OWASP REQUEST-942 ModSecurity Issue
Here I go again about ModSecurity and OWASP rules... lol...
I know I should install CSF, but as they are out of business and cPanel perhaps comes up with an option for it next year, it's better to wait a little longer and make the necessary changes only once.
I've been using the full OWASP 3.0 rule set (all 22) for a few months, not only to block attacks but to reduce useless traffic that was draining server resources, and it's been doing a good job so far.
A couple of days ago, after upgrading WordPress and WooCommerce to their latest versions, I could see a few lsapi errors, nothing that really caught my attention.
Yesterday, I saw quite a lot of real visitors' log entries under ModSecurity: Rule 558088d56600 [id "942360"][file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "81"] - Execution error - PCRE limits exceeded (-47): (null)
Today, the log was flooded with the same errors, including my personal internet connection IP. Server load was pretty high due to lsphp processes and only returned to normal levels when I disabled the OWASP rules.
I tried to search around and couldn't find any info about those upgrades that could cause it, and as far as I could see, there was no OWASP rule set upgrade recently.
-
Hey hey! The last ModSecurity update was November 20th, but that specific rule has been in place forever. If the attack isn't legitimate you may need to whitelist that specific rule so the site functions normally.
If you have modified the SecPcreMatchLimit or SecPcreMatchLimitRecursion values mentioned here, https://docs.cpanel.net/whm/security-center/modsecurity-configuration/, that could also be causing that issue.
0 -
What's pretty strange is my modsec2.user.conf is blank, so everything is default.
Also strange that I myself was getting caught by this rule when clicking around WordPress admin pages. I mean, I wasn't even running any routine or anything.
0 -
I don't have a great explanation, other than maybe that rule is just a bit overprotective and needs to be whitelisted.
0 -
Hi,
The default values for the PCRE match limit are very, very low with ModSecurity. You can go to 500K usually without harming your set. But for your information: the PCRE match limit is meant to reduce the chance of a DoS attack via regular expressions. So by raising the limit you raise your vulnerability in this regard, but the PCRE errors are much worse from a security perspective.
SecPcreMatchLimit 1500 (Default)
SecPcreMatchLimitRecursion 1500 (Default)
Try to slowly increase the two values, keeping them equal, until you get no errors.
This problem also arose for me with the ModSecurity 2.9.10 update and OWASP.
I solved it by slightly increasing the two values:
SecPcreMatchLimit 20000
SecPcreMatchLimitRecursion 200000
-
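Before choosing between whitelisting rule 942360 and raising the PCRE limits, it helps to see which rules are failing, how often, and for which clients: errors triggered by your own admin IP point to a false positive rather than an attack, which is the situation this thread describes. The following is an added Python example (not code from the thread, cPanel, ModSecurity or the OWASP project). It parses Apache error-log lines modelled on the entry quoted above and summarises "PCRE limits exceeded" events per rule id. The sample log lines, the client IPs, hostnames, URIs, unique_ids and rule id 999001 are constructed placeholders, and the exact log layout is an assumption based on that one quoted entry.

```python
import re
import sys

# Constructed sample lines in Apache 2.4 error-log style. The ModSecurity part is
# modelled on the "PCRE limits exceeded" entry quoted in the thread; everything
# else (IPs, hostnames, URIs, unique_ids, rule id 999001) is a placeholder.
SAMPLE_LOG = """\
[Tue Dec 01 10:01:12.101 2020] [:error] [pid 101] [client 203.0.113.10:51234] ModSecurity: Rule 558088d56600 [id "942360"][file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "81"] - Execution error - PCRE limits exceeded (-47): (null) [hostname "shop.example"] [uri "/wp-admin/edit.php"] [unique_id "u1"]
[Tue Dec 01 10:01:15.202 2020] [:error] [pid 102] [client 198.51.100.7:40001] ModSecurity: Rule 558088d56600 [id "942360"][file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "81"] - Execution error - PCRE limits exceeded (-47): (null) [hostname "shop.example"] [uri "/wp-admin/post.php"] [unique_id "u2"]
[Tue Dec 01 10:02:03.303 2020] [:error] [pid 103] [client 203.0.113.10:51240] ModSecurity: Rule 558088d56600 [id "942360"][file "/etc/apache2/conf.d/modsec_vendor_configs/OWASP3/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"][line "81"] - Execution error - PCRE limits exceeded (-47): (null) [hostname "shop.example"] [uri "/?wc-ajax=get_refreshed_fragments"] [unique_id "u3"]
[Tue Dec 01 10:02:30.404 2020] [:error] [pid 104] [client 192.0.2.55:33333] ModSecurity: Rule 558088d5aaaa [id "999001"][file "/etc/apache2/conf.d/modsec2.user.conf"][line "12"] - Execution error - PCRE limits exceeded (-47): (null) [hostname "shop.example"] [uri "/"] [unique_id "u4"]
[Tue Dec 01 10:03:00.505 2020] [:error] [pid 105] [client 192.0.2.55:33340] ModSecurity: Access denied with code 403 (phase 2). Pattern match "x" at ARGS:q. [file "/etc/apache2/conf.d/modsec2.user.conf"] [line "1"] [id "999001"] [hostname "shop.example"] [uri "/search"] [unique_id "u5"]
"""

# Matches only the execution-error form quoted in the thread: the [id][file][line]
# tags are contiguous and are followed by "PCRE limits exceeded (<code>)".
# Ordinary "Access denied" entries do not match and are ignored.
PCRE_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: .*?'
    r'\[id "(?P<rule_id>\d+)"\]\[file "(?P<file>[^"]+)"\]\[line "(?P<line>\d+)"\]'
    r' - Execution error - PCRE limits exceeded \((?P<code>-?\d+)\)'
)


def summarize_pcre_errors(log_text):
    """Return {rule_id: {count, clients, file, line, codes}} for every
    'PCRE limits exceeded' entry in log_text."""
    summary = {}
    for raw in log_text.splitlines():
        m = PCRE_RE.search(raw)
        if not m:
            continue
        client = m.group("client")
        # Apache 2.4 logs "ip:port"; strip the port for IPv4 (an IPv6 literal
        # contains more than one colon and is kept as logged).
        if client.count(":") == 1:
            client = client.split(":", 1)[0]
        entry = summary.setdefault(m.group("rule_id"), {
            "count": 0, "clients": set(), "file": m.group("file"),
            "line": int(m.group("line")), "codes": set(),
        })
        entry["count"] += 1
        entry["clients"].add(client)
        entry["codes"].add(int(m.group("code")))
    return summary


def rules_hitting_trusted_clients(summary, trusted_clients):
    """Rule ids whose PCRE failures were triggered by clients you know are
    legitimate (e.g. your own admin IP). Those failures are false positives
    rather than attacks, so the fix is tuning limits or the rule, not blocking."""
    trusted = set(trusted_clients)
    return sorted(rid for rid, e in summary.items() if e["clients"] & trusted)


def format_report(summary):
    """Human-readable one-line-per-rule report, most frequent rule first."""
    lines = []
    for rid, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        lines.append(
            f'id {rid}: {e["count"]} PCRE failures from {len(e["clients"])} client(s) '
            f'({", ".join(sorted(e["clients"]))}) codes={sorted(e["codes"])} '
            f'at {e["file"]}:{e["line"]}'
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python pcre_triage.py [/path/to/apache/error_log] [trusted_ip ...]
    # With no arguments the constructed sample above is analysed.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    trusted = sys.argv[2:] or ["203.0.113.10"]  # placeholder admin IP
    summary = summarize_pcre_errors(text)
    print(format_report(summary))
    print("rules failing for trusted clients:", rules_hitting_trusted_clients(summary, trusted))
```

A rule that fails for a couple of known-good clients on admin URIs is the false-positive case; a rule that fails for many unrelated clients on the same URI with unusually long parameters is worth looking at before the limits are raised, since the match limit exists to bound regex work per request.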
ciao70, keep in mind that further down in that Atomicorp document they actually suggest even higher values on a modern system. Of course, if you don't get any errors with 20000 then there's no need to raise it. And I trust Atomicorp over pretty much anyone. Been using their rules for more than a decade.
SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000
0 -
Of course, considering that those values are set to 1500 by default in ModSecurity, it's not necessary to increase them too much. I gradually increased them until the warning disappeared. Obviously, I kept the value a little higher. ;)
0 -
Thank you all for your comments. I'm going to give that a shot and let's see how it goes.