mod_security - PCRE limits exceeded
On just about every request I am getting the following error:
Rule execution error - PCRE limits exceeded (-8): (null).
After a bunch of googling, the only solutions seem to be:
a) Add the following in your httpd.conf
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000
b) Add the following to your php.ini
pcre.backtrack_limit = 10000000
pcre.recursion_limit = 10000000
c) Use a version that was compiled with the --disable-pcre-match-limit option.
I am running the following:
ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).
Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze8 with Suhosin-Patch mod_ssl/2.2.16 OpenSSL/0.9.8
For my ModSecurity rules, I am using the OWASP ModSecurity Core Rule Set (CRS) version 2.2.3, which is the newest as of this posting.
My httpd.conf consists of essentially:
<IfModule security2_module>
SecUploadDir /var/asl/data/suspicious
SecDataDir /var/asl/data/msa
SecTmpDir /tmp
SecAuditLogStorageDir /var/asl/data/audit
Include modsecurity.d/modsecurity_crs_10_config.conf
Include modsecurity.d/activated_rules/*.conf
SecRuleEngine On
# Debug log
SecDebugLog /var/log/apache2/modsec_debug.log
SecDebugLogLevel 3
# Serial audit log
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus ^5
SecAuditLogParts ABIFHZ
SecAuditLogType Serial
SecAuditLog /var/log/apache2/modsec_audit.log
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000
</IfModule>
<IfModule mod_php5.c>
# Numeric php.ini settings are set with php_admin_value; php_admin_flag is only
# for On/Off settings and does not accept a number.
php_admin_value pcre.backtrack_limit 10000000
php_admin_value pcre.recursion_limit 10000000
</IfModule>
My modsecurity.d directory contains just the default rules from the CRS install. I have also set the PCRE limits to 150000000 and 100000000000 and more, but to no avail.
So in conclusion: solutions a) and b) are not working, and I would greatly prefer not to do c), as I don't really understand/like compiling.
Anyone have any other ideas?
Holy recursion, Batman!
I claim you have something wrong with your mod_security rules. That kind of recursion seems to be unnecessary and will most likely cause some serious load for your server. Fix the rules and/or Apache config, and don't try to "fix" this problem with arbitrarily large numbers.
Watching this closely as I have exactly the same issue and your config looks similar to mine. I'm a first-timer to ModSecurity; it's not exactly noob friendly!
Agree with Janne. The only advice I have so far is to remove all the core rules and re-introduce them one by one to start narrowing the problem down. I'm about to do that now.
Also, you should change your rule engine setting to
SecRuleEngine DetectionOnly
while working through config issues. This will allow you to monitor without enforcing; you don't want to enforce the rules while you're still not sure that they're doing what you want.
Please do post back with your learnings if you find a solution.
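As an added example (not from anyone in this thread), the following Python script supports the "narrow it down" approach suggested above: it scans Apache error-log lines for the PCRE-limit error and reports how many times each rule id triggers it and on which URIs. The log lines, rule ids, file paths and URIs are constructed, and the bracketed [id "..."][file "..."] tag layout is assumed to follow what ModSecurity 2.x writes to the error log.

```python
import re
from collections import Counter

# ModSecurity appends bracketed key "value" tags to its error-log messages,
# e.g. [id "900001"][file "/etc/...conf"][line "12"] [uri "/index.php"].
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
PCRE_ERR = 'PCRE limits exceeded'


def parse_modsec_line(line):
    """Return a dict of the bracketed tags on one error-log line,
    or None if the line is not a PCRE-limit error."""
    if PCRE_ERR not in line:
        return None
    return dict(TAG_RE.findall(line))


def rules_hitting_pcre_limit(lines):
    """Count PCRE-limit errors per rule id and remember the rule file and the
    URIs each rule choked on. Returns (rule_id, count, file, sorted uris)
    tuples, noisiest rule first, so you know which rule to pull out first."""
    counts = Counter()
    files = {}
    uris = {}
    for line in lines:
        tags = parse_modsec_line(line)
        if tags is None:
            continue
        rule_id = tags.get('id', 'unknown')
        counts[rule_id] += 1
        files.setdefault(rule_id, tags.get('file', '?'))
        uris.setdefault(rule_id, set()).add(tags.get('uri', '?'))
    return [(rid, n, files[rid], sorted(uris[rid]))
            for rid, n in counts.most_common()]


# Constructed sample log lines (not real traffic): ids, paths and URIs are made up;
# the second line is a normal rule match and must be ignored by the parser.
SAMPLE_LOG = """\
[Tue Jan 01 10:00:01 2013] [error] [client 10.0.0.5] ModSecurity: Rule 7f3a [id "900001"][file "/etc/apache2/modsecurity.d/activated_rules/example_rule_a.conf"][line "12"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.example.com"] [uri "/index.php"] [unique_id "AAA"]
[Tue Jan 01 10:00:02 2013] [error] [client 10.0.0.6] ModSecurity: Warning. Pattern match "foo" at ARGS:q. [id "900002"][file "/etc/apache2/modsecurity.d/activated_rules/example_rule_b.conf"][line "3"] [hostname "www.example.com"] [uri "/search"] [unique_id "BBB"]
[Tue Jan 01 10:00:03 2013] [error] [client 10.0.0.7] ModSecurity: Rule 7f3a [id "900001"][file "/etc/apache2/modsecurity.d/activated_rules/example_rule_a.conf"][line "12"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.example.com"] [uri "/login"] [unique_id "CCC"]
[Tue Jan 01 10:00:04 2013] [error] [client 10.0.0.8] ModSecurity: Rule 7f4b [id "900003"][file "/etc/apache2/modsecurity.d/activated_rules/example_rule_c.conf"][line "40"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.example.com"] [uri "/index.php"] [unique_id "DDD"]
"""

if __name__ == '__main__':
    for rule_id, n, path, hit_uris in rules_hitting_pcre_limit(SAMPLE_LOG.splitlines()):
        print(f"rule {rule_id}: {n} PCRE-limit error(s) in {path} on {', '.join(hit_uris)}")
```

Run it against the real error log with `rules_hitting_pcre_limit(open('/var/log/apache2/error.log'))` while the engine is in DetectionOnly; the rule at the top of the list is the one to disable or rewrite first.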