Re: [mod-security-users] Execution error - PCRE limits exceeded (-8): (null)
Brought to you by:
victorhora,
zimmerletw
Menu
▾
▴
Re: [mod-security-users] Execution error - PCRE limits exceeded (-8): (null)
|
From: Walter H. <mo...@sp...> - 2021-10-27 12:29:32
|
Hi Filip, This error can happen if ModSecurity’s regular expression engine (PCRE) is doing more work than the allowed limit. ModSecurity then stops running the rule. It could be that somebody sent a really complex or large request to your machine (if the error happened in a request rule). Or perhaps, your page or response returned was really large (if the error happened in a response rule). The reason for this limit is to prevent a DoS on your server by sending malicious payloads (or eliciting complex responses) that stress the regular expression engine and eat up all your CPU time. So it is smart to keep a limit on the regex work. But often you will need to raise the PCRE limits to a level that the errors are gone or almost gone. You can define ModSecurity’s PCRE limits in your mod_security2.conf with the commands SecPcreMatchLimit and SecPcreMatchLimitRecursion. For instance, you could set them as follows: SecPcreMatchLimit 100000 SecPcreMatchLimitRecursion 100000 I personally have not needed to set them any higher than 100000. But I know that some use higher values, such as 200000 or 250000. These numbers are passed by ModSecurity to the PCRE library. For in-depth information about how it uses these numbers, please see http://pcre.org/original/doc/html/pcreapi.html <http://pcre.org/original/doc/html/pcreapi.html> and look for ‘limits’. Another angle is to look at the log file to see which rule exceeded the limit. It is possible that you might not need that rule. For instance, I often received your same error on Core Rule Set’s 951190 rule. That rule prevents Ingres SQL information leakages. I don’t use Ingres ever. So, instead of raising the PCRE limits even more, I just disable that rule. You can disable a rule by adding the following to your .conf file: SecRuleRemoveById 123456 Where 123456 is the rule ID that you want to disable. Note that disabling rules might open up attack vectors, so always do this carefully. Hope this helps! Kind regards, Walter Hop Core Rule Set co-lead > On 27 Oct 2021, at 12:37, Filip Bartmann <fi...@ce...> wrote: > > Hello, > I starting to use mod_security for Apache2 with crs and in log i many times see: > > Execution error - PCRE limits exceeded (-8): (null) > > How can I prevent this? > > Thanks, > Filip Bartmann > > > _______________________________________________ > mod-security-users mailing list > mod...@li... > https://lists.sourceforge.net/lists/listinfo/mod-security-users > Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: > http://www.modsecurity.org/projects/commercial/rules/ > http://www.modsecurity.org/projects/commercial/support/ |
