ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. It has a robust event-based programming language which provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring, logging and real-time analysis.
Describe the bug

When there's a regular expression error due to SecPcreMatchLimit or SecPcreMatchLimitRecursion (i.e. MSC_PCRE_LIMITS_EXCEEDED), a rule using !@rx will say that the rule was triggered. However, failures with @rx will say that the rule was not triggered. I think both should assume the rule was not triggered. See https://github.com/coreruleset/coreruleset/issues/3640#issuecomment-2035841946 for additional context.

To Reproduce

See https://github.com/coreruleset/coreruleset/issues/3640#issuecomment-2037347642.

You can probably reproduce by setting SecPcreMatchLimit and SecPcreMatchLimitRecursion really low (maybe 5) and adding a !@rx rule.

Expected behavior

I would expect !@rx to not trigger a rule if there's a MSC_PCRE_LIMITS_EXCEEDED error.

Server (please complete the following information):

Rule Set (please complete the following information):
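A minimal configuration for the reproduction sketched in "To Reproduce", written here as an added example: it is not from the issue and not part of the ModSecurity project. It assumes ModSecurity v2 (Apache module) directive syntax and the TX:MSC_PCRE_LIMITS_EXCEEDED flag the engine sets when a PCRE limit is hit; the limit value 5, the rule ids 900010-900012 and the ARGS:name target are chosen for the demonstration only. The third rule is the defender's check: it surfaces the engine error so a log entry from the first two rules can be told apart from a genuine match or non-match.

```apache
# Added example (not from the issue or the ModSecurity project).
# Assumes ModSecurity v2 syntax; rule ids 900010-900012 are arbitrary.
SecRuleEngine On
SecRequestBodyAccess On

# Deliberately tiny PCRE limits so that evaluating a pattern is likely
# to fail with MSC_PCRE_LIMITS_EXCEEDED instead of returning a result.
SecPcreMatchLimit 5
SecPcreMatchLimitRecursion 5

# Rule A: negated rx. If the engine treats the PCRE error as "no match",
# negation turns that into "match" and this rule fires although the
# pattern was never actually evaluated against the input.
SecRule ARGS:name "!@rx ^[a-z]+$" \
    "id:900010,phase:2,t:none,log,pass,msg:'A: !@rx fired on ARGS:name'"

# Rule B: plain rx on the same target and pattern. Under the same PCRE
# error this rule stays silent, even for input the pattern would match.
SecRule ARGS:name "@rx ^[a-z]+$" \
    "id:900011,phase:2,t:none,log,pass,msg:'B: @rx fired on ARGS:name'"

# Rule C: make the engine error itself visible. Same idea as the TX:/^MSC_/
# check shipped in modsecurity.conf-recommended, narrowed to this flag.
SecRule TX:MSC_PCRE_LIMITS_EXCEEDED "@eq 1" \
    "id:900012,phase:2,t:none,log,pass,msg:'PCRE limits exceeded while evaluating ARGS:name'"
```

Load this in a test instance, send a request carrying an ARGS:name value, and read the error or audit log: a request on which rule C logs is one where rules A and B both ran into the PCRE limit, so any entry from A on that request reflects the negation of an error rather than a real non-match, and the absence of an entry from B says nothing about whether the value matched. Leaving the limits at their defaults and removing rules A and B, rule C on its own is a reasonable permanent check for spotting requests on which regex-based rules could not be trusted.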