From b5392b2f7fb9054d8cfacf52fdd5327ffc609c64 Mon Sep 17 00:00:00 2001
From: b1v1r <b1v1r@9017d574-64ec-4062-9424-5e00b32a252b>
Date: Thu, 11 Feb 2010 17:44:10 +0000
Subject: [PATCH] Added more documentation for pcre limits.

---
 doc/modsecurity2-apache-reference.xml | 51 +++++++++++++++++++++------
 1 file changed, 40 insertions(+), 11 deletions(-)

diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml
index a5e3b047..f3ba970f 100644
--- a/doc/modsecurity2-apache-reference.xml
+++ b/doc/modsecurity2-apache-reference.xml
@@ -1484,12 +1484,27 @@ SecMarker 99</emphasis></programlisting></para>
       <para><emphasis>Version:</emphasis> 2.5.12</para>
 
       <para><emphasis>Dependencies/Notes:</emphasis> Default is set at compile
-      (1500 by default)</para>
+      (1500 by default). See also
+      <literal>SecPcreMatchLimitRecursion</literal></para>
 
-      <para>The <literal>--enable-pcre-match-limit=val</literal> configure
-      option will set a custom default and the
-      <literal>--disable-pcre-match-limit</literal> option will resort to the
-      compiled PCRE library default.</para>
+      <para>If the limits are exceeded this will be logged at level 3 in the
+      debug log, added as a Message line in the audit log and the <literal
+      moreinfo="none">TX:MSC_PCRE_LIMITS_EXCEEDED</literal> flag will be set
+      to a non-zero value. To prevent bypass, you should write a rule to check
+      for the existance of the <literal
+      moreinfo="none">TX:MSC_PCRE_LIMITS_EXCEEDED</literal> flag.</para>
+
+      <programlisting>SecPcreMatchLimit 100
+SecPcreMatchLimitRecursion 100
+  ...
+SecRule TX:/^MSC_/ "!@eq 0" "phase:5,pass,log,auditlog,msg:'Potential REDoS'"</programlisting>
+
+      <note>
+        <para>The <literal>--enable-pcre-match-limit=val</literal> configure
+        option will set a custom default and the
+        <literal>--disable-pcre-match-limit</literal> option will resort to
+        the compiled PCRE library default.</para>
+      </note>
     </section>
 
     <section>
@@ -1512,12 +1527,26 @@ SecMarker 99</emphasis></programlisting></para>
       <para><emphasis>Version:</emphasis> 2.5.12</para>
 
       <para><emphasis>Dependencies/Notes:</emphasis> Default is set at compile
-      (1500 by default)</para>
+      (1500 by default). See also <literal>SecPcreMatchLimit</literal></para>
 
-      <para>The <literal>--enable-pcre-match-limit-recursion=val</literal>
-      configure option will set a custom default and the
-      <literal>--disable-pcre-match-limit-recursion</literal> option will
-      resort to the compiled PCRE library default.</para>
+      <para>If the limits are exceeded this will be logged at level 3 in the
+      debug log, added as a Message line in the audit log and the <literal
+      moreinfo="none">TX:MSC_PCRE_LIMITS_EXCEEDED</literal> flag will be set
+      to a non-zero value. To prevent bypass, you should write a rule to check
+      for the existance of the <literal
+      moreinfo="none">TX:MSC_PCRE_LIMITS_EXCEEDED</literal> flag.</para>
+
+      <programlisting>SecPcreMatchLimit 100
+SecPcreMatchLimitRecursion 100
+  ...
+SecRule TX:/^MSC_/ "!@eq 0" "phase:5,pass,log,auditlog,msg:'Potential REDoS'"</programlisting>
+
+      <note>
+        <para>The <literal>--enable-pcre-match-limit-recursion=val</literal>
+        configure option will set a custom default and the
+        <literal>--disable-pcre-match-limit-recursion</literal> option will
+        resort to the compiled PCRE library default.</para>
+      </note>
     </section>
 
     <section>
@@ -3930,7 +3959,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}</programlisting>
         </listitem>
 
         <listitem>
-          <para><literal moreinfo="none">TX:MSC_.*</literal> - ModSecurity
+          <para><literal moreinfo="none">TX:MSC_*</literal> - ModSecurity
           processing flags.</para>
 
           <itemizedlist>