
    setvar:'tx.xss_score=+%{tx.critical_anomaly_score}',\
    setvar:'tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}'"
Type of Issue
Rule processing takes longer
Description
Post more than 1M request body. The content of request body exceeds 1M, crs processing timeout. Rule id is 941120. Form data submit. The content of the file is submitted through the input box, not through the file.
1M.txt
Your Environment
nginx
CRS version (e.g. v3.2.0):
ModSecurity version (e.g. 3.2):
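The thread mentions a simpler variant of the rule that should still match the same payloads, without showing it. As an added example (not code from this issue or from the CRS project), the Python harness below checks a hypothetical candidate against the posted pattern. The candidate, the sample strings and the function names are assumptions; Python's `re` stands in for PCRE, and the rule's `t:` transformations are not applied.

```python
import itertools
import re

# Rule 941120's pattern as posted in this issue, split so both variants share text.
# Python's re stands in for PCRE here; re.ASCII keeps \s to ASCII whitespace.
LEAD = r"""[\s"'`;/0-9=\x0B\x09\x0C\x3B\x2C\x28\x3B]"""
TAIL = r"on[a-zA-Z]+[\s\x0B\x09\x0C\x3B\x2C\x28\x3B]*?="
ORIGINAL = re.compile(LEAD + "+" + TAIL, re.I | re.A)
# Hypothetical candidate (an assumption, not the variant from the meeting):
# drop the "+" on the leading class, so a failed attempt at a start offset
# stops after one character instead of consuming a whole run first.
CANDIDATE = re.compile(LEAD + TAIL, re.I | re.A)

# Constructed regression samples: event-handler attributes and benign form data.
SAMPLES = [
    "<img src=x onerror=alert(1)>",
    '<a href="/"onclick =go()>',
    "a=1 online=yes",          # both variants flag this form data
    "button=1",
    "conversation=on",
    "q=12  onload=x",
]

def verdict_mismatches(strings):
    """Strings on which the two patterns disagree about match / no match."""
    return [s for s in strings
            if bool(ORIGINAL.search(s)) != bool(CANDIDATE.search(s))]

def bounded_exhaustive(alphabet, max_len):
    """Compare verdicts on every string over `alphabet` up to `max_len` chars."""
    every = ("".join(t) for n in range(max_len + 1)
             for t in itertools.product(alphabet, repeat=n))
    return verdict_mismatches(every)

def captured(s):
    """What each pattern would put in TX.0 (None when there is no match)."""
    hits = (ORIGINAL.search(s), CANDIDATE.search(s))
    return tuple(m.group(0) if m else None for m in hits)

if __name__ == "__main__":
    print("sample mismatches:", verdict_mismatches(SAMPLES))
    print("exhaustive mismatches:", bounded_exhaustive(" 1ona=(", 6))
    print("TX.0 original vs candidate:", captured("q=12  onload=x"))
```

The two patterns agree on match or no match, but the captured text differs, so the `Matched Data: %{TX.0}` part of the log line would change with such a candidate.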