Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle.
DarkF@der
Forum Regular
Posts: 313 Joined: Thu May 07, 2009 12:46 pm
by DarkF@der » Wed Nov 06, 2013 5:26 pm
A WordPress client gets these errors when editing general files.
[Wed Nov 06 21:02:19 2013] [error] [client xxx.xxx.xxx.xx] ModSecurity: Rule 7f366e423cb8 [id "373763"][file "/etc/httpd/modsecurity.d/98_asl_adv_redactor.conf"][line "69"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "xxxxxxxxxxxxxxxx.xx"] [uri "/wp-admin/options-general.php"] [unique_id "UnqgS1fDTxQAAH74dCEAAAAP"]
What this means...?
Greets
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149 Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA
by mikeshinn » Wed Nov 06, 2013 9:09 pm
Nothing you need to do. You can ignore that. It's an internal condition, and something that will be addressed in a future update of those rules. It has no impact on your system.
DarkF@der
Forum Regular
Posts: 313 Joined: Thu May 07, 2009 12:46 pm
by DarkF@der » Thu Nov 07, 2013 4:33 am
I'd like to ignore it, but it's a level 14 and you get shunned.
I also notice a lot of people with an iframe get shunned. And even when you upgrade WordPress you get shunned.
Is this rule new?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149 Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA
by mikeshinn » Thu Nov 07, 2013 4:59 am
Are you sure that alert is level 14? That should come up as a level 0, it's a generic error.
# /var/ossec/bin/ossec-logtest
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoders.d/01-asl-decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoders.d/10-asl-drupal-decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-exim-decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-waf-decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoders.d/75-asl-deltaadmin-decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Started (pid: 15152).
ossec-testrule: Type one log per line.
[Wed Nov 06 21:02:19 2013] [error] [client xxx.xxx.xxx.xx] ModSecurity: Rule 7f366e423cb8 [id "373763"][file "/etc/httpd/modsecurity.d/98_asl_adv_redactor.conf"][line "69"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "xxxxxxxxxxxxxxxx.xx"] [uri "/wp-admin/options-general.php"] [unique_id "UnqgS1fDTxQAAH74dCEAAAAP"]
**Phase 1: Completed pre-decoding.
full event: '[Wed Nov 06 21:02:19 2013] [error] [client xxx.xxx.xxx.xx] ModSecurity: Rule 7f366e423cb8 [id "373763"][file "/etc/httpd/modsecurity.d/98_asl_adv_redactor.conf"][line "69"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "xxxxxxxxxxxxxxxx.xx"] [uri "/wp-admin/options-general.php"] [unique_id "UnqgS1fDTxQAAH74dCEAAAAP"]'
hostname: 'www'
program_name: '(null)'
log: '[error] [client xxx.xxx.xxx.xx] ModSecurity: Rule 7f366e423cb8 [id "373763"][file "/etc/httpd/modsecurity.d/98_asl_adv_redactor.conf"][line "69"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "xxxxxxxxxxxxxxxx.xx"] [uri "/wp-admin/options-general.php"] [unique_id "UnqgS1fDTxQAAH74dCEAAAAP"]'
**Phase 2: Completed decoding.
decoder: 'apache-errorlog'
**Phase 3: Completed filtering (rules).
Rule id: '30101'
Level: '0'
Description: 'Apache error messages grouped.'
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149 Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA
by mikeshinn » Thu Nov 07, 2013 5:07 am
Something's not right with your rules. What's the output of this command:
aum -uf
And does this continue after that? If it does, what's the output of this command:
cat /etc/asl/rules
prupert
Forum Regular
Posts: 573 Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands
by prupert » Thu Nov 07, 2013 6:42 am
This rule 373763 is part of MODSEC_98_ADV_REDACTOR, which should not have been enabled on your system (unless you have specifically done so). See also
https://www.atomicorp.com/wiki/index.ph ... actor.conf
We are under the suspicion that an error in an ASL rule update has caused this rule set to be enabled. This has caused a very significant number of false positives, mainly by rules 373763 and 373764.
I recommend that every ASL admin make sure their rules are updated ("aum -uf"), and manually confirm that MODSEC_98_ADV_REDACTOR is disabled in /etc/asl/config, and thus that 98_asl_adv_redactor.conf is not listed in /etc/httpd/modsecurity.d/.
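As an added example that is not code from this thread or from Atomicorp, the script below shows how an admin could triage an Apache error log for the condition discussed above: it parses ModSecurity error-log lines into their bracketed fields (the same layout ossec-logtest pre-decodes in mikeshinn's post), and then separates "PCRE limits exceeded" errors that come from 98_asl_adv_redactor.conf (the rule set prupert says was enabled by mistake) from any other ModSecurity execution errors that still deserve a look. The sample log lines, client addresses, hostnames, the second and third unique_id values and the 00_constructed_example.conf rule file are constructed for the example; only rule ids 373763/373764 and the redactor file name come from the thread.

```python
import re
from collections import Counter

# Rule file named in the thread as the source of the false positives.
REDACTOR_RULE_FILE = "98_asl_adv_redactor.conf"

# Apache 2.2-style error-log prefix followed by the ModSecurity message,
# as quoted in the original post.
MODSEC_RE = re.compile(
    r'^\[(?P<timestamp>[^\]]+)\] \[(?P<level>\w+)\] '
    r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<message>.*)$'
)
# ModSecurity appends context as [key "value"] pairs; capture them all.
KV_RE = re.compile(r'\[(?P<key>\w+) "(?P<value>[^"]*)"\]')

# Constructed sample log, modelled on the line quoted in the thread.
# Line 1 and 2: the known redactor false positives (rules 373763/373764).
# Line 3: a PCRE-limit error from a different (constructed) rule file.
# Line 4: an ordinary Apache error with no ModSecurity content.
SAMPLE_LOG = """\
[Wed Nov 06 21:02:19 2013] [error] [client 192.0.2.10] ModSecurity: Rule 7f366e423cb8 [id "373763"][file "/etc/httpd/modsecurity.d/98_asl_adv_redactor.conf"][line "69"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.example.test"] [uri "/wp-admin/options-general.php"] [unique_id "UnqgS1fDTxQAAH74dCEAAAAP"]
[Wed Nov 06 21:02:25 2013] [error] [client 192.0.2.10] ModSecurity: Rule 7f366e424a10 [id "373764"][file "/etc/httpd/modsecurity.d/98_asl_adv_redactor.conf"][line "70"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.example.test"] [uri "/wp-admin/post.php"] [unique_id "CONSTRUCTED0000000000002"]
[Wed Nov 06 21:02:40 2013] [error] [client 192.0.2.11] ModSecurity: Rule 7f366e400000 [id "300000"][file "/etc/httpd/modsecurity.d/00_constructed_example.conf"][line "1"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.example.test"] [uri "/index.php"] [unique_id "CONSTRUCTED0000000000003"]
[Wed Nov 06 21:03:01 2013] [error] [client 192.0.2.12] File does not exist: /var/www/html/favicon.ico
"""


def parse_modsec_error(line):
    """Return a dict of fields for a ModSecurity error-log line, else None."""
    m = MODSEC_RE.match(line)
    if not m:
        return None
    entry = {
        "timestamp": m.group("timestamp"),
        "level": m.group("level"),
        "client": m.group("client"),
    }
    message = m.group("message")
    # id, file, line, hostname, uri, unique_id, ... become dict keys.
    entry.update(dict(KV_RE.findall(message)))
    # What remains after stripping the bracketed pairs is the free text,
    # e.g. 'Rule 7f366e423cb8 - Execution error - PCRE limits exceeded (-8): (null).'
    entry["text"] = re.sub(r"\s+", " ", KV_RE.sub("", message)).strip()
    return entry


def is_redactor_pcre_error(entry):
    """True for the PCRE-limit errors raised by the adv_redactor rule file."""
    return (entry.get("file", "").endswith(REDACTOR_RULE_FILE)
            and "PCRE limits exceeded" in entry["text"])


def triage(log_text):
    """Count redactor false positives per rule id; collect everything else.

    Returns (Counter of rule id -> hits, list of other ModSecurity entries).
    Non-ModSecurity lines are skipped entirely.
    """
    redactor_hits = Counter()
    other = []
    for line in log_text.splitlines():
        entry = parse_modsec_error(line)
        if entry is None:
            continue
        if is_redactor_pcre_error(entry):
            redactor_hits[entry.get("id", "?")] += 1
        else:
            other.append(entry)
    return redactor_hits, other


if __name__ == "__main__":
    hits, other = triage(SAMPLE_LOG)
    for rule_id, n in sorted(hits.items()):
        print(f"redactor rule {rule_id}: {n} PCRE-limit error(s) (known false positive)")
    for entry in other:
        print(f"review: rule {entry.get('id')} in {entry.get('file')} -> {entry['text']}")
```

If the redactor counter is non-zero on a host where MODSEC_98_ADV_REDACTOR is supposed to be off, that is the cue to run "aum -uf" and re-check /etc/asl/config and the modsecurity.d directory as prupert describes; entries in the "other" list are not explained by that rule set and should be looked at on their own merits.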