used atomic mod-security but still pcre error

Community support forums for the free/delayed modsecurity rules feed. There is no such thing as a bad question here as long as it pertains to using the delayed modsecurity rules feed. Newbies feel free to get help getting started or asking questions that may be obvious.
erwin123
New Forum User
Posts: 3
Joined: Thu Oct 11, 2012 3:37 pm
Location: netherlands

Hi,

I just installed the atomic mod_security the simple way:
wget -q -O - http://www.atomicorp.com/installers/atomic.sh | sh

To my surprise I get the "Rule execution error - PCRE limits exceeded (-8): (null)" error in my audit log.
I've not seen this on similar servers using the same method.

Is this a bug in the current package?
Is there a safe and simple way to solve this?
I've now disabled the rootkits rules since these seem to trigger them.

Btw, I tried the advised way of adding PCRE limits in php.ini, but this had no effect...

Thanks in advance!
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: used atomic mod-security but still pcre error

The modsecurity project broke something upstream that's causing these errors. You'll need to add in the workaround for now until they fix that bug upstream.

SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000

And if that's not high enough for you, you'll have to increase the limits. Your other option is to use 2.6.7, which does not have this bug. The differences between 2.6.7 and 2.6.8 are minor, and there are no security fixes in 2.6.8, so you can safely use 2.6.7.
erwin123

Re: used atomic mod-security but still pcre error

Hi Mike, thanks for your answer, and thank you for your great work.
I'm currently testing modsecurity and will possibly get the whole ASL package in the future for all our servers.
So far things have been above expectations.

I added:
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000

To the php.ini but that made no difference, so I'll try and raise it.
The wiki also mentioned you need to edit another file 'modsec2.user.conf' but I cannot find this file anywhere.

If there's an easy way of downgrading modsecurity I prefer that, but don't know how.
erwin123

Re: used atomic mod-security but still pcre error

It looks like I found the source of my problems..
I copy/pasted the tortix rules but something went wrong with that halfway through the file.
It seems to be solved now :)
mikeshinn

Re: used atomic mod-security but still pcre error

> To the php.ini but that made no difference, so I'll try and raise it.

Those two settings go in your modsecurity configuration file, not php.ini. So if you didn't add them to the modsecurity configuration, they won't do anything. If you did, then you may need to raise them.
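
The placement mistake discussed in this thread can be checked mechanically. The following Python is an added example, not code from the thread or from Atomicorp: it reports where the two limits are set and flags copies that sit in a file Apache never reads. It assumes that files ending in `.conf` are loaded by Apache and that the last setting seen wins; the function name and the sample file contents are constructed for illustration.

```python
import re

# The two ModSecurity 2.x directives from the thread. They are Apache
# directives, so they only take effect in configuration that Apache loads.
DIRECTIVES = ("SecPcreMatchLimit", "SecPcreMatchLimitRecursion")
# Apache directive names are case-insensitive; lines starting with '#'
# are comments and deliberately do not match.
LINE_RE = re.compile(
    r"^\s*(SecPcreMatchLimit(?:Recursion)?)\s+(\d+)\s*(?:#.*)?$", re.I)


def audit_pcre_limits(files, apache_suffix=".conf"):
    """files: {path: text}. Returns (effective, misplaced, missing).

    effective: {directive: (value, path, lineno)}, last setting seen in files
               treated as Apache config (assumption: name ends in .conf).
    misplaced: [(path, lineno, directive)] found in any other file, such as
               php.ini, where the setting has no effect on ModSecurity.
    missing:   directives with no effective setting at all.
    """
    effective, misplaced = {}, []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = LINE_RE.match(line)
            if not m:
                continue
            # Normalise to the canonical spelling of the directive.
            name = next(d for d in DIRECTIVES if d.lower() == m.group(1).lower())
            if path.endswith(apache_suffix):
                effective[name] = (int(m.group(2)), path, lineno)
            else:
                misplaced.append((path, lineno, name))
    missing = [d for d in DIRECTIVES if d not in effective]
    return effective, misplaced, missing


# Constructed sample: both limits pasted into php.ini, only one of them
# present (uncommented) in the ModSecurity configuration file.
SAMPLE = {
    "php.ini": "[PHP]\nmemory_limit = 128M\n"
               "SecPcreMatchLimit 150000\nSecPcreMatchLimitRecursion 150000\n",
    "modsec2.user.conf": "SecRuleEngine On\n# SecPcreMatchLimit 1000\n"
                         "SecPcreMatchLimit 150000\n",
}

if __name__ == "__main__":
    eff, bad, miss = audit_pcre_limits(SAMPLE)
    print("effective:", eff)
    print("misplaced:", bad)
    print("missing:  ", miss)
```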