mod_security TX:MSC_PCRE_LIMITS_EXCEEDED

Sunday morning, nothing working, *waves fist*. I am working my way through logs, finding rule after rule being triggered and adding each one to a do-not-use list. The common factor in all of these appears to be ModSecurity and TX:MSC_PCRE_LIMITS_EXCEEDED.

After realising that turning off the rules it is presenting is becoming a tiring task and getting me nowhere, it becomes apparent that the error message is a lot more about mod_security than it is about the rules it is running into.

The machine in question was running Plesk, and the mod_security / WAF error log can be found here:

/var/log/modsec_audit.log

An extract might look a little like this:

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 5564c42b66d0 [id "225200"][file "/etc/httpd/conf/modsecurity.d/rules/provider/28_Apps_WordPress.conf"][line "154"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "domain.tld"] [uri "/wp-admin/load-styles.php"] [unique_id "W8MCLFRUeqGf81MxuVB48AAAAMM"]

Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "40"] [id "200004"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [hostname "domain.tld"] [uri "/wp-admin/load-styles.php"] [unique_id "W8MCLFRUeqGf81MxuVB48AAAAMM"]
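To see which rules and URIs are involved before touching any limits, the log can be tallied. The following is an added example, not part of the original post: it parses lines in the format shown above, and the embedded sample is just those two lines. The mapping of the number in brackets to a directive assumes the standard PCRE 1.x return codes (-8 match limit, -21 recursion limit).

```python
import re
from collections import Counter

# Sample input: the two audit-log lines quoted in the post above.
SAMPLE_LOG = r'''
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Rule 5564c42b66d0 [id "225200"][file "/etc/httpd/conf/modsecurity.d/rules/provider/28_Apps_WordPress.conf"][line "154"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "domain.tld"] [uri "/wp-admin/load-styles.php"] [unique_id "W8MCLFRUeqGf81MxuVB48AAAAMM"]
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 123.123.123.123] ModSecurity: Access denied with code 403 (phase 2). Match of "streq 0" against "TX:MSC_PCRE_LIMITS_EXCEEDED" required. [file "/etc/httpd/conf.d/mod_security.conf"] [line "40"] [id "200004"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [hostname "domain.tld"] [uri "/wp-admin/load-styles.php"] [unique_id "W8MCLFRUeqGf81MxuVB48AAAAMM"]
'''

# Assumption: the number in "PCRE limits exceeded (N)" is the PCRE 1.x return code.
PCRE_CODES = {-8: "SecPcreMatchLimit", -21: "SecPcreMatchLimitRecursion"}

RULE_RE = re.compile(
    r'Rule \S+ \[id "(?P<id>\d+)"\]\[file "(?P<file>[^"]+)"\]\[line "(?P<line>\d+)"\]'
    r' - Execution error - PCRE limits exceeded \((?P<code>-?\d+)\)')
DENY_RE = re.compile(r'Access denied with code \d+.*TX:MSC_PCRE_LIMITS_EXCEEDED')
URI_RE = re.compile(r'\[uri "(?P<uri>[^"]*)"\]')

def summarise(lines):
    """Tally which rules exhaust a PCRE limit and which URIs get denied for it."""
    exceeded, denied = Counter(), Counter()
    for line in lines:
        uri_m = URI_RE.search(line)
        uri = uri_m.group("uri") if uri_m else "?"
        m = RULE_RE.search(line)
        if m:
            code = int(m.group("code"))
            directive = PCRE_CODES.get(code, "unknown (%d)" % code)
            key = (m.group("id"), m.group("file"), m.group("line"), directive, uri)
            exceeded[key] += 1
        elif DENY_RE.search(line):
            # The follow-up rule that turns the internal flag into a 403.
            denied[uri] += 1
    return exceeded, denied

if __name__ == "__main__":
    exceeded, denied = summarise(SAMPLE_LOG.splitlines())
    for (rid, path, lineno, directive, uri), n in exceeded.most_common():
        print(f"{n}x rule {rid} ({path}:{lineno}) hit {directive} on {uri}")
    for uri, n in denied.most_common():
        print(f"{n}x request denied for {uri}")
```

Run against the real log by passing `open("/var/log/modsec_audit.log", errors="replace")` to `summarise` instead of the sample; re-running it after a limit change shows whether the same rules are still exhausting it.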

The issue is down to mod_security itself (its PCRE limits being exceeded) as opposed to the rules that are being read.

I am guessing the lower number is intended to prevent it from becoming swamped and essentially forming a DoS.

The good news is, however - increasing the number resolves the problem.

Happy days.

So - with this in mind:

/etc/httpd/conf.d/mod_security.conf

Locate the following values:

SecPcreMatchLimit 1000
SecPcreMatchLimitRecursion 1000

Update these to something more like:

SecPcreMatchLimit 50000
SecPcreMatchLimitRecursion 50000

Now restart the web services involved - so in this case, this will be:

service nginx restart

service httpd restart

Now, it's time for tea, medals, and on with Sunday having boxed off the stress of Y U NO WORK?!

 

One Response to “mod_security TX:MSC_PCRE_LIMITS_EXCEEDED”

  • anthony
    5 years ago

    Wow – okay – strike that – make that 500,000 (without the comma) – still exhausting on Monday.
