PCRE limits exceeded

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
DarkF@der
Forum Regular

A WordPress client gets these errors when editing general files.

[Wed Nov 06 21:02:19 2013] [error] [client xxx.xxx.xxx.xx] ModSecurity: Rule 7f366e423cb8 [id "373763"][file "/etc/httpd/modsecurity.d/98_asl_adv_redactor.conf"][line "69"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "xxxxxxxxxxxxxxxx.xx"] [uri "/wp-admin/options-general.php"] [unique_id "UnqgS1fDTxQAAH74dCEAAAAP"] 
What does this mean...?

Greets
mikeshinn
Atomicorp Staff - Site Admin

Nothing you need to do. You can ignore that. It's an internal condition, and something that will be addressed in a future update of those rules. It has no impact on your system.
DarkF@der
Forum Regular

I'd like to ignore it, but it's a level 14 and you get shunned.
I also notice a lot of people with an iframe get shunned. And even when you upgrade WordPress you get shunned.
Is this rule new?
mikeshinn
Atomicorp Staff - Site Admin

Are you sure that alert is level 14? That should come up as a level 0, it's a generic error.
# /var/ossec/bin/ossec-logtest
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoders.d/01-asl-decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoders.d/10-asl-drupal-decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-exim-decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-waf-decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoders.d/75-asl-deltaadmin-decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Started (pid: 15152).
ossec-testrule: Type one log per line.

[Wed Nov 06 21:02:19 2013] [error] [client xxx.xxx.xxx.xx] ModSecurity: Rule 7f366e423cb8 [id "373763"][file "/etc/httpd/modsecurity.d/98_asl_adv_redactor.conf"][line "69"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "xxxxxxxxxxxxxxxx.xx"] [uri "/wp-admin/options-general.php"] [unique_id "UnqgS1fDTxQAAH74dCEAAAAP"]


**Phase 1: Completed pre-decoding.
full event: '[Wed Nov 06 21:02:19 2013] [error] [client xxx.xxx.xxx.xx] ModSecurity: Rule 7f366e423cb8 [id "373763"][file "/etc/httpd/modsecurity.d/98_asl_adv_redactor.conf"][line "69"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "xxxxxxxxxxxxxxxx.xx"] [uri "/wp-admin/options-general.php"] [unique_id "UnqgS1fDTxQAAH74dCEAAAAP"]'
hostname: 'www'
program_name: '(null)'
log: '[error] [client xxx.xxx.xxx.xx] ModSecurity: Rule 7f366e423cb8 [id "373763"][file "/etc/httpd/modsecurity.d/98_asl_adv_redactor.conf"][line "69"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "xxxxxxxxxxxxxxxx.xx"] [uri "/wp-admin/options-general.php"] [unique_id "UnqgS1fDTxQAAH74dCEAAAAP"]'

**Phase 2: Completed decoding.
decoder: 'apache-errorlog'

**Phase 3: Completed filtering (rules).
Rule id: '30101'
Level: '0'
Description: 'Apache error messages grouped.'
DarkF@der
Forum Regular

Image
mikeshinn
Atomicorp Staff - Site Admin

Something's not right with your rules, what's the output of this command:

aum -uf

And does this continue after that? If it does, what's the output of this command:

cat /etc/asl/rules
prupert
Forum Regular

This rule 373763 is part of MODSEC_98_ADV_REDACTOR, which should not have been enabled on your system (unless you have specifically done so). See also https://www.atomicorp.com/wiki/index.ph ... actor.conf

We are under the suspicion that an error in an ASL rule update has caused this rule set to be enabled. This has caused a very significant number of false positives, mainly by rules 373763 and 373764.

I recommend every ASL admin to make sure their rules are updated ("aum -uf"), and manually confirm that MODSEC_98_ADV_REDACTOR is disabled in /etc/asl/config, and thus that 98_asl_adv_redactor.conf is not listed in /etc/httpd/modsecurity.d/.
Lemonbit Internet Dedicated Server Management
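
One way to script the check recommended in the post above, and to see which rule ids are hitting the PCRE limit in an Apache error log. This is an added example, not from the thread or from Atomicorp. It assumes /etc/asl/config uses KEY="value" lines with yes/no style values; the function names are hypothetical and the error log path is whatever your Apache writes to.

```shell
#!/bin/sh
# Added example. Assumption: /etc/asl/config holds KEY="value" lines.

# Print the value of a setting from the config file (last assignment wins,
# commented-out lines are ignored).
asl_setting() {  # usage: asl_setting FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Return 0 only when the rule set is off in the config AND its rule file
# is absent from the ModSecurity rules directory.
redactor_disabled() {  # usage: redactor_disabled CONFIG RULES_DIR
    val=$(asl_setting "$1" MODSEC_98_ADV_REDACTOR | tr 'A-Z' 'a-z')
    rc=0
    case "$val" in
        yes|on|1|true) echo "config: MODSEC_98_ADV_REDACTOR=$val (enabled)"; rc=1 ;;
        *) echo "config: MODSEC_98_ADV_REDACTOR=${val:-unset}" ;;
    esac
    if [ -e "$2/98_asl_adv_redactor.conf" ]; then
        echo "rules dir: 98_asl_adv_redactor.conf is present"; rc=1
    fi
    return $rc
}

# Count "PCRE limits exceeded" errors per ModSecurity rule id,
# printed as "<rule id> <count>".
pcre_limit_counts() {  # usage: pcre_limit_counts ERROR_LOG
    grep 'PCRE limits exceeded' "$1" |
        sed -n 's/.*\[id "\([0-9]*\)"].*/\1/p' | sort | uniq -c |
        awk '{print $2, $1}'
}

# Usage: sh check.sh audit [ERROR_LOG]   (paths below are the ones in the thread)
if [ "${1:-}" = "audit" ]; then
    redactor_disabled /etc/asl/config /etc/httpd/modsecurity.d
    if [ -n "${2:-}" ]; then pcre_limit_counts "$2"; fi
fi
```

Run it after "aum -uf"; a non-zero result from redactor_disabled means the rule set is still active in one of the two places.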