Question Atomicorp WAF // 345114 "log4j"

[rammstein]

Unfortunately, I have problems with this rule on some websites, and a question about the "best" solution to this problem.

The rule exits with the following error:

Execution error - PCRE limits exceeded (-8)

The reason and the solution for this are relatively clear:

This message means that the locally configured internal limit was been exceeded in modsecurity. This limit is used to prevent a special type of DOS attack on the WAF itself. This is not caused by any of the Atomicorp rules. If you are using third party rules, please contact the rules developers for assistance.

When using just the Atomicorp rules, this error is caused by the following settings:

SecPcreMatchLimit

SecPcreMatchLimitRecursion

They limit the degree to which modsecurity will inspect content. This error means that modsecurity has stopped inspecting the content because the content itself has exceeded these limits. If your system is generating these kinds of errors, generally just need to increase the limits higher on your system as explained below.

It is also possible this is occurring due to an actual DOS attack on your system. If you are certain this is not a DOS attack, simply increase these limits accordingly for your system. We recommend a minimum of 250000 for a modern system, then restart your web server.

SecPcreMatchLimit 250000
SecPcreMatchLimitRecursion 250000

Source: https://support.atomicorp.com/hc/en...-execution-error-PCRE-limits-exceeded-8-null-

But how do I do this in Plesk so that it is update safe and not overwritten during an update?

Can I just put it here, under "Custom directives"? (Tools & Settings -> WAF -> Settings)

Source: Web Application Firewall (ModSecurity)


Thanks for any advice!

 

[weltonw]

Yes, you can. That rule has cause quite a few issues for us FWIW though.