Just about on every request I am getting the following error:

Rule execution error - PCRE limits exceeded (-8): (null).

After a bunch of googling the only solutions seem to be

a) Add the following in your httpd.conf

SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000

b) Add the following to your php.ini

pcre.backtrack_limit = 10000000
pcre.recursion_limit = 10000000

c) Use a version that was compiled with -disable-pcre-match-limit option.


I am running the following:

ModSecurity for Apache/2.5.12 (http://www.modsecurity.org/).

Apache/2.2.16 (Debian) PHP/5.3.3-7+squeeze8 with Suhosin-Patch mod_ssl/2.2.16 OpenSSL/0.9.8

For my ModSec rules, I am using the OWASP ModSecurity Core Rule Set (CRS) version 2.2.3, which is the newest as of this posting.

My httpd.conf consists of essentially:

<IfModule security2_module>
    SecUploadDir /var/asl/data/suspicious
    SecDataDir /var/asl/data/msa
    SecTmpDir /tmp
    SecAuditLogStorageDir /var/asl/data/audit

    Include modsecurity.d/modsecurity_crs_10_config.conf
    Include modsecurity.d/activated_rules/*.conf

    SecRuleEngine On

    # Debug log
    SecDebugLog /var/log/apache2/modsec_debug.log
    SecDebugLogLevel 3

    # Serial audit log
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus ^5
    SecAuditLogParts ABIFHZ
    SecAuditLogType Serial
    SecAuditLog /var/log/apache2/modsec_audit.log

    SecPcreMatchLimit 150000
    SecPcreMatchLimitRecursion 150000

</IfModule>


<IfModule mod_php5.c>
    # php_admin_value, not php_admin_flag: the *_flag form is only for
    # boolean (On/Off) settings and would not pass these integers through
    php_admin_value pcre.backtrack_limit 10000000
    php_admin_value pcre.recursion_limit 10000000
</IfModule>

Inside my modsecurity.d directory there are just all the default rules CRS ships in its install file. I have also set the pcre limits to 150000000 and 100000000000 and more, but to no avail.

So in conclusion:

Solutions a and b are not working, and I would greatly prefer not to do c, as I don't really understand/like compiling.

Anyone have any other ideas?

ParoX
  • I have this as well using the latest core rules and mod_security source code that I just downloaded. I'm getting these errors for a Rails app, not PHP. – Dogweather Apr 18 '12 at 09:14

4 Answers

Holy recursion, Batman!

I claim you have something wrong with your mod_security rules. That kind of recursion seems to be unnecessary and will most likely cause some serious load for your server. Fix the rules and/or Apache config, and don't try to "fix" this problem with arbitrarily large numbers.

Janne Pikkarainen

Watching this closely as I have exactly the same issue and your config looks similar to mine. I'm a first timer to modsecurity, it's not exactly noob friendly!

Agree with Janne. Only advice I have so far is to remove all the core rules and re-introduce them 1 by 1 to start narrowing the problem down. I'm about to do that now.

Also you should change your rule engine setting to

SecRuleEngine DetectionOnly

while working through config issues. This will allow you to monitor without enforcing; you don't want to enforce the rules while you're still not sure that they're doing what you want.

Please do post back with your learnings if you find a solution.
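One way to do that narrowing without pulling rules out by hand, as an added example that is not code from this answer: a small Python script that tallies the "PCRE limits exceeded" lines in the Apache error log by rule id, rule file and request URI, so the rule that backtracks excessively can be identified instead of the limits being raised blindly. The log lines below are constructed samples; the `[key "value"]` tag layout, file names and rule ids in them are assumptions about the log format, not values taken from this page.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Apache's error log carrying
# ModSecurity messages (not real traffic). The [key "value"] tags are the
# convention ModSecurity uses to annotate its messages; older 2.5.x builds
# may omit the rule tags entirely, which the fourth line below imitates.
SAMPLE_LOG = "\n".join([
    '[Tue Apr 17 10:01:02 2012] [error] [client 192.0.2.10] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [file "/etc/apache2/modsecurity.d/activated_rules/crs_example_a.conf"] [line "12"] [id "900101"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "cons-0001"]',
    '[Tue Apr 17 10:01:05 2012] [error] [client 192.0.2.11] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [file "/etc/apache2/modsecurity.d/activated_rules/crs_example_a.conf"] [line "12"] [id "900101"] [hostname "www.example.com"] [uri "/search.php"] [unique_id "cons-0002"]',
    '[Tue Apr 17 10:01:09 2012] [error] [client 192.0.2.12] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [file "/etc/apache2/modsecurity.d/activated_rules/crs_example_b.conf"] [line "40"] [id "900202"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "cons-0003"]',
    '[Tue Apr 17 10:01:12 2012] [error] [client 192.0.2.13] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [hostname "www.example.com"] [uri "/index.php"] [unique_id "cons-0004"]',
    '[Tue Apr 17 10:01:15 2012] [error] [client 192.0.2.14] ModSecurity: Warning. Pattern match "foo" at ARGS:q. [id "900303"] [uri "/index.php"] [unique_id "cons-0005"]',
    '[Tue Apr 17 10:01:20 2012] [error] [client 192.0.2.10] ModSecurity: Rule execution error - PCRE limits exceeded (-8): (null). [file "/etc/apache2/modsecurity.d/activated_rules/crs_example_a.conf"] [line "12"] [id "900101"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "cons-0006"]',
])

# Matches one [key "value"] annotation; values may contain escaped quotes.
TAG_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')


def parse_pcre_error(line):
    """Return the tag dict for a PCRE-limit error line, or None for other lines."""
    if "PCRE limits exceeded" not in line:
        return None
    return {m.group(1): m.group(2) for m in TAG_RE.finditer(line)}


def summarise(log_text):
    """Count PCRE-limit errors by rule id, rule file and request URI.

    Lines without rule tags (older ModSecurity builds) are still counted so the
    URI tally can point at the request type that triggers the blow-up.
    """
    by_rule, by_file, by_uri = Counter(), Counter(), Counter()
    total = 0
    for line in log_text.splitlines():
        tags = parse_pcre_error(line)
        if tags is None:
            continue
        total += 1
        by_rule[tags.get("id", "<no id>")] += 1
        by_file[tags.get("file", "<no file>")] += 1
        by_uri[tags.get("uri", "<no uri>")] += 1
    return {"total": total, "by_rule": by_rule, "by_file": by_file, "by_uri": by_uri}


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print("PCRE-limit errors:", s["total"])
    for key in ("by_rule", "by_file", "by_uri"):
        print(key, s[key].most_common(3))
```

Run it over the real file with `summarise(open("/var/log/apache2/error.log").read())`; the rule id at the top of `by_rule` is the one to inspect first, and a large `<no id>` share means the build does not tag these errors, in which case `by_uri` is the next best lead.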

Atomicorp (which sells a security product with ModSecurity built in) recommends 250000 on "modern systems". https://support.atomicorp.com/hc/en-us/articles/360000188468-Rule-execution-error-PCRE-limits-exceeded-8-null-

Ed Greenberg
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000

These must be found and changed in the mod_security config files on some *nix versions.

chuckx
Egils