[Owasp-modsecurity-core-rule-set] Errors

Craig Lawson craig.lawson at secarma.co.uk
Mon Jul 21 07:01:52 UTC 2014


As long as you are sure you aren't actually under a DoS then have a look at the parameter "SecPcreMatchLimit" and "SecPcreMatchLimitRecursion", maybe look to increase these until the error goes away with normal traffic usage?

The default is 1500, I have seen it set as high as 250000 for both.

Craig


-----Original Message-----
From: owasp-modsecurity-core-rule-set-bounces at lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-bounces at lists.owasp.org] On Behalf Of Aniyan Rajan
Sent: 21 July 2014 06:32
To: owasp-modsecurity-core-rule-set at lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Errors

Anybody please help. What is this "Execution error - PCRE limits exceeded (-8): (null). " ?

I am getting this daily.

Thanks.

On 07/19/2014 06:49 PM, Aniyan Rajan wrote:
> Hello,
>
> I am getting the following errors in
> /var/log/apache2/modsec_audit.log. Please tell me how to fix this.
> Thanks.
>
>
> --1af2295a-A--
> [19/Jul/2014:12:51:12 +0000] U8ppwH8AAAEAABVXBoEAAAAB 61.3.165.175
> 38386 128.222.122.22 80
> --1af2295a-B--
> GET /wp-includes/css/buttons.min.css?ver=3.9.1 HTTP/1.1
> Host: www.my-domain.com
> User-Agent: Mozilla/5.0 (X11; Linux i686; rv:30.0) Gecko/20100101
> Firefox/30.0 Iceweasel/30.0
> Accept: text/css,*/*;q=0.1
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://www.my-domain.com/wp-login.php?loggedout=true
> Cookie: wp-settings-time-1=1404924481;
> wp-settings-1=libraryContent%3Dbrowse;
> wordpress_test_cookie=WP+Cookie+check
> DNT: 1
> Connection: keep-alive
> If-Modified-Since: Tue, 25 Mar 2014 21:23:14 GMT
> If-None-Match: "411db-15bb-4f574f5b2f480"
>
> --1af2295a-F--
> HTTP/1.1 304 Not Modified
> Last-Modified: Tue, 25 Mar 2014 21:23:14 GMT
> ETag: "411db-15bb-4f574f5b2f480"
> Accept-Ranges: bytes
> Content-Length: 0
> Vary: Accept-Encoding
> Keep-Alive: timeout=5, max=91
> Connection: Keep-Alive
> Content-Type: text/css
>
> --1af2295a-E--
>
> --1af2295a-H--
> Message: Rule 7f14c7110280 [id "950901"][file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inj
> ection_attacks.conf"][line "77"] - Execution error - PCRE limits
> exceeded (-8): (null).
> Message: Rule 7f14c7110280 [id "950901"][file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inj
> ection_attacks.conf"][line "77"] - Execution error - PCRE limits
> exceeded (-8): (null).
> Message: Rule 7f14c7110280 [id "950901"][file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inj
> ection_attacks.conf"][line "77"] - Execution error - PCRE limits
> exceeded (-8): (null).
> Message: Rule 7f14c7110280 [id "950901"][file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inj
> ection_attacks.conf"][line "77"] - Execution error - PCRE limits
> exceeded (-8): (null).
> Stopwatch: 1405774272625367 8289 (- - -)
> Stopwatch2: 1405774272625367 8289; combined=7685, p1=238, p2=7371,
> p3=1, p4=54, p5=21, sr=53, sw=0, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/);
> OWASP_CRS/2.2.5; OWASP_CRS/2.2.5.
> Server: Apache
>
> --1af2295a-Z--
>
> --1af2295a-A--
> [19/Jul/2014:12:51:12 +0000] U8ppwH8AAAEAABWEO4kAAAAF 61.3.165.175
> 38401 128.222.122.22 80
> --1af2295a-B--
> GET /wp-admin/css/login.min.css?ver=3.9.1 HTTP/1.1
> Host: www.my-domain.com
> User-Agent: Mozilla/5.0 (X11; Linux i686; rv:30.0) Gecko/20100101
> Firefox/30.0 Iceweasel/30.0
> Accept: text/css,*/*;q=0.1
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://www.my-domain.com/wp-login.php?loggedout=true
> Cookie: wp-settings-time-1=1404924481;
> wp-settings-1=libraryContent%3Dbrowse;
> wordpress_test_cookie=WP+Cookie+check
> DNT: 1
> Connection: keep-alive
> If-Modified-Since: Thu, 24 Apr 2014 22:05:16 GMT
> If-None-Match: "40f2c-47c8-4f7d10b42df00"
>
> --1af2295a-F--
> HTTP/1.1 304 Not Modified
> Last-Modified: Thu, 24 Apr 2014 22:05:16 GMT
> ETag: "40f2c-47c8-4f7d10b42df00"
> Accept-Ranges: bytes
> Content-Length: 0
> Vary: Accept-Encoding
> Keep-Alive: timeout=5, max=100
> Connection: Keep-Alive
> Content-Type: text/css
>
> --1af2295a-E--
>
> --1af2295a-H--
> Message: Rule 7f14c7110280 [id "950901"][file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inj
> ection_attacks.conf"][line "77"] - Execution error - PCRE limits
> exceeded (-8): (null).
> Message: Rule 7f14c7110280 [id "950901"][file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inj
> ection_attacks.conf"][line "77"] - Execution error - PCRE limits
> exceeded (-8): (null).
> Message: Rule 7f14c7110280 [id "950901"][file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inj
> ection_attacks.conf"][line "77"] - Execution error - PCRE limits
> exceeded (-8): (null).
> Message: Rule 7f14c7110280 [id "950901"][file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inj
> ection_attacks.conf"][line "77"] - Execution error - PCRE limits
> exceeded (-8): (null).
> Stopwatch: 1405774272887666 13250 (- - -)
> Stopwatch2: 1405774272887666 13250; combined=12096, p1=289, p2=11727,
> p3=2, p4=55, p5=23, sr=72, sw=0, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/);
> OWASP_CRS/2.2.5; OWASP_CRS/2.2.5.
> Server: Apache
>
> --1af2295a-Z--
>

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

________________________________

NOTICE AND DISCLAIMER
This e-mail (including any attachments) is intended for the above-named person(s). If you are not the intended recipient, notify the sender immediately, delete this email from your system and do not disclose or use for any purpose. We may monitor all incoming and outgoing emails in line with current legislation. We have taken steps to ensure that this email and attachments are free from any virus, but it remains your responsibility to ensure that viruses do not adversely affect you
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set


More information about the Owasp-modsecurity-core-rule-set mailing list