PCRE limit exceeded

[quenenni]

Server: Debian Wheezy
libapache2-mod-security2: v2.8.0-2~bpo70+1
modsec rules: v3

---

On our new server, with for the moment only few low traffic websites, I have lots of "PCRE limits exceeded".
On our old server, I thought it normal as it was not a powerful one anymore and lots of websites on it.

But here, I wonder why I have so many.

I already updated the directives SecPcreMatchLimit & SecPcreMatchLimitRecursion to 2000 to see if there is a difference.

And I'm afraid that it will become a problem later when all the websites will have been migrated on this new server.

The rules that generate these PCRE errors are:
(between () is the number of times for each)

"/etc/modsecurity/RESPONSE-51-DATA-LEAKAGES-SQL.conf"][line "100"] -> id:951120 (131)
"/etc/modsecurity/RESPONSE-51-DATA-LEAKAGES-SQL.conf"][line "280"] -> id:951180 (19)
"/etc/modsecurity/RESPONSE-51-DATA-LEAKAGES-SQL.conf"][line "311"] -> id:951190 (122)
"/etc/modsecurity/RESPONSE-51-DATA-LEAKAGES-SQL.conf"][line "372"] -> id:951210 (122)
"/etc/modsecurity/RESPONSE-51-DATA-LEAKAGES-SQL.conf"][line "402"] -> id:951220  (138)
"/etc/modsecurity/RESPONSE-51-DATA-LEAKAGES-SQL.conf"][line "432"] -> id:951230 (122)
"/etc/modsecurity/RESPONSE-51-DATA-LEAKAGES-SQL.conf"][line "462"] -> id:951240 (122)
"/etc/modsecurity/RESPONSE-51-DATA-LEAKAGES-SQL.conf"][line "492"] -> id:951250 (131)
"/etc/modsecurity/RESPONSE-51-DATA-LEAKAGES-SQL.conf"][line "522"] -> id:951260 (122)

Total: 1029 out of 1144

"/etc/modsecurity/REQUEST-41-APPLICATION-ATTACK-XSS.conf"][line "211"] -> id:941140 (12)
"/etc/modsecurity/REQUEST-41-APPLICATION-ATTACK-XSS.conf"][line "249"] -> id:941150 (6)
"/etc/modsecurity/REQUEST-41-APPLICATION-ATTACK-XSS.conf"][line "286"] -> id:941160 (20)
"/etc/modsecurity/REQUEST-41-APPLICATION-ATTACK-XSS.conf"][line "415"] -> id:941200 (16)
"/etc/modsecurity/REQUEST-41-APPLICATION-ATTACK-XSS.conf"][line "739"] -> id:941310 (24)
"/etc/modsecurity/REQUEST-41-APPLICATION-ATTACK-XSS.conf"][line "856"] -> id:941330 (16)

Total: 94 out of 1144

"/etc/modsecurity/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"][line "242"] -> id:942240 (7)
"/etc/modsecurity/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"][line "265"] -> id:942250 (7)
"/etc/modsecurity/REQUEST-42-APPLICATION-ATTACK-SQLI.conf"][line "617"] -> id:942210 (7)

Total: 21 out of 1144

Can I change the directives SecPcreMatchLimit & SecPcreMatchLimitRecursion to a higher number?
Won't be that a problem for performances later when the server will have plenty of websites?

Is there any other variable I can play with?

I attached modsec logs for each of these errors.

PCRE-REQUEST-41-APPLICATION-ATTACK-XSS.txt
PCRE-REQUEST-42-APPLICATION-ATTACK-SQLI.txt
PCRE-RESPONSE-51-DATA-LEAKAGES-SQL.txt

[zimmerle]

Hi @quenenni,

Are you running Apache altogether with PHP and ModSecurity ?

Do you mind to share your ModSecurity's initialization lines? You can find those in your error log, just after restart the server.

[quenenni]

@zimmerle : of course, all you need..

Yes, Apache / Php & Modsec.

[Sat Jul 02 10:05:13 2016] [warn] Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Sat Jul 02 10:05:14 2016] [notice] ModSecurity for Apache/2.8.0 (http://www.modsecurity.org/) configured.
[Sat Jul 02 10:05:14 2016] [notice] ModSecurity: APR compiled version="1.4.6"; loaded version="1.4.6"
[Sat Jul 02 10:05:14 2016] [notice] ModSecurity: PCRE compiled version="8.30 "; loaded version="8.30 2012-02-04"
[Sat Jul 02 10:05:14 2016] [notice] ModSecurity: LUA compiled version="Lua 5.1"
[Sat Jul 02 10:05:14 2016] [notice] ModSecurity: LIBXML compiled version="2.8.0"
[Sat Jul 02 10:05:14 2016] [notice] ModSecurity: StatusEngine call: "2.8.0,Apache,1.4.6/1.4.6,8.30/8.30 2012-02-04,Lua 5.1,2.8.0,87"
[Sat Jul 02 10:05:14 2016] [notice] ModSecurity: StatusEngine call successfully sent. For more information visit: http://status.modsecurity.org/
[Sat Jul 02 10:05:14 2016] [notice] FastCGI: process manager initialized (pid 10440)
[Sat Jul 02 10:05:15 2016] [notice] Apache/2.2.22 (Debian) mod_fastcgi/mod_fastcgi-SNAP-0910052141 PHP/5.4.45-0+deb7u4 mod_ssl/2.2.22 OpenSSL/1.0.1e configured -- resuming normal operations

If you need more infos, don't hesitate to ask.

Thanks

[quenenni]

I noticed that our PCRE version (libpcre3) is quite old (v8.30 - 2012-02-04).
Is that the reason behind the problems I have?
Unfortunately, no libpcre3 package available in wheezy-backports.
Debian Jessie proposes v8.35-3.3+deb8u4
But as libpcre depends from libc6, it's not possible to install it while we are still on Debian Weezy.

If it's indeed the case, libpcre3 too old, well, we'll do with it.
If you see another possible reason, I'll gladly hear it.

Thanks

[zimmerle]

Hi @quenenni,

The old version of pcre should not be a problem, I was more concerned about a version mismatch. In case of a version mismatch (Apache and ModSecurity using different versions) weird behavior is expected.

ModSecurity shares the Apache memory space with every other modules, so it is possible that a second module is reducing the PCRE limits. It worth to check.