Re: [mod-security-users] Don't understand why this rule is triggering - 973347
From: Madden, J. <Joe...@mo...> - 2020-03-20 12:45:08
Hi all,
I've had a rule trigger as part of a webapp that sits in front of mod security.
The log entry is below; at first I thought it was an issue with
SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000
But setting these to 9999999999999999 to rule it out made no difference, and in actual fact, even set to 1000, it is now fine.
I ended up excluding OWASP rule 973347 from the page, which seems to have fixed the issue.
Could anyone explain why? I don't see why the following request would trigger the rule in question.
--5b210061-A--
[20/Mar/2020:12:06:56 +0000] XnSx3xYuJtXNqpDeWlecIwAAABA 1.1.1.1 10752 10.0.39.10 443
--5b210061-B--
POST /webclient/secure/strategies/edit?scn=DURHAM0000025797 HTTP/1.1
Host: web.internet.info
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 6595
Origin: https://web.internet.info
Connection: keep-alive
Referer: ###############
Cookie: JSESSIONID=986ACBF183789B53A607AAA54283698F
Upgrade-Insecure-Requests: 1
--5b210061-C--
deleteStrategy=N&strategyRule=%7B%22data%22%3A%22AND%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225396%22%2C%22nodeType%22%3A%22OPERATOR%22%7D%2C%22children%22%3A%5B%7B%22data%22%3A%22test+12%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225370%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test+11%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225369%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test+10%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225368%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test+9%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225367%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test+8%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225366%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test+7%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225365%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test+12%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225370%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test+8%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225366%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test+11%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225369%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test+12%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225370%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%
2C%7B%22data%22%3A%22test+11%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225369%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test+10%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225368%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test+9%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225367%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test+8%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225366%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test+7%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225365%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test+6%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225364%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test+5%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225363%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test+3%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225361%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test2%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225360%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%2C%7B%22data%22%3A%22test%22%2C%22state%22%3A%22leaf%22%2C%22attr%22%3A%7B%22systemCodeNumber%22%3A%225359%22%2C%22nodeType%22%3A%22EXPRESSION%22%7D%2C%22children%22%3A%5B%5D%7D%5D%7D&strategyResponse=%7B%22strategy%22%3A%22DURHAM0000025797%22%2C%22responseDuration%22%3A0%2C%22responseFixedPeriod%22%3A%22N%22%2C%22logOnly%22%3A%22N%22%2C%22activateOnStartup%22%3A%22N%22%2C%22c
onfirmStart%22%3A%22S%22%2C%22confirmStartWhenFault%22%3A%22N%22%2C%22noStartWhenFault%22%3A%22N%22%2C%22informWhenStartFailure%22%3A%22S%22%2C%22stopWhenStartFailure%22%3A%22N%22%2C%22informWhenStopFailure%22%3A%22N%22%2C%22fixedPeriodEndConfirm%22%3A%22N%22%2C%22fxdPeriodEndConfirmRunOnTime%22%3A0%2C%22responseRunOn%22%3A%22N%22%2C%22fixedPeriodEndAutomaticRunOn%22%3A%22N%22%2C%22fixedPeriodEndAutoRunOnTime%22%3A0%2C%22fixedPeriodEndAutoRunOnCount%22%3A0%2C%22responseRuleNoLongerTrue%22%3A%22N%22%2C%22responseRuleNoLongerTrueTime%22%3A0%2C%22responseRepeatFixedPeriod%22%3A%22N%22%2C%22fixedPeriodRepeatCount%22%3A0%2C%22responseRunFixedPeriodOnly%22%3A%22N%22%2C%22defaultAfter%22%3A5%2C%22startOrder%22%3A%22A1044+%22%2C%22stopOrder%22%3A%22A1044+%22%2C%22readyForUse%22%3A%22N%22%2C%22createdBy%22%3A%22mm80700%22%2C%22creationDate%22%3A%22Mar+20%2C+2020+10%3A55%3A24+AM%22%2C%22createdByDataSource%22%3A%22MottMac%22%2C%22updatedBy%22%3A%22mm56570%22%2C%22lastUpdated%22%3A%22Mar+20%2C+2020+11%3A19%3A05+AM%22%2C%22modifiedByDataSource%22%3A%22MottMac%22%2C%22deleteResponse%22%3A%22N%22%2C%22evaluateOnStateChangeOnly%22%3A%22Y%22%2C%22evaluateOnDataUpdateOnly%22%3A%22N%22%2C%22systemCodeNumber%22%3A%226160%22%2C%22utmcType%22%3A%22RESPONSE_DEFINITION%22%2C%22userAcknowledgements%22%3A%5B%5D%7D&description=Ta+Test+Strategy+3&strategyType=Local&publishTo=Not+Published&bypassRuleEvaluation=N&responseDefinition.logOnly=N&responseDefinition.activateOnStartup=N&responseDefinition.confirmStart=S&responseDefinition.confirmStartWhenFault=N&responseDefinition.noStartWhenFault=N&responseDefinition.informWhenStartFailure=S&responseDefinition.stopWhenStartFailure=N&responseDefinition.informWhenStopFailure=N&responseDefinition.evaluateOnStateChangeOnly=Y&responseDefinition.evaluateOnDataUpdateOnly=N&responseDefinition.evaluateOnDataUpdateOnly=N&ruleEvaluation=on&_=on&_=on&_=on&_=on&responseDefinition.responseFixedPeriod=N&responseDefinition.responseDuration=0&responseDefinition.respo
nseRunFixedPeriodOnly=N&responseDefinition.fixedPeriodEndConfirm=N&responseDefinition.fxdPeriodEndConfirmRunOnTime=0&responseDefinition.fixedPeriodEndAutomaticRunOn=N&responseDefinition.fixedPeriodEndAutoRunOnTime=0&responseDefinition.fixedPeriodEndAutoRunOnCount=0&responseDefinition.responseRepeatFixedPeriod=N&responseDefinition.fixedPeriodRepeatCount=0&responseDefinition.responseRuleNoLongerTrue=N&responseDefinition.responseRuleNoLongerTrueTime=0&responseDefinition.defaultAfter=5&excludeSpecialDaysFromSchedule=Y&_=on&furtherComments=+&location.easting=400000.0&location.northing=525000.0
--5b210061-F--
HTTP/1.1 403 Forbidden
Strict-Transport-Security: max-age=63072000; includeSubdomains;
X-Frame-Options: SAMEORIGIN
Content-Length: 234
Keep-Alive: timeout=5, max=96
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
--5b210061-E--
--5b210061-H--
Message: Rule 56290b2ef638 [id "973347"][file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "504"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "40"] [id "200004"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 51.148.60.129] ModSecurity: Rule 56290b2ef638 [id "973347"][file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "504"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "web.internet.info"] [uri "/webclient/secure/strategies/edit"] [unique_id "XnSx3xYuJtXNqpDeWlecIwAAABA"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 51.148.60.129] ModSecurity: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "40"] [id "200004"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [hostname "web.internet.info"] [uri "/webclient/secure/strategies/edit"] [unique_id "XnSx3xYuJtXNqpDeWlecIwAAABA"]
Action: Intercepted (phase 2)
Apache-Handler: proxy-server
Stopwatch: 1584706015759030 619818 (- - -)
Stopwatch2: 1584706015759030 619818; combined=618588, p1=260, p2=618291, p3=0, p4=0, p5=37, sr=108, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.9.
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips
Engine-Mode: "ENABLED"
--5b210061-Z--
Thanks for any help.
Joe.
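The H section of the audit log above shows that the 403 was not an XSS signature match: rule 973347 aborted with "PCRE limits exceeded (-8)", which sets TX:MSC_PCRE_LIMITS_EXCEEDED, and the generic internal-error rule 200004 in mod_security.conf then denied the request. The following Python script is an added example, not code from the list or from the ModSecurity project; it parses the Message lines of a ModSecurity 2.x audit-log H section (the sample is constructed from the post's own lines) and separates the rule that hit the PCRE limit from the rule that actually issued the block, which is the first thing to check when triaging such a denial.

```python
import re

# Constructed sample: the three lines mirror the H section in the post above.
SAMPLE_H_SECTION = """\
Message: Rule 56290b2ef638 [id "973347"][file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_xss_attacks.conf"][line "504"] - Execution error - PCRE limits exceeded (-8): (null).
Message: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "40"] [id "200004"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"]
Action: Intercepted (phase 2)
"""

# Bracketed key/value tags such as [id "973347"] or [line "504"].
TAG_RE = re.compile(r'\[(\w+) "([^"]*)"\]')
# The PCRE error code ModSecurity reports when a regex hits the match or recursion limit.
PCRE_LIMIT_RE = re.compile(r"PCRE limits exceeded \((-?\d+)\)")


def parse_messages(section):
    """Return one dict per 'Message:' line: the free text plus its bracketed tags."""
    entries = []
    for line in section.splitlines():
        if not line.startswith("Message: "):
            continue
        text = line[len("Message: "):]
        entry = {"text": text, **dict(TAG_RE.findall(text))}
        match = PCRE_LIMIT_RE.search(text)
        if match:
            entry["pcre_error"] = int(match.group(1))  # -8 is PCRE_ERROR_MATCHLIMIT
        entries.append(entry)
    return entries


def pcre_limit_hits(section):
    """Ids of rules whose regex aborted on the PCRE limits (the rules to review or tune)."""
    return [e["id"] for e in parse_messages(section) if "pcre_error" in e]


def blocked_by_internal_error(section):
    """True when the deny came from the internal-error rule 200004, not from a signature match."""
    return any(
        e.get("id") == "200004" and "MSC_PCRE_LIMITS_EXCEEDED" in e["text"]
        for e in parse_messages(section)
    )


if __name__ == "__main__":
    print("rules that hit PCRE limits:", pcre_limit_hits(SAMPLE_H_SECTION))
    print("denied by rule 200004:", blocked_by_internal_error(SAMPLE_H_SECTION))
```

Run over a real audit log, the script points at 973347 as the rule whose regex needs tuning (or a per-location exclusion, as done in the post) rather than at 200004, which only reports the failure.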