Hello,
Before switching to the CWAF rules I was using the Atomicorp Realtime (Paid) rules, with which I never experienced such an error message.
Now, with the CWAF rules, for every WHMCS page I visit (no matter if it’s the client area or the admin area), I get an "Execution error - PCRE limits exceeded (-8): (null)." message.
I have already configured my modsec.conf with:
SecPcreMatchLimit 200000
SecPcreMatchLimitRecursion 200000
and my php.ini with:
pcre.backtrack_limit = 10000000
pcre.recursion_limit = 10000000
however the error still comes up. There’s also another user in WHT who’s experiencing the same issue - so I don’t think I’m alone.
Here’s the complete audit log (I have changed IPs, hostnames, cookie data for safety):
Rule 70e4528 [id "20020"][file "/var/cpanel/cwaf/rules/cwaf_05.conf"][line "45"] - Execution error - PCRE limits exceeded (-8): (null).
[02/Jan/2014:18:15:02 +0000] UsWspKINnKwAAVHoOW4AAABB 94.xxx.xxx.172 15879 162.xxx.xxx.172 443
--37febb21-B--
GET /admin-area-url/clients.php HTTP/1.1
Host: xxxxxx
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://xxxxx/admin-area-url/supporttickets.php
Cookie: sortdata=xxxxxxxxxxxx
Connection: keep-alive
--37febb21-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.4.23
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: WHMCSFD=xxxxxxxxxxxx; path=/; httponly
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
--37febb21-H--
Message: Rule 70e4528 [id "20020"][file "/var/cpanel/cwaf/rules/cwaf_05.conf"][line "45"] - Execution error - PCRE limits exceeded (-8): (null).
Stopwatch: 1388686500650444 1862140 (- - -)
Stopwatch2: 1388686500650444 1862140; combined=257009, p1=2509, p2=254233, p3=31, p4=194, p5=41, sr=0, sw=1, l=0, gc=0
Producer: ModSecurity for Apache/2.7.5 (http://www.modsecurity.org/).
Server: Apache
Engine-Mode: "ENABLED"
The rule itself is
SecRule REQUEST_HEADERS:Cookie "@rx ^(.*;)*=(;.*)*$" \
"id:20020,\
msg:'COMODO WAF: see rule description',\
phase:1,\
deny,\
status:403,\
log"
and line 45 is the “log” line.
PS: None of the Cookie or Set-Cookie data contain “@rx”.
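
Added example, not part of the original post or of the CWAF rule set: a Python sketch of why the nested quantifier in rule 20020's pattern can run into a backtracking limit on an ordinary multi-cookie header, and an exhaustive check that a flat pattern accepts the same strings. `LINEAR_RX`, `SAMPLE`, `backtrack_steps` and `disagreements` are hypothetical names, and the step counter is a simplified model rather than PCRE's own accounting.

```python
import itertools
import re

# Pattern as quoted in the post for rule 20020.
RULE_RX = re.compile(r"^(.*;)*=(;.*)*$")
# Assumed rewrite (not from the CWAF rule set): no nested quantifiers.
LINEAR_RX = re.compile(r"(?:^|;)=(?:;|$)")
# Constructed sample header: ten ordinary cookies, none with an empty name.
SAMPLE = "; ".join(f"c{i}=v{i}" for i in range(10))


def backtrack_steps(header: str) -> int:
    """Branch attempts of a naive backtracking matcher on the rule's pattern.
    Simplified model of the blow-up, not PCRE's own match counter."""
    steps = 0

    def group1(pos: int) -> bool:
        nonlocal steps
        steps += 1
        # Greedy '.*;' tries the last ';' first, then backs off to earlier ones.
        for end in range(len(header) - 1, pos - 1, -1):
            if header[end] == ";" and group1(end + 1):
                return True
        # No more '(.*;)' iterations: rest must be '=' then end or ';...'.
        rest = header[pos:]
        return rest == "=" or rest.startswith("=;")

    group1(0)
    return steps


def disagreements(alphabet: str = "a;= ", max_len: int = 7) -> list:
    """Every short string on which the rule, the rewrite and a split differ."""
    bad = []
    for n in range(max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            s = "".join(chars)
            verdicts = {bool(RULE_RX.search(s)), bool(LINEAR_RX.search(s)), "=" in s.split(";")}
            if len(verdicts) > 1:
                bad.append(s)
    return bad
```

In this model a non-matching header costs 2^k attempts for k semicolons, so each extra cookie doubles the work, while the flat pattern and the split check stay linear in the header length.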