I'd start by checking the debug log; that should at least move you in the
right direction. With a massive request like that I'm not surprised some
PCRE limits are being hit :-)

On Sun, Jun 17, 2018 at 3:32 AM Quinn Comendant <qu...@strangecode.com>
wrote:

> I'm getting the famous MSC_PCRE_LIMITS_EXCEEDED error on a specific
> request, and not able to circumvent it by raising the SecPcreMatchLimit
> value; I've raised it to SecPcreMatchLimit 10000000 (ten million!) and it's
> still blocked.
>
> Looks to me like a broken regex.
>
> 1. So maybe this is a bug report. Can you guys confirm the issue, based on
> the data included below?
>
> 2. How do I find which rule has the regex blocking this request? (I don't
> mean rule 200004, which blocks MSC_*, I mean the rule with the broken regex
> that caused too much recursion.)
>
> error_log:
> [Fri Jun 15 23:26:43.506695 2018] [:error] [pid 22588] [client
> 1.2.3.4:54790] [client 1.2.3.4] ModSecurity: Access denied with code 403
> (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED"
> required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "43"] [id
> "200004"] [msg "ModSecurity internal error flagged:
> TX:MSC_PCRE_LIMITS_EXCEEDED"] [hostname "www.example.com"] [uri
> "/cp/orders.php"] [unique_id "WyRLM2JpNbHeGYomo7lCxQAAAAU"], referer:
> https://www.example.com/order/new
>
> OS:
> CentOS Linux release 7.5.1804 (Core)
>
> Software versions:
> httpd-2.4.6-80.el7.centos.x86_64
> mod_security-2.9.2-1.el7.x86_64
> mod_security_crs-2.2.9-1.el7.noarch
>
> Config:
> $ sudo grep -r SecPcreMatchLimit /etc/httpd
> /etc/httpd/conf.d/mod_security.conf:    SecPcreMatchLimit 10000000
> /etc/httpd/conf.d/mod_security.conf:    SecPcreMatchLimitRecursion 10000000
>
> Request:
> The request causing the error, as a curl command:
> https://pastebin.com/raw/fymAQtsJ
>
> curl 'https://www.example.com/order/confirm' -H 'Connection: keep-alive'
> -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' -H 'Origin:
> https://www.example.com' -H 'Upgrade-Insecure-Requests: 1' -H 'DNT: 1' -H
> 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent:
> Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML,
> like Gecko) Chrome/67.0.3396.87 Safari/537.36' -H 'Accept:
> text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8'
> -H 'Referer: https://www.example.com/order/new' -H 'Accept-Encoding:
> gzip, deflate, br' -H 'Accept-Language: en-US,en;q=0.9,es;q=0.8' -H
> 'Cookie: _prefs-login-username=%22%22; _session=sgj9tdvgrc26m57atct02niat3'
> --data
> 'csrf_token=1528995053-BrkRHVojxjfm5jmXVrK08SjLCo33daL2lHOPjosXweGZihQptAuqSwAKE6aNoWup&op=confirm&contdrugs-store=%5B%7B%22id%22%3A%221i75f9wlcaa2a6c7%22%2C%22ndc%22%3A%228576453101%22%2C%22description%22%3A%22TORGUGESIC-SA%22%2C%22strength%22%3A%222MG%2FML%22%2C%22dosage%22%3A%22Injection%22%2C%22package_size%22%3A%2210%22%2C%22units_of_measure%22%3A%22ml%22%2C%22quantity%22%3A%221%22%2C%22quantity_units%22%3A%22full+packages%22%2C%22notes%22%3A%22%22%7D%2C%7B%22id%22%3A%221i75fwwk6yf2c487%22%2C%22ndc%22%3A%22641228941%22%2C%22description%22%3A%22DIAZEPAM%22%2C%22strength%22%3A%225+MG%2FML%22%2C%22dosage%22%3A%22Solution%22%2C%22package_size%22%3A%2210%22%2C%22units_of_measure%22%3A%22ml%22%2C%22quantity%22%3A%221%22%2C%22quantity_units%22%3A%22full+packages%22%2C%22notes%22%3A%22%22%7D%2C%7B%22id%22%3A%221i75ftk3c0393b6a%22%2C%22ndc%22%3A%22856203310%22%2C%22description%22%3A%22TORBUTROL%22%2C%22strength%22%3A%2210MG%5C%5CML%22%2C%22dosage%22%3A%22Injection%22%2C%22package_size%22%3A%2210%22%2C%22units_of_measure%22%3A%22ml%22%2C%22quantity%22%3A%222.5%22%2C%22quantity_units%22%3A%22ml%22%2C%22notes%22%3A%22%22%7D%2C%7B%22id%22%3A%221i75eew2wa8940aa%22%2C%22ndc%22%3A%221169507021%22%2C%22description%22%3A%22KETAMINE+HCL%22%2C%22strength%22%3A%2210MG%2FML%22%2C%22dosage%22%3A%22Injection%22%2C%22package_size%22%3A%2210%22%2C%22units_of_measure%22%3A%22ml%22%2C%22quantity%22%3A%222.29%22%2C%22quantity_units%22%3A%22ml%22%2C%22notes%22%3A%22%22%7D%2C%7B%22id%22%3A%221i75ezq4k0a504cd%22%2C%22ndc%22%3A%226157008101%22%2C%22description%22%3A%22TUSSIGON%22%2C%22strength%22%3A%221.5+MG-5+MG%22%2C%22dosage%22%3A%22Tablet%22%2C%22package_size%22%3A%22100%22%2C%22units_of_measure%22%3A%22ea%22%2C%22quantity%22%3A%223%22%2C%22quantity_units%22%3A%22full+packages%22%2C%22notes%22%3A%22%22%7D%2C%7B%22id%22%3A%221i75f28rfw2ed68a%22%2C%22ndc%22%3A%226157008101%22%2C%22description%22%3A%22TUSSIGON%22%2C%22strength%22%3A%221.5+MG-5+MG%22%2C%22dosage%22%3A%22Tablet%22%2C%22package_size%22%3A%22100%22%2C%22units_of_measure%22%3A%22ea%22%2C%22quantity%22%3A%2268%22%2C%22quantity_units%22%3A%22ea%22%2C%22notes%22%3A%22%22%7D%2C%7B%22id%22%3A%221i75f5nnbwc3419d%22%2C%22ndc%22%3A%22856202660%22%2C%22description%22%3A%22BUTORPHANOL%22%2C%22strength%22%3A%225MG%22%2C%22dosage%22%3A%22Tablet%22%2C%22package_size%22%3A%22100%22%2C%22units_of_measure%22%3A%22ea%22%2C%22quantity%22%3A%2290%22%2C%22quantity_units%22%3A%22ea%22%2C%22notes%22%3A%22%22%7D%2C%7B%22id%22%3A%221i75ec40m257e4e4%22%2C%22ndc%22%3A%221169507021%22%2C%22description%22%3A%22KETAMINE+HCL%22%2C%22strength%22%3A%2210MG%2FML%22%2C%22dosage%22%3A%22Injection%22%2C%22package_size%22%3A%2210%22%2C%22units_of_measure%22%3A%22ml%22%2C%22quantity%22%3A%226%22%2C%22quantity_units%22%3A%22full+packages%22%2C%22notes%22%3A%22%22%7D%2C%7B%22id%22%3A%221i75fzeyre2104f3%22%2C%22ndc%22%3A%22641228941%22%2C%22description%22%3A%22DIAZEPAM%22%2C%22strength%22%3A%225+MG%2FML%22%2C%22dosage%22%3A%22Solution%22%2C%22package_size%22%3A%2210%22%2C%22units_of_measure%22%3A%22ml%22%2C%22quantity%22%3A%222.65%22%2C%22quantity_units%22%3A%22ml%22%2C%22notes%22%3A%22%22%7D%2C%7B%22id%22%3A%221i75g2unoy141ce6%22%2C%22ndc%22%3A%22409321312%22%2C%22description%22%3A%22DIAZEPAM%22%2C%22strength%22%3A%225+MG%2FML%22%2C%22dosage%22%3A%22Solution%22%2C%22package_size%22%3A%2210%22%2C%22units_of_measure%22%3A%22ml%22%2C%22quantity%22%3A%224%22%2C%22quantity_units%22%3A%22ml%22%2C%22notes%22%3A%22%22%7D%2C%7B%22id%22%3A%221i75gviq9434b93c%22%2C%22ndc%22%3A%224945278751%22%2C%22description%22%3A%22TRAMADOL+HCL%22%2C%22strength%22%3A%22Powder%22%2C%22dosage%22%3A%22Powder%22%2C%22package_size%22%3A%221%22%2C%22units_of_measure%22%3A%22gm%22%2C%22quantity%22%3A%220.125%22%2C%22quantity_units%22%3A%22gm%22%2C%22notes%22%3A%22%22%7D%2C%7B%22id%22%3A%221i75gztlgcfa0ae6%22%2C%22ndc%22%3A%224945278751%22%2C%22description%22%3A%22TRAMADOL+HCL%22%2C%22strength%22%3A%22Powder%22%2C%22dosage%22%3A%22Powder%22%2C%22package_size%22%3A%221%22%2C%22units_of_measure%22%3A%22gm%22%2C%22quantity%22%3A%220.125%22%2C%22quantity_units%22%3A%22gm%22%2C%22notes%22%3A%22%22%7D%2C%7B%22id%22%3A%221i75h329z80f8112%22%2C%22ndc%22%3A%224945278751%22%2C%22description%22%3A%22TRAMADOL+HCL%22%2C%22strength%22%3A%22Powder%22%2C%22dosage%22%3A%22Powder%22%2C%22package_size%22%3A%221%22%2C%22units_of_measure%22%3A%22gm%22%2C%22quantity%22%3A%220.125%22%2C%22quantity_units%22%3A%22gm%22%2C%22notes%22%3A%22%22%7D%2C%7B%22id%22%3A%221i75hdpo0u382057%22%2C%22ndc%22%3A%224945278751%22%2C%22description%22%3A%22TRAMADOL+HCL%22%2C%22strength%22%3A%22Powder%22%2C%22dosage%22%3A%22Powder%22%2C%22package_size%22%3A%221%22%2C%22units_of_measure%22%3A%22gm%22%2C%22quantity%22%3A%220.06875%22%2C%22quantity_units%22%3A%22gm%22%2C%22notes%22%3A%22%22%7D%2C%7B%22id%22%3A%221i75he25ro68cccb%22%2C%22ndc%22%3A%226516262710%22%2C%22description%22%3A%22TRAMADOL+HYDROCHLORIDE%22%2C%22strength%22%3A%2250+MG%22%2C%22dosage%22%3A%22Tablet%22%2C%22package_size%22%3A%22100%22%2C%22units_of_measure%22%3A%22ea%22%2C%22quantity%22%3A%2250.75%22%2C%22quantity_units%22%3A%22ea%22%2C%22notes%22%3A%22%22%7D%5D&pharmwaste-store=%5B%5D&contdrugs_weight=8&pharmwaste_weight=0&box_h=5&box_l=5&box_w=5'
> --compressed
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>


-- 
Chaim Sanders
http://www.ChaimSanders.com
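Added example (editor's note, not from either poster and not CRS or ModSecurity project code): with SecDebugLog set and SecDebugLogLevel at 4 or higher, ModSecurity 2.9's rx operator writes the id of the rule whose regex hit the PCRE match or recursion limit directly into the debug log, so the culprit rule can be pulled out with grep and sed without reading the whole level-9 trace. The message format used below ("Rule ... [id "..."][file "..."][line "..."] - Execution error - PCRE limits exceeded") is my reading of the 2.9.x source and should be checked against your own log; the log lines, rule id 123456 and file name in the sample are constructed, not a real capture.

```shell
#!/bin/sh
# Added example: find which rule's regex blew the PCRE match/recursion limit,
# using the ModSecurity 2.x debug log rather than the error_log (which only
# shows rule 200004 reacting to TX:MSC_PCRE_LIMITS_EXCEEDED).
#
# Server-side config assumed (not part of this script):
#   SecDebugLog      /var/log/httpd/modsec_debug.log
#   SecDebugLogLevel 4
#
# Assumed debug message format for the rx operator (check against your log):
#   Rule 7f... [id "N"][file "F"][line "L"] - Execution error - PCRE limits exceeded (-8): ...
# -8 is PCRE_ERROR_MATCHLIMIT, -21 is PCRE_ERROR_RECURSIONLIMIT.

# Write a constructed sample debug log to the path given in $1.
# The rule id, file and line values are made up for illustration.
make_sample_log() {
  cat > "$1" <<'EOF'
[15/Jun/2018:23:26:43 +0000] [www.example.com/sid#1][rid#2][/cp/orders.php][4] Recipe: Invoking rule 7f1234; [file "/etc/httpd/modsecurity.d/example_rules.conf"] [line "104"] [id "123456"].
[15/Jun/2018:23:26:43 +0000] [www.example.com/sid#1][rid#2][/cp/orders.php][4] Rule 7f1234 [id "123456"][file "/etc/httpd/modsecurity.d/example_rules.conf"][line "104"] - Execution error - PCRE limits exceeded (-8): (null).
[15/Jun/2018:23:26:43 +0000] [www.example.com/sid#1][rid#2][/cp/orders.php][4] Rule returned 0.
[15/Jun/2018:23:26:43 +0000] [www.example.com/sid#1][rid#2][/cp/orders.php][4] Recipe: Invoking rule 7f5678; [file "/etc/httpd/conf.d/mod_security.conf"] [line "43"] [id "200004"].
[15/Jun/2018:23:26:43 +0000] [www.example.com/sid#1][rid#2][/cp/orders.php][4] Rule returned 1.
EOF
}

# Print "<id> <file> <line>" for every distinct rule that hit a PCRE limit
# in the debug log given in $1. Only the operator's own error line carries
# the [id][file][line] triple followed by the PCRE message, so the sed
# pattern is anchored on that sequence and ignores the Recipe lines.
pcre_limit_rules() {
  grep 'PCRE limits exceeded' "$1" \
    | sed -n 's/.*\[id "\([^"]*\)"\]\[file "\([^"]*\)"\]\[line "\([^"]*\)"\].*/\1 \2 \3/p' \
    | sort -u
}

# Stand-alone usage: build the sample log and report the offending rule(s).
# On a real host, point pcre_limit_rules at the SecDebugLog file instead.
if [ "${1:-}" = "--demo" ]; then
  log=$(mktemp)
  make_sample_log "$log"
  pcre_limit_rules "$log"
  rm -f "$log"
fi
```

Once the id is known, the regex itself is the `@rx` argument on that line of the named file; a targeted `SecRuleRemoveById` for that id, or a `SecRuleUpdateTargetById` excluding the one oversized argument, is a narrower workaround than raising SecPcreMatchLimit globally.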