From 61ae1203ec64516529e2d31a1328bc8c835544c7 Mon Sep 17 00:00:00 2001 From: William Date: Mon, 22 Aug 2011 12:24:20 -0500 Subject: [PATCH] Actually limit recursion and backtracking and stack usage by PCRE. Logic was broken, no example was provided in suricata.yaml even though it could be set from there. --- src/detect-pcre.c | 15 +++++++++------ suricata.yaml | 5 +++++ 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/src/detect-pcre.c b/src/detect-pcre.c index 2c88b85..0cfbf73 100644 --- a/src/detect-pcre.c +++ b/src/detect-pcre.c @@ -67,7 +67,8 @@ #define DEFAULT_MATCH_LIMIT 10000000 #define DEFAULT_MATCH_LIMIT_RECURSION 10000000 -#define MATCH_LIMIT_DEFAULT 1500 +#define SC_MATCH_LIMIT_DEFAULT 1500 +#define SC_MATCH_LIMIT_RECURSION_DEFAULT 1500 static int pcre_match_limit = 0; static int pcre_match_limit_recursion = 0; @@ -119,20 +120,22 @@ void DetectPcreRegister (void) { intmax_t val = 0; if (!ConfGetInt("pcre.match-limit", &val)) { - pcre_match_limit = DEFAULT_MATCH_LIMIT; + pcre_match_limit = SC_MATCH_LIMIT_DEFAULT; } else { pcre_match_limit = val; } - + SCLogInfo("Using PCRE match-limit setting of: %i", pcre_match_limit); + val = 0; if (!ConfGetInt("pcre.match-limit-recursion", &val)) { - pcre_match_limit_recursion = DEFAULT_MATCH_LIMIT_RECURSION; + pcre_match_limit_recursion = SC_MATCH_LIMIT_RECURSION_DEFAULT; } else { pcre_match_limit_recursion = val; } + SCLogInfo("Using PCRE match-limit-recursion setting of: %i", pcre_match_limit_recursion); parse_regex = pcre_compile(PARSE_REGEX, opts, &eb, &eo, NULL); if(parse_regex == NULL) 
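Review bot: The old macros `DEFAULT_MATCH_LIMIT` and `DEFAULT_MATCH_LIMIT_RECURSION` (both 10000000) stay defined in the first src/detect-pcre.c hunk, right next to the new `SC_MATCH_LIMIT_DEFAULT` and `SC_MATCH_LIMIT_RECURSION_DEFAULT` (1500), and no visible line uses them after this patch. Two near-identical names whose values differ by several orders of magnitude make it easy to pick the wrong one later and quietly lift the backtracking cap. If nothing else in the file references them, drop them. The new defines also deserve a comment, e.g. `/* caps handed to pcre_extra: bound match() calls and recursion depth per pcre_exec() so a costly regex cannot stall detection */`.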
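Review bot: In DetectPcreRegister the configured value is stored without a range check: `pcre_match_limit = val;` narrows an `intmax_t` to `int`, so a zero, negative or oversized `pcre.match-limit` from suricata.yaml is accepted as-is or silently truncated. The same holds for `pcre_match_limit_recursion = val;`. Because these settings exist to bound backtracking and stack use, an out-of-range value should fall back to the default and be reported, e.g. `if (val <= 0 || val > INT_MAX) pcre_match_limit = SC_MATCH_LIMIT_DEFAULT; else pcre_match_limit = (int)val;` (needs `<limits.h>`). The function body starts and continues outside the hunk.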
@@ -913,10 +916,10 @@ DetectPcreData *DetectPcreParse (char *regexstr) } else { - pd->sd->match_limit = MATCH_LIMIT_DEFAULT; + pd->sd->match_limit = SC_MATCH_LIMIT_DEFAULT; pd->sd->flags |= PCRE_EXTRA_MATCH_LIMIT; #ifndef NO_PCRE_MATCH_RLIMIT - pd->sd->match_limit_recursion = MATCH_LIMIT_DEFAULT; + pd->sd->match_limit_recursion = SC_MATCH_LIMIT_RECURSION_DEFAULT; pd->sd->flags |= PCRE_EXTRA_MATCH_LIMIT_RECURSION; #endif /* NO_PCRE_MATCH_RLIMIT */ } diff --git a/suricata.yaml b/suricata.yaml index 957d1dc..89dc373 100644 --- a/suricata.yaml +++ b/suricata.yaml @@ -168,6 +168,11 @@ engine-analysis: # enables printing reports for fast-pattern for every rule. rules-fast-pattern: yes +#recursion and match limits for PCRE where supported +pcre: + match-limit: 3500 + match-limit-recursion: 1500 + # You can specify a threshold config file by setting "threshold-file" # to the path of the threshold config file: # threshold-file: /etc/suricata/threshold.config -- 1.7.0.4
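Review bot: This `else` branch in DetectPcreParse still installs the compile-time constants (`pd->sd->match_limit = SC_MATCH_LIMIT_DEFAULT;`) rather than the `pcre_match_limit` and `pcre_match_limit_recursion` values that DetectPcreRegister reads from the config. On this path the new suricata.yaml settings therefore appear to have no effect. The `if` side lies outside the hunk, so which rules reach which branch cannot be confirmed from here. If the YAML values are meant to be the global caps, use `pd->sd->match_limit = pcre_match_limit;` and `pd->sd->match_limit_recursion = pcre_match_limit_recursion;`. It is also worth checking how a limit-exceeded result is handled at match time, since treating it as a plain non-match would make a rule miss traffic silently under a cap this low.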
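Review bot: The sample sets `match-limit: 3500` while the built-in default added in src/detect-pcre.c is 1500, and the block ships uncommented. A deployment using this suricata.yaml therefore runs with a different cap than one with no `pcre:` section. Either align the two values or state in the comment which one is recommended and why. The comment could also say what the numbers mean, e.g. `# match-limit caps internal match() calls per pcre evaluation, match-limit-recursion caps recursion depth; lower values bound CPU/stack use but can stop complex rules from matching`.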