PCRE limits exceeded
Posted: Wed Nov 06, 2013 5:26 pm
by DarkF@der
A WordPress client gets these errors when editing general files.
[Wed Nov 06 21:02:19 2013] [error] [client xxx.xxx.xxx.xx] ModSecurity: Rule 7f366e423cb8 [id "373763"][file "/etc/httpd/modsecurity.d/98_asl_adv_redactor.conf"][line "69"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "xxxxxxxxxxxxxxxx.xx"] [uri "/wp-admin/options-general.php"] [unique_id "UnqgS1fDTxQAAH74dCEAAAAP"]
What does this mean?
Greets
Re: PCRE limits exceeded
Posted: Wed Nov 06, 2013 9:09 pm
by mikeshinn
Nothing you need to do. You can ignore that. It's an internal condition, and something that will be addressed in a future update of those rules. It has no impact on your system.
Re: PCRE limits exceeded
Posted: Thu Nov 07, 2013 4:33 am
by DarkF@der
I'd like to ignore it, but it's a level 14 and you get shunned.
I also notice a lot of people with an iframe get shunned. And even when you upgrade WordPress you get shunned.
Is this rule new?
Re: PCRE limits exceeded
Posted: Thu Nov 07, 2013 4:59 am
by mikeshinn
Are you sure that alert is level 14? That should come up as a level 0, it's a generic error.
# /var/ossec/bin/ossec-logtest
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoders.d/01-asl-decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoders.d/10-asl-drupal-decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-exim-decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoders.d/50-asl-waf-decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Reading decoder file etc/decoders.d/75-asl-deltaadmin-decoder.xml.
2013/11/07 03:57:54 ossec-testrule: INFO: Started (pid: 15152).
ossec-testrule: Type one log per line.
[Wed Nov 06 21:02:19 2013] [error] [client xxx.xxx.xxx.xx] ModSecurity: Rule 7f366e423cb8 [id "373763"][file "/etc/httpd/modsecurity.d/98_asl_adv_redactor.conf"][line "69"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "xxxxxxxxxxxxxxxx.xx"] [uri "/wp-admin/options-general.php"] [unique_id "UnqgS1fDTxQAAH74dCEAAAAP"]
**Phase 1: Completed pre-decoding.
full event: '[Wed Nov 06 21:02:19 2013] [error] [client xxx.xxx.xxx.xx] ModSecurity: Rule 7f366e423cb8 [id "373763"][file "/etc/httpd/modsecurity.d/98_asl_adv_redactor.conf"][line "69"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "xxxxxxxxxxxxxxxx.xx"] [uri "/wp-admin/options-general.php"] [unique_id "UnqgS1fDTxQAAH74dCEAAAAP"]'
hostname: 'www'
program_name: '(null)'
log: '[error] [client xxx.xxx.xxx.xx] ModSecurity: Rule 7f366e423cb8 [id "373763"][file "/etc/httpd/modsecurity.d/98_asl_adv_redactor.conf"][line "69"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "xxxxxxxxxxxxxxxx.xx"] [uri "/wp-admin/options-general.php"] [unique_id "UnqgS1fDTxQAAH74dCEAAAAP"]'
**Phase 2: Completed decoding.
decoder: 'apache-errorlog'
**Phase 3: Completed filtering (rules).
Rule id: '30101'
Level: '0'
Description: 'Apache error messages grouped.'
Re: PCRE limits exceeded
Posted: Thu Nov 07, 2013 5:05 am
by DarkF@der
Re: PCRE limits exceeded
Posted: Thu Nov 07, 2013 5:07 am
by mikeshinn
Something's not right with your rules. What's the output of this command:
aum -uf
And does this continue after that? If it does, what's the output of this command:
cat /etc/asl/rules
Re: PCRE limits exceeded
Posted: Thu Nov 07, 2013 6:42 am
by prupert
This rule 373763 is part of MODSEC_98_ADV_REDACTOR, which should not have been enabled on your system (unless you have specifically done so). See also
https://www.atomicorp.com/wiki/index.ph ... actor.conf
We are under the suspicion that an error in an ASL rule update has caused this rule set to be enabled. This has caused a very significant number of false positives, mainly by rules 373763 and 373764.
I recommend every ASL admin to make sure their rules are updated ("aum -uf"), and manually confirm that MODSEC_98_ADV_REDACTOR is disabled in /etc/asl/config, and thus that 98_asl_adv_redactor.conf is not listed in /etc/httpd/modsecurity.d/.
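Added example (not part of the original thread, and not Atomicorp code): a Python script that tallies "PCRE limits exceeded" execution errors in an Apache error log by rule id and rule file, and lists the rule ids still firing from 98_asl_adv_redactor.conf after the update. The sample lines are constructed from the log entry quoted above; rule id 999999 and example_rules.conf are hypothetical.

```python
import re
from collections import Counter

# ModSecurity 2.x writes rule metadata as [key "value"] pairs in the Apache error log.
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
PCRE_RE = re.compile(r"ModSecurity: .*Execution error - PCRE limits exceeded \((-?\d+)\)")
# The number in parentheses is the PCRE library's return code.
PCRE_CODES = {-8: "PCRE_ERROR_MATCHLIMIT", -21: "PCRE_ERROR_RECURSIONLIMIT"}

def parse_pcre_error(line):
    """Return the bracketed fields of a PCRE-limit execution error, or None."""
    m = PCRE_RE.search(line)
    if m is None:
        return None
    fields = dict(FIELD_RE.findall(line))
    code = int(m.group(1))
    fields["pcre_code"] = code
    fields["pcre_name"] = PCRE_CODES.get(code, "unknown")
    return fields

def tally(lines, unwanted_file="98_asl_adv_redactor.conf"):
    """Count errors per (rule id, rule file); collect ids loaded from unwanted_file."""
    counts, unwanted_ids = Counter(), set()
    for line in lines:
        ev = parse_pcre_error(line)
        if ev is None:
            continue
        rule_id, rule_file = ev.get("id", "?"), ev.get("file", "?")
        counts[(rule_id, rule_file)] += 1
        if rule_file.rsplit("/", 1)[-1] == unwanted_file:
            unwanted_ids.add(rule_id)
    return counts, sorted(unwanted_ids)

# Constructed sample lines in the format of the log entry quoted in this thread.
REDACTOR = "/etc/httpd/modsecurity.d/98_asl_adv_redactor.conf"
TEMPLATE = ('[Wed Nov 06 21:02:19 2013] [error] [client 192.0.2.10] ModSecurity: Rule 7f366e423cb8 '
            '[id "{id}"][file "{file}"][line "69"] - Execution error - PCRE limits exceeded ({code}): (null). '
            '[hostname "example.test"] [uri "/wp-admin/options-general.php"] [unique_id "CONSTRUCTED"]')
SAMPLE = [
    TEMPLATE.format(id="373763", file=REDACTOR, code=-8),
    TEMPLATE.format(id="373763", file=REDACTOR, code=-8),
    TEMPLATE.format(id="373764", file=REDACTOR, code=-8),
    # Hypothetical rule id and file: an error from a rule set that is meant to be loaded.
    TEMPLATE.format(id="999999", file="/etc/httpd/modsecurity.d/example_rules.conf", code=-21),
    "[Wed Nov 06 21:02:20 2013] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico",
]

if __name__ == "__main__":
    counts, unwanted_ids = tally(SAMPLE)
    for (rule_id, rule_file), n in counts.most_common():
        print(f"{n:4d}  id={rule_id}  {rule_file}")
    print("rule ids firing from a file that should not be loaded:", unwanted_ids)
```

An empty list of unwanted rule ids over log entries written after the rules update is consistent with the rule set no longer being loaded.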