Atomicorp

Hi,

I just installed the atomic mod_security the simple way:
wget -q -O – http://www.atomicorp.com/installers/atomic.sh | sh

To my suprise i get the Rule execution error – PCRE limits exceeded (-8): (null) error in my audit log.
I've not seen this on simular servers using the same method.

Is this a bug in a the current package?
Is there a safe and simple way to solve this?
I've now disabled the rootkits rules since these seem to trigger them.

btw, I tried the advised whay of adding pcre limits in php.ini, but this had no effect...

Thanks in advance!

The modsecurity project broken something upstream thats causing these errors. You'll need to add in the workaround for now until they fix that bug upstream.

SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000

And if thats not high enough for you, you'll have to increase the limits. Your other option is use 2.6.7 which does not have this bug. The differences between 2.6.7 and 2.6.8 are minor, and there are no security fixes in 2.6.8 so you can safely use 2.6.7.

Hi Mike, thanks for your answer, and thank you for your great work.
I'm currently testing modsecurity and will possibly get the whole ASL package in the future for all our servers.
So far things have been above expectations.

I added :
SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000

To the php.ini but that made no difference, so I'll try and raise it.
The wiki also mentioned you need to edit another file 'modsec2.user.conf' but I cannot find this file anywhere.

If there's an easy whay of downgrading modsecurity I prefer that, but don't know how.

It looks like I found the source of my problemens..
I copy/pasted the tortix rules but something went wrong with that halfway the file.
It seems to be solved now

To the php.ini but that made no difference, so I'll try and raise it.

Those two settings go in your modsecurity configuration file, not php.ini. So if you didnt add them to the modsecurity configuration, they wont do anything. If you did, then you may need to raise them.