ModSecurity SQL rules activated by image called 'warning.png'

Time:04-22

I'm new to ModSecurity and trying to evaluate it on my local environment:

  • CentOS 7
  • Apache 2.4.6
  • Mod Security 2.9.3
  • CRS 3.3.2

I'm getting the following ModSec false positive for our 404 error page. This is a very basic page that just contains a small amount of text and an image, '/assets/warning.png'.

[Wed Apr 20 11:24:36.137728 2022] [:error] [pid 19154] [client xxx.xxx.xxx.xxx:61967] [client xxx.xxx.xxx.xxx] ModSecurity: Rule 55dfceb2c9b0 [id "-"][file "/etc/httpd/coreruleset-3.3.2/rules/RESPONSE-951-DATA-LEAKAGES-SQL.conf"][line "92"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "mydomain.com"] [uri "/404"]

It seems to be the image that's causing the problem; if I remove it, I don't get the ModSec alerts.

I can't figure out how to create an exclusion for this false positive. I've tried the following (in /etc/httpd/coreruleset-3.3.2/rules/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf), but no luck:

SecRuleUpdateTargetById 951120 "!ARGS_NAMES:/warning.png/"

CodePudding user response:

OWASP ModSecurity Core Rule Set dev-on-duty here. You got this almost right, but not quite.

The problem is actually not very severe. It just tells you that the PCRE limit has been reached. This is annoying for your logs, but the WAF continues to work as intended.

The problem with your rule exclusion is that you do not know which parameter has been causing the problem. The alert does not tell you. I suggest you employ a path-based rule exclusion for 951120. Check out the tutorials at netnea.com/cms/apache-tutorials/ to learn how to do that.
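
A sketch of the path-based exclusion suggested above, added here as an illustration; it is not part of the original answer and not taken from the CRS project. It assumes the error page is requested as /404 (the URI in the logged alert), that the rule to silence is 951120 as named in the question and the answer, and that rule id 10000 is free locally.

```apache
# Added example. Put this in REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf,
# not in the AFTER-CRS file: a ctl: action is applied at runtime and only
# affects rules that execute after it, so it has to be loaded ahead of the
# CRS rule files.

# The attempt from the question, for comparison. It changes the target list
# of 951120 at startup by dropping one named parameter, which requires
# knowing which parameter triggered the rule:
#   SecRuleUpdateTargetById 951120 "!ARGS_NAMES:/warning.png/"

# Path-based runtime exclusion: for requests to the error page only, remove
# rule 951120 from this transaction. Every other URI keeps the rule.
# REQUEST_FILENAME is the request path without the query string, so
# "/404?x=1" is covered while "/4040" is not.
SecRule REQUEST_FILENAME "@streq /404" \
    "id:10000,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    ctl:ruleRemoveById=951120"
```

After reloading Apache, request the page again and check the error log for the "PCRE limits exceeded" line; if it persists, confirm that the path in the condition matches the URI the alert reports.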
