mod_security - PCRE limits exceeded

apache-2.2 pcre mod-security

Just about on every request I am getting the following error:

Rule execution error - PCRE limits exceeded (-8): (null).

After a bunch of googling the only solutions seem to be

a) Add the following in your httpd.conf

SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000

b) Add the following to your php.ini

pcre.backtrack_limit = 10000000
pcre.recursion_limit = 10000000

c) Use a version that was compiled with -disable-pcre-match-limit option.

I am running the following:

ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).

Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze8 with Suhosin-Patch mod_ssl/2.2.16 OpenSSL/0.9.8

For ModSec my rules, I am using the OWASP ModSecurity Core Rule Set Project version (CRS) version 2.2.3 which is the newest as of this posting.

My httpd.conf consists of essentially:

<IfModule security2_module>
    SecUploadDir /var/asl/data/suspicious
    SecDataDir /var/asl/data/msa
    SecTmpDir /tmp
    SecAuditLogStorageDir /var/asl/data/audit

    Include modsecurity.d/modsecurity_crs_10_config.conf
    Include modsecurity.d/activated_rules/*.conf

    SecRuleEngine On

    # Debug log
    SecDebugLog /var/log/apache2/modsec_debug.log
    SecDebugLogLevel 3

    # Serial audit log
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus ^5
    SecAuditLogParts ABIFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log

    SecPcreMatchLimit 150000
    SecPcreMatchLimitRecursion 150000

</IfModule>


<IfModule mod_php5.c>
    php_admin_flag pcre.backtrack_limit 10000000
    php_admin_flag pcre.recursion_limit 10000000
</IfModule>

Of which inside my modsecurity.d directory is just all the default rules CRS has in their install file. I have also set the pcre limits to 150000000 and 100000000000 and more, but to no available.

So in conclusion:

solutions a and b are not working, and I prefer greatly not to do c...as I don't really understand/like compiling.

Anyone have any other ideas?


Holy recursion, Batman!

I claim you have something wrong with your mod_security rules. That kind of recursion seems to be unnecessary and will most likely cause some serious load for your server. Fix the rules and/or Apache config, and don't try to "fix" this problem with arbitrarily large numbers.


Watching this closely as I have exactly the same issue and your config looks similar to mine. I'm a first timer to modsecurity, it's not exactly noob friendly!

Agree with Janne. Only advice I have so far is to remove all the core rules and re-introduce them 1 by 1 to start narrowing the problem down. I'm about to do that now.

Also you should change your rule engine setting to 

SecRuleEngine DetectionOnly

while working through config issues, this will allow you to monitor without enforcing - you don't want to enforce the rules while you're still not sure that they're doing what you want.

Please do post back with your learnings if you find a solution.

Related

Can strace show me the filename/path for read/write syscalls
SNI and wildcard SSL certificates on the same server with IIS
rsync - exclude all directories except a few
How to synchronize time on ESXi Windows virtual machines within one second?
What is the point of the zones.rfc1918 file for Bind9?
What Windows ext3 driver should I use? [closed]
PostgreSQL exits after being started
Open source tomcat log viewer
500 Error when using custom account for application pool in IIS 7
How do I enable Basic Authentication for IIS 8 in Windows Server 2012
The downsides of using nginx as a primary web server?
What is the difference between "dnl" and "dnl #" in a sendmail.mc file?