[Owasp-modsecurity-core-rule-set] Errors

Ryan Barnett RBarnett at trustwave.com
Mon Jul 21 16:24:58 UTC 2014


I would also suggest you update your OWASP CRS.  Current version is
2.2.9 and you are running 2.2.5.  We improved regexes to try and limit
their greediness and triggering those messages.

Ryan Barnett
Senior Lead Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>




On 7/21/14 1:32 AM, "Aniyan Rajan" <aniyan.rajan6 at gmail.com> wrote:

>Anybody please help. What is this "Execution error - PCRE limits
>exceeded (-8): (null). " ?
>
>I am getting this daily.
>
>Thanks.
>
>On 07/19/2014 06:49 PM, Aniyan Rajan wrote:
>> Hello,
>>
>> I am getting the following errors in
>> /var/log/apache2/modsec_audit.log. Please tell me how to fix this.
>> Thanks.
>>
>>
>> --1af2295a-A--
>> [19/Jul/2014:12:51:12 +0000] U8ppwH8AAAEAABVXBoEAAAAB 61.3.165.175
>> 38386 128.222.122.22 80
>> --1af2295a-B--
>> GET /wp-includes/css/buttons.min.css?ver=3.9.1 HTTP/1.1
>> Host: www.my-domain.com
>> User-Agent: Mozilla/5.0 (X11; Linux i686; rv:30.0) Gecko/20100101
>> Firefox/30.0 Iceweasel/30.0
>> Accept: text/css,*/*;q=0.1
>> Accept-Language: en-US,en;q=0.5
>> Accept-Encoding: gzip, deflate
>> Referer: http://www.my-domain.com/wp-login.php?loggedout=true
>> Cookie: wp-settings-time-1=1404924481;
>> wp-settings-1=libraryContent%3Dbrowse;
>> wordpress_test_cookie=WP+Cookie+check
>> DNT: 1
>> Connection: keep-alive
>> If-Modified-Since: Tue, 25 Mar 2014 21:23:14 GMT
>> If-None-Match: "411db-15bb-4f574f5b2f480"
>>
>> --1af2295a-F--
>> HTTP/1.1 304 Not Modified
>> Last-Modified: Tue, 25 Mar 2014 21:23:14 GMT
>> ETag: "411db-15bb-4f574f5b2f480"
>> Accept-Ranges: bytes
>> Content-Length: 0
>> Vary: Accept-Encoding
>> Keep-Alive: timeout=5, max=91
>> Connection: Keep-Alive
>> Content-Type: text/css
>>
>> --1af2295a-E--
>>
>> --1af2295a-H--
>> Message: Rule 7f14c7110280 [id "950901"][file
>>
>>"/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inject
>>ion_attacks.conf"][line
>> "77"] - Execution error - PCRE limits exceeded (-8): (null).
>> Message: Rule 7f14c7110280 [id "950901"][file
>>
>>"/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inject
>>ion_attacks.conf"][line
>> "77"] - Execution error - PCRE limits exceeded (-8): (null).
>> Message: Rule 7f14c7110280 [id "950901"][file
>>
>>"/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inject
>>ion_attacks.conf"][line
>> "77"] - Execution error - PCRE limits exceeded (-8): (null).
>> Message: Rule 7f14c7110280 [id "950901"][file
>>
>>"/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inject
>>ion_attacks.conf"][line
>> "77"] - Execution error - PCRE limits exceeded (-8): (null).
>> Stopwatch: 1405774272625367 8289 (- - -)
>> Stopwatch2: 1405774272625367 8289; combined=7685, p1=238, p2=7371,
>> p3=1, p4=54, p5=21, sr=53, sw=0, l=0, gc=0
>> Response-Body-Transformed: Dechunked
>> Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/);
>> OWASP_CRS/2.2.5; OWASP_CRS/2.2.5.
>> Server: Apache
>>
>> --1af2295a-Z--
>>
>> --1af2295a-A--
>> [19/Jul/2014:12:51:12 +0000] U8ppwH8AAAEAABWEO4kAAAAF 61.3.165.175
>> 38401 128.222.122.22 80
>> --1af2295a-B--
>> GET /wp-admin/css/login.min.css?ver=3.9.1 HTTP/1.1
>> Host: www.my-domain.com
>> User-Agent: Mozilla/5.0 (X11; Linux i686; rv:30.0) Gecko/20100101
>> Firefox/30.0 Iceweasel/30.0
>> Accept: text/css,*/*;q=0.1
>> Accept-Language: en-US,en;q=0.5
>> Accept-Encoding: gzip, deflate
>> Referer: http://www.my-domain.com/wp-login.php?loggedout=true
>> Cookie: wp-settings-time-1=1404924481;
>> wp-settings-1=libraryContent%3Dbrowse;
>> wordpress_test_cookie=WP+Cookie+check
>> DNT: 1
>> Connection: keep-alive
>> If-Modified-Since: Thu, 24 Apr 2014 22:05:16 GMT
>> If-None-Match: "40f2c-47c8-4f7d10b42df00"
>>
>> --1af2295a-F--
>> HTTP/1.1 304 Not Modified
>> Last-Modified: Thu, 24 Apr 2014 22:05:16 GMT
>> ETag: "40f2c-47c8-4f7d10b42df00"
>> Accept-Ranges: bytes
>> Content-Length: 0
>> Vary: Accept-Encoding
>> Keep-Alive: timeout=5, max=100
>> Connection: Keep-Alive
>> Content-Type: text/css
>>
>> --1af2295a-E--
>>
>> --1af2295a-H--
>> Message: Rule 7f14c7110280 [id "950901"][file
>>
>>"/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inject
>>ion_attacks.conf"][line
>> "77"] - Execution error - PCRE limits exceeded (-8): (null).
>> Message: Rule 7f14c7110280 [id "950901"][file
>>
>>"/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inject
>>ion_attacks.conf"][line
>> "77"] - Execution error - PCRE limits exceeded (-8): (null).
>> Message: Rule 7f14c7110280 [id "950901"][file
>>
>>"/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inject
>>ion_attacks.conf"][line
>> "77"] - Execution error - PCRE limits exceeded (-8): (null).
>> Message: Rule 7f14c7110280 [id "950901"][file
>>
>>"/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inject
>>ion_attacks.conf"][line
>> "77"] - Execution error - PCRE limits exceeded (-8): (null).
>> Stopwatch: 1405774272887666 13250 (- - -)
>> Stopwatch2: 1405774272887666 13250; combined=12096, p1=289, p2=11727,
>> p3=2, p4=55, p5=23, sr=72, sw=0, l=0, gc=0
>> Response-Body-Transformed: Dechunked
>> Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/);
>> OWASP_CRS/2.2.5; OWASP_CRS/2.2.5.
>> Server: Apache
>>
>> --1af2295a-Z--
>>
>
>_______________________________________________
>Owasp-modsecurity-core-rule-set mailing list
>Owasp-modsecurity-core-rule-set at lists.owasp.org
>https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
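
To see which rules and which CRS version produce these entries, the audit log can be tallied as below. This is an added example, not code from the thread or from the ModSecurity project; the function names are illustrative, the sample log is constructed from the quoted entries with placeholder addresses, and it assumes the serial audit-log layout shown above with each `Message:` on one line. Code -8 is libpcre's PCRE_ERROR_MATCHLIMIT.

```python
import re
from collections import Counter

BOUNDARY = re.compile(r"^--[0-9a-f]{8}-([A-Z])--$")
PCRE_ERR = re.compile(r'^Message: Rule \S+ \[id "(\d+)"\]\[file\s+"([^"]+)"\]\[line\s+"(\d+)"\]'
                      r" - Execution error - PCRE limits exceeded \((-?\d+)\)")
CRS_VER = re.compile(r"OWASP_CRS/(\d+(?:\.\d+)*)")
# libpcre return codes behind the "PCRE limits exceeded" message
PCRE_CODES = {-8: "PCRE_ERROR_MATCHLIMIT", -21: "PCRE_ERROR_RECURSIONLIMIT"}

def transactions(text):
    """Yield {part letter: [lines]} for each A..Z transaction of a serial audit log."""
    tx, part = {}, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m and m.group(1) == "Z":      # end of transaction
            yield tx
            tx, part = {}, None
        elif m:                          # start of a new part (A, B, F, H, ...)
            part = m.group(1)
            tx.setdefault(part, [])
        elif part:
            tx[part].append(line)

def pcre_limit_report(text):
    """Count PCRE-limit errors per (rule id, rules file, PCRE code, CRS version)."""
    hits = Counter()
    for tx in transactions(text):
        trailer = tx.get("H", [])
        ver = next((v.group(1) for v in map(CRS_VER.search, trailer) if v), "unknown")
        for m in filter(None, map(PCRE_ERR.match, trailer)):
            rule_id, path, _line, code = m.groups()
            name = PCRE_CODES.get(int(code), code)
            hits[(rule_id, path.rsplit("/", 1)[-1], name, ver)] += 1
    return hits

# Constructed sample modelled on the quoted entries; addresses, unique id and host are placeholders.
MSG = ('Message: Rule 7f14c7110280 [id "950901"][file "/usr/share/modsecurity-crs/activated_rules/'
       'modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - '
       "PCRE limits exceeded (-8): (null).")
def sample_tx(uri, n_errors):
    return ["--1af2295a-A--", "[19/Jul/2014:12:51:12 +0000] SAMPLEID 192.0.2.10 38386 192.0.2.20 80",
            "--1af2295a-B--", f"GET {uri} HTTP/1.1", "Host: www.example.com", "",
            "--1af2295a-H--", *[MSG] * n_errors,
            "Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/); OWASP_CRS/2.2.5.",
            "Server: Apache", "", "--1af2295a-Z--", ""]
SAMPLE = "\n".join(sample_tx("/wp-includes/css/buttons.min.css?ver=3.9.1", 4)
                   + sample_tx("/wp-admin/css/login.min.css?ver=3.9.1", 4))
if __name__ == "__main__":
    print(pcre_limit_report(SAMPLE).most_common())
```

Running the same tally before and after a CRS upgrade shows whether the count for a given rule id actually drops.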

