Error compiling pattern (offset 0): regular expression too large

Hello ,
I am getting the following error when trying to install rules for WAF. how can I fix it ?

05/05/14 04:12:28 updater[27101] debug is ON, level = 10
05/05/14 04:12:28 updater[27101] create pid file
05/05/14 04:12:28 updater[27101] try to get data from CWAF server
05/05/14 04:12:28 updater[27101] lwp_params: timeout=60 sec, save_to_file flag: 0
05/05/14 04:12:29 updater[27101] normalize content
05/05/14 04:12:29 updater[27101] parse JSON from CWAF server
05/05/14 04:12:29 updater[27101] got answer from CWAF (OK)
05/05/14 04:12:29 updater[27101] save response
05/05/14 04:12:29 updater[27101] lwp_params: timeout=60 sec, save_to_file flag: 1
05/05/14 04:12:29 updater[27101] file has been downloaded successfully: cwaf_rules-1.06.tgz
05/05/14 04:12:29 updater[27101] /var/cpanel/cwaf/tmp/rules.tgz original md5sum - 8122f272045cc9a25c63ad15d599f2dd
05/05/14 04:12:29 updater[27101] /var/cpanel/cwaf/tmp/rules.tgz local md5sum - 8122f272045cc9a25c63ad15d599f2dd
05/05/14 04:12:29 updater[27101] file successfully saved (/var/cpanel/cwaf/tmp/rules.tgz)
05/05/14 04:12:29 updater[27101] make backup for previous rules version
05/05/14 04:12:29 updater[27101] workdir is /var/cpanel/cwaf/tmp/rules/workdir1
05/05/14 04:12:29 updater[27101] workdir is /var/cpanel/cwaf/tmp/rules/workdir1
05/05/14 04:12:29 updater[27101] prepare to remove directory /var/cpanel/cwaf/tmp/rules/workdir2
05/05/14 04:12:29 updater[27101] remove directory /var/cpanel/cwaf/tmp/rules/workdir2
05/05/14 04:12:30 updater[27101] set work directory (/var/cpanel/cwaf/tmp/rules/workdir2)
05/05/14 04:12:30 updater[27101] extract rules
05/05/14 04:12:30 updater[27101] ERROR: wrong syntax of apache config file
05/05/14 04:12:30 updater[27101] cpanel info: Configuration problem detected on line 58 of file /var/cpanel/cwaf/rules/cwaf_05.conf: Error creating rule: Error compiling pattern (offset 0): regular expression too large

--- /var/cpanel/cwaf/rules/cwaf_05.conf ---
52SecRule REQUEST_COOKIES "@rx a:[0-9]{4,}:{(.*R:.*){4000,}" \
53	"id:220000,\
54	msg:'COMODO WAF: found CVE 2007-1286 attack',\
55	phase:1,\
56	deny,\
57	status:504,\
58 ===> 	t:none"

<===
59SecRule REQUEST_LINE “@contains /includes/header.php”
60 "chain,
61 id:220010,
62 msg:‘COMODO WAF: found CVE-2008-2898 attack’,
63 phase:2,
64 deny,
— /var/cpanel/cwaf/rules/cwaf_05.conf —

05/05/14 04:12:30 updater[27101] apache httpd restart failed (try 1)
05/05/14 04:12:30 updater[27101] workdir is /var/cpanel/cwaf/tmp/rules/workdir2
05/05/14 04:12:30 updater[27101] set work directory (/var/cpanel/cwaf/tmp/rules/workdir1)
05/05/14 04:12:30 updater[27101] update failed, restore previous rules version
05/05/14 04:12:40 updater[27101] successful apache httpd restart
05/05/14 04:12:40 updater[27101] update successful
05/05/14 04:12:40 updater[27101] update process finished!

Hi,

You can try to add the following directives in your httpd.conf:

SecPcreMatchLimit 150000
SecPcreMatchLimitRecursion 150000

I already have these lines in my modsec2.conf :

SecRuleEngine On SecAuditEngine RelevantOnly SecAuditLog logs/modsec_audit.log SecDebugLog logs/modsec_debug.log SecDebugLogLevel 0 SecRequestBodyAccess On SecDataDir /tmp SecTmpDir /tmp SecPcreMatchLimit 150000 SecPcreMatchLimitRecursion 150000 Include "/var/cpanel/cwaf/etc/cwaf.conf"

Please, PM me your cwaf_05.conf as attachment, I’ll check it.

I am just trying to install standard rules version 1.06
You can see it in the first log I provided :

file has been downloaded successfully: cwaf_rules-1.06.tgz

the log also mentions which rule causes this error :

SecRule REQUEST_COOKIES "[at]rx a:[0-9]{4,}:{(.*R:.*){4000,}" \
   53   "id:220000,\
   54   msg:'COMODO WAF: found CVE 2007-1286 attack',\
   55   phase:1,\
   56   deny,\
   57   status:504,\
   58    t:none"

do you still need me to send you the cwaf_05.conf ?

I updated my mod_security and I was able to successfully install rules 1.08 , I believe problem was outdated mod_security.

Seems it was broken file.