modsecurity_crs_35_bad_robots.conf - Execution error - PCRE limits exceeded #155
Comments
less /etc/httpd/modsecurity.d/modsecurity.conf
Please paste in an audit log entry for this issue which contains the full inbound request data.
I'm having the same issues. Here is sanitized request data for a similar type of request, although it happens on other rules for me... top offenders are 981257, 981242, and 973302:
I am also having pretty much the same issue here... what was the outcome of this conversation?
Error Sample:
[error] 23625#0: [client p.r.s.t] ModSecurity: Rule 7f3c05866490 [id "981243"][file "/etc/nginx/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "HostName"] [uri "/AJAX/myfile.asp"] [unique_id "AcAcecAcAcAc8cAoAcACAcvS"]
nginx version: nginx/1.6.2
TLS SNI support enabled
2014/12/19 16:42:02 [notice] 539#0: ModSecurity for nginx (STABLE)/2.8.0 (http://www.modsecurity.org/) configured.
2014/12/19 16:42:02 [notice] 539#0: ModSecurity: LIBXML compiled version="2.7.8"
Any help would be much appreciated. Cheers,
Exact same issue using nginx, a bunch of reports like this:
The error appears to be in the last line of:
What completely fixed the issue for me was just cloning the latest version of modsecurity crs from this repository instead of just using the one from my package manager (which I honestly never should have used in the first place no matter how lazy I was feeling).
@735tesla, when I updated the base rules to the latest version (downloaded from owasp-git), apache2 failed to start. The error points to new line formats, for example the new line of -=[ SQL Tautologies ]=-, which changed from:
to:
Of course, a lot of other rules have been updated in the same way, I mean, including !REQUEST_COOKIES:/__utm/ and so on. Could you please tell me if you had this problem when you updated your rules? Maybe it is mandatory to update modsecurity to the latest version? Thanks
The PCRE match limits are here to prevent Regular Expression Denial of Service attacks. That is the CPU getting eaten up completely calculating evil regexes... Now the defaults are very low, which leads to false positives in the sense that rule execution on regular requests runs into the PCRE match limit failure as reported above several times. I have successfully configured productive servers with PCRE match limits of 500000 or even 1000000. This makes most, if not all, PCRE match limit failures go away and is still not a value that would allow an easy DDoS. However, let's make this clear: You need to monitor your server and then - in case of an attack - you may need to lower the match limit to save CPU power. An alternative is to improve the regular expressions to make them less prone to this sort of problem. This is an ongoing process and @csanders-git has made some progress with this. For now, I am closing this issue as a more sane PCRE match limit makes the problem go away. Please reopen if you still encounter this problem with benign requests and a PCRE match limit in the range of several hundred thousand.
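As an added example (not part of the original thread or of the CRS project), this Python script tallies "PCRE limits exceeded" log entries per rule and per URI, which supports the monitoring recommended above when the match limit is raised. The sample log lines are constructed, modelled on the entries quoted in this issue; the mapping of PCRE error code -8 to SecPcreMatchLimit and -21 to SecPcreMatchLimitRecursion follows PCRE's own error codes.

```python
import re
from collections import Counter

# ModSecurity 2.x error-log message as quoted in this thread (Apache and nginx).
PCRE_ERR = re.compile(
    r'\[id "(?P<id>[^"]*)"\]\s*\[file "(?P<file>[^"]*)"\]\s*\[line "(?P<line>\d+)"\]'
    r' - Execution error - PCRE limits exceeded \((?P<code>-?\d+)\)'
)
URI = re.compile(r'\[uri "(?P<uri>[^"]*)"\]')
# PCRE error code -> ModSecurity directive that controls the limit that was hit.
DIRECTIVE = {-8: "SecPcreMatchLimit", -21: "SecPcreMatchLimitRecursion"}

def tally_pcre_errors(lines):
    """Return (Counter keyed by (rule, directive), Counter keyed by URI)."""
    rules, uris = Counter(), Counter()
    for line in lines:
        m = PCRE_ERR.search(line)
        if not m:
            continue  # not a PCRE limit error
        # Rules without an id are logged as id "-"; key those by file:line.
        rule = m["id"] if m["id"] not in ("", "-") else (
            f'{m["file"].rsplit("/", 1)[-1]}:{m["line"]}')
        rules[(rule, DIRECTIVE.get(int(m["code"]), "unknown"))] += 1
        u = URI.search(line)
        uris[u["uri"] if u else "?"] += 1
    return rules, uris

# Constructed sample input (documentation IPs, placeholder unique_ids).
SAMPLE = '''\
[Mon Nov 04 15:49:43 2013] [error] [client 192.0.2.10] ModSecurity: Rule 0 [id "-"][file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_35_bad_robots.conf"][line "28"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "example.com"] [uri "/index.php"] [unique_id "CONSTRUCTED-1"]
2014/12/19 16:42:02 [error] 1#0: [client 192.0.2.11] ModSecurity: Rule 0 [id "981243"][file "/etc/nginx/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "example.com"] [uri "/AJAX/myfile.asp"] [unique_id "CONSTRUCTED-2"]
2014/12/19 16:42:05 [error] 1#0: [client 192.0.2.12] ModSecurity: Rule 0 [id "981243"][file "/etc/nginx/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "example.com"] [uri "/AJAX/myfile.asp"] [unique_id "CONSTRUCTED-3"]
2014/12/19 16:42:02 [notice] 539#0: ModSecurity for nginx (STABLE)/2.8.0 configured.
'''.splitlines()

if __name__ == "__main__":
    rules, uris = tally_pcre_errors(SAMPLE)
    for (rule, directive), n in rules.most_common():
        print(f"{n:5d}  rule {rule}  (limit: {directive})")
    for uri, n in uris.most_common():
        print(f"{n:5d}  uri {uri}")
```

A sudden rise in one URI's count after the limit has been raised is the signal to inspect those requests and, if needed, lower the limit again.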
[Mon Nov 04 15:49:43 2013] [error] [client 37.115.184.70] ModSecurity: Rule 7f18532e53f8 [id "-"][file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_35_bad_robots.conf"][line "28"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "example.com"] [uri "/index.php"] [unique_id "UneJ112qgHIAAAguT-EAAAAA"]
== OWASP ModSecurity Core Rule Set (CRS) CHANGES ==
== Report Bugs/Issues to GitHub Issues Tracker ==
== Version 2.2.8 - 06/30/2013 ==