Good evening,
I'm trying to get ModSecurity to work with Core Rule Set 2.2.4, but I'm seeing
very strange behavior. If I enable ModSecurity, I cannot access my blog (WordPress
3.3.2): I get a 403 error and my logs are full of entries like these:
[Mon Jun 04 21:10:32 2012] [error] [client 93.148.109.162] ModSecurity: Rule
b5fcf270 [id "950901"][file
"/usr/share/modsecurity-crs_2.2.4/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line
"77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname
"blog.carlopoliti.net"] [uri "/wp-admin/admin.php"] [unique_id
"T80kSH8AAAEAAGPFKCMAAAAH"]
[Mon Jun 04 21:10:32 2012] [error] [client 93.148.109.162] ModSecurity: Rule
b5fcf270 [id "950901"][file
"/usr/share/modsecurity-crs_2.2.4/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line
"77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname
"blog.carlopoliti.net"] [uri "/wp-admin/admin.php"] [unique_id
"T80kSH8AAAEAAGPFKCMAAAAH"]
[Mon Jun 04 21:10:32 2012] [error] [client 93.148.109.162] ModSecurity: Rule
b5fcf270 [id "950901"][file
"/usr/share/modsecurity-crs_2.2.4/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line
"77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname
"blog.carlopoliti.net"] [uri "/wp-admin/admin.php"] [unique_id
"T80kSH8AAAEAAGPFKCMAAAAH"]
[Mon Jun 04 21:10:32 2012] [error] [client 93.148.109.162]
ModSecurity: Access denied with code 403 (phase 2). Pattern match
"([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*){8,}"
at REQUEST_COOKIES:wp-settings-1. [file
"/usr/share/modsecurity-crs_2.2.4/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "169"] [id "981172"] [rev "2.2.4"] [msg "Restricted SQL Character
Anomaly Detection Alert - Total # of special characters exceeded"] [data "=o"]
[hostname "blog.carlopoliti.net"] [uri "/wp-admin/admin.php"] [unique_id
"T80kSH8AAAEAAGPFKCMAAAAH"]
[Mon Jun 04 21:10:33 2012] [error] [client 93.148.109.162] ModSecurity: Unable
to retrieve collection (name "global", key "global"). Use SecDataDir to define
data directory first. [hostname "blog.carlopoliti.net"] [uri
"/custompage/404.css"] [unique_id "T80kSX8AAAEAAGPFKCQAAAAH"]
[Mon Jun 04 21:10:33 2012] [error] [client 93.148.109.162]
ModSecurity: Access denied with code 403 (phase 2). Pattern match
"([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*){8,}"
at REQUEST_COOKIES:wp-settings-1. [file
"/usr/share/modsecurity-crs_2.2.4/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "169"] [id "981172"] [rev "2.2.4"] [msg "Restricted SQL Character
Anomaly Detection Alert - Total # of special characters exceeded"] [data "=o"]
[hostname "blog.carlopoliti.net"] [uri "/custompage/404.css"] [unique_id
"T80kSX8AAAEAAGPFKCQAAAAH"]
[Mon Jun 04 21:10:33 2012] [error] [client 93.148.109.162]
ModSecurity: Access denied with code 403 (phase 2). Pattern match
"([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*){8,}"
at REQUEST_COOKIES:wp-settings-1. [file
"/usr/share/modsecurity-crs_2.2.4/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"]
[line "169"] [id "981172"] [rev "2.2.4"] [msg "Restricted SQL Character
Anomaly Detection Alert - Total # of special characters exceeded"] [data "=o"]
[hostname "blog.carlopoliti.net"] [uri "/custompage/emailCP.png"] [unique_id
"T80kSX8AAAEAAGPfLVoAAAAI"]
I have tried disabling these 2 lines and now everything works (it seems so), but
I'm wondering if there is a way to make it work, or do I have to disable lines 77
and 169 of the file modsecurity_crs_41_sql_injection_attacks.conf?
Thanks
--
Carlo Politi
eMail: [email protected]
www: http://www.carlopoliti.net/
blog: http://blog.carlopoliti.net/
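
Added example, not part of the original post and not ModSecurity or CRS code: a small triage script that groups error-log entries like the ones quoted above by kind, rule id and matched variable, so engine or configuration problems (PCRE limit, missing data directory) can be told apart from rule matches. The sample lines are constructed (documentation IP and hostname, shortened pattern), and the script assumes one log entry per line, as Apache writes them, rather than the e-mail's wrapped form.

```python
import re
from collections import defaultdict

# Constructed sample: ModSecurity 2.x Apache error-log entries modelled on the
# post (documentation IP/hostname, shortened pattern, one entry per line).
SAMPLE_LOG = r'''
[Mon Jun 04 21:10:32 2012] [error] [client 192.0.2.10] ModSecurity: Rule b5fcf270 [id "950901"][file "/usr/share/modsecurity-crs_2.2.4/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"][line "77"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "blog.example.org"] [uri "/wp-admin/admin.php"] [unique_id "AAAA"]
[Mon Jun 04 21:10:32 2012] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\\"\\<\\>].*){8,}" at REQUEST_COOKIES:wp-settings-1. [file "/usr/share/modsecurity-crs_2.2.4/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "169"] [id "981172"] [rev "2.2.4"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "=o"] [hostname "blog.example.org"] [uri "/wp-admin/admin.php"] [unique_id "AAAA"]
[Mon Jun 04 21:10:33 2012] [error] [client 192.0.2.10] ModSecurity: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first. [hostname "blog.example.org"] [uri "/custompage/404.css"] [unique_id "BBBB"]
[Mon Jun 04 21:10:33 2012] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "([\\~\\!\\@\\#\\\"\\<\\>].*){8,}" at REQUEST_COOKIES:wp-settings-1. [file "/usr/share/modsecurity-crs_2.2.4/base_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "169"] [id "981172"] [rev "2.2.4"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "=o"] [hostname "blog.example.org"] [uri "/custompage/404.css"] [unique_id "BBBB"]
'''

META = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')  # [id "981172"], [uri "..."]
TARGET = re.compile(r'" at (\S+)\. \[')               # variable the pattern matched


def classify(line):
    """Separate engine/configuration problems from actual rule matches."""
    if "PCRE limits exceeded" in line:
        return "pcre_limit"    # regex aborted: the rule was never fully evaluated
    if "Unable to retrieve collection" in line:
        return "no_data_dir"   # persistent storage (SecDataDir) is not configured
    if "Access denied" in line:
        return "blocked"       # a rule matched and the request was denied
    return "other"


def summarize(log_text):
    """Map (kind, rule id, matched variable) -> sorted URIs that produced it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if "ModSecurity:" not in line:
            continue
        meta = dict(META.findall(line))
        target = TARGET.search(line)
        key = (classify(line), meta.get("id"), target.group(1) if target else None)
        hits[key].add(meta.get("uri"))
    return {key: sorted(uris) for key, uris in hits.items()}


if __name__ == "__main__":
    for (kind, rule_id, target), uris in summarize(SAMPLE_LOG).items():
        print(kind, rule_id, target, uris)
```

On the sample, rule 981172 is reported once with two URIs, which shows the 403s follow the wp-settings-1 cookie rather than any particular page.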