As long as you are sure you aren't actually under a DoS then have a look at the 
parameter "SecPcreMatchLimit" and "SecPcreMatchLimitRecursion", maybe look to 
increase these until the error goes away with normal traffic usage?

The default is 1500, I have seen it set as high as 250000 for both.

Craig


-----Original Message-----
From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org 
[mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of 
Aniyan Rajan
Sent: 21 July 2014 06:32
To: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] Errors

Anybody please help. What is this "Execution error - PCRE limits exceeded (-8): 
(null). " ?

I am getting this daily.

Thanks.

On 07/19/2014 06:49 PM, Aniyan Rajan wrote:
> Hello,
>
> I am getting the following errors in
> /var/log/apache2/modsec_audit.log. Please tell me how to fix this.
> Thanks.
>
>
> --1af2295a-A--
> [19/Jul/2014:12:51:12 +0000] U8ppwH8AAAEAABVXBoEAAAAB 61.3.165.175
> 38386 128.222.122.22 80
> --1af2295a-B--
> GET /wp-includes/css/buttons.min.css?ver=3.9.1 HTTP/1.1
> Host: www.my-domain.com
> User-Agent: Mozilla/5.0 (X11; Linux i686; rv:30.0) Gecko/20100101
> Firefox/30.0 Iceweasel/30.0
> Accept: text/css,*/*;q=0.1
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://www.my-domain.com/wp-login.php?loggedout=true
> Cookie: wp-settings-time-1=1404924481;
> wp-settings-1=libraryContent%3Dbrowse;
> wordpress_test_cookie=WP+Cookie+check
> DNT: 1
> Connection: keep-alive
> If-Modified-Since: Tue, 25 Mar 2014 21:23:14 GMT
> If-None-Match: "411db-15bb-4f574f5b2f480"
>
> --1af2295a-F--
> HTTP/1.1 304 Not Modified
> Last-Modified: Tue, 25 Mar 2014 21:23:14 GMT
> ETag: "411db-15bb-4f574f5b2f480"
> Accept-Ranges: bytes
> Content-Length: 0
> Vary: Accept-Encoding
> Keep-Alive: timeout=5, max=91
> Connection: Keep-Alive
> Content-Type: text/css
>
> --1af2295a-E--
>
> --1af2295a-H--
> Message: Rule 7f14c7110280 [id "950901"][file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inj
> ection_attacks.conf"][line "77"] - Execution error - PCRE limits
> exceeded (-8): (null).
> Message: Rule 7f14c7110280 [id "950901"][file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inj
> ection_attacks.conf"][line "77"] - Execution error - PCRE limits
> exceeded (-8): (null).
> Message: Rule 7f14c7110280 [id "950901"][file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inj
> ection_attacks.conf"][line "77"] - Execution error - PCRE limits
> exceeded (-8): (null).
> Message: Rule 7f14c7110280 [id "950901"][file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inj
> ection_attacks.conf"][line "77"] - Execution error - PCRE limits
> exceeded (-8): (null).
> Stopwatch: 1405774272625367 8289 (- - -)
> Stopwatch2: 1405774272625367 8289; combined=7685, p1=238, p2=7371,
> p3=1, p4=54, p5=21, sr=53, sw=0, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/);
> OWASP_CRS/2.2.5; OWASP_CRS/2.2.5.
> Server: Apache
>
> --1af2295a-Z--
>
> --1af2295a-A--
> [19/Jul/2014:12:51:12 +0000] U8ppwH8AAAEAABWEO4kAAAAF 61.3.165.175
> 38401 128.222.122.22 80
> --1af2295a-B--
> GET /wp-admin/css/login.min.css?ver=3.9.1 HTTP/1.1
> Host: www.my-domain.com
> User-Agent: Mozilla/5.0 (X11; Linux i686; rv:30.0) Gecko/20100101
> Firefox/30.0 Iceweasel/30.0
> Accept: text/css,*/*;q=0.1
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Referer: http://www.my-domain.com/wp-login.php?loggedout=true
> Cookie: wp-settings-time-1=1404924481;
> wp-settings-1=libraryContent%3Dbrowse;
> wordpress_test_cookie=WP+Cookie+check
> DNT: 1
> Connection: keep-alive
> If-Modified-Since: Thu, 24 Apr 2014 22:05:16 GMT
> If-None-Match: "40f2c-47c8-4f7d10b42df00"
>
> --1af2295a-F--
> HTTP/1.1 304 Not Modified
> Last-Modified: Thu, 24 Apr 2014 22:05:16 GMT
> ETag: "40f2c-47c8-4f7d10b42df00"
> Accept-Ranges: bytes
> Content-Length: 0
> Vary: Accept-Encoding
> Keep-Alive: timeout=5, max=100
> Connection: Keep-Alive
> Content-Type: text/css
>
> --1af2295a-E--
>
> --1af2295a-H--
> Message: Rule 7f14c7110280 [id "950901"][file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inj
> ection_attacks.conf"][line "77"] - Execution error - PCRE limits
> exceeded (-8): (null).
> Message: Rule 7f14c7110280 [id "950901"][file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inj
> ection_attacks.conf"][line "77"] - Execution error - PCRE limits
> exceeded (-8): (null).
> Message: Rule 7f14c7110280 [id "950901"][file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inj
> ection_attacks.conf"][line "77"] - Execution error - PCRE limits
> exceeded (-8): (null).
> Message: Rule 7f14c7110280 [id "950901"][file
> "/usr/share/modsecurity-crs/activated_rules/modsecurity_crs_41_sql_inj
> ection_attacks.conf"][line "77"] - Execution error - PCRE limits
> exceeded (-8): (null).
> Stopwatch: 1405774272887666 13250 (- - -)
> Stopwatch2: 1405774272887666 13250; combined=12096, p1=289, p2=11727,
> p3=2, p4=55, p5=23, sr=72, sw=0, l=0, gc=0
> Response-Body-Transformed: Dechunked
> Producer: ModSecurity for Apache/2.6.6 (http://www.modsecurity.org/);
> OWASP_CRS/2.2.5; OWASP_CRS/2.2.5.
> Server: Apache
>
> --1af2295a-Z--
>

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list 
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

________________________________

NOTICE AND DISCLAIMER
This e-mail (including any attachments) is intended for the above-named 
person(s). If you are not the intended recipient, notify the sender 
immediately, delete this email from your system and do not disclose or use for 
any purpose. We may monitor all incoming and outgoing emails in line with 
current legislation. We have taken steps to ensure that this email and 
attachments are free from any virus, but it remains your responsibility to 
ensure that viruses do not adversely affect you
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

Reply via email to