
Execution error

Hi guys,

Can someone tell me what this log means? What does the Execution error mean in this log?

 

httpd[16888]: [security2:error] [pid 16888:tid 3928107888] [client 46.XX.168.67] ModSecurity: Rule 1008f2a8 [id "981243"][file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.mydomain.com"] [uri "/worldsome/default.aspx"] [unique_id "Wl-X5D7dx7gAAEH4sNcAAAAY"]

 

I have lots of these entries in the logs and the website www.mydomain.com is very slow. I did blackhole this IP.

 

Thanks



  • This is a question about Webserver Security, so I'll move it to that forum.

    What happens if you disable the rule #981243?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Thanks for moving the question to the right forum.

    This is not a false positive; we know this IP is from a country that should not have an interest in this website, so we blocked access from this IP because the website was really slowing down.

    We would like to know what this log means. Does it mean that the UTM has dropped the connection, or does the Execution Error mean that the UTM couldn't do its job?

    Thanks

  • I don't think that people were complaining about this error because things weren't being blocked.  The solution to disable a rule is one to allow traffic, not restrict it.

    Cheers - Bob

     
  • Hi Bob,

    Sorry, maybe I did not explain the situation well enough.

    Last time we could see that one of our websites was very slow. We checked the logs and could see lots of entries from multiple IP addresses of this network 46.XX.168.65/24, and this was happening on multiple days. So we went ahead and blocked the connections from that network, and immediately we could see that the website was working normally again.

     

    I would like to know what this error means. Does this mean that the Sophos has done its job and dropped the connection, or, as the log says "Execution error - PCRE limits exceeded", that Sophos did not drop the connection?

     

    2018:01:17-01:34:57 securitysrv1-2 httpd[24522]: [security2:error] [pid 24522:tid 4121140080] [client 46.XX.168.65] ModSecurity: Rule 1008f2a8 [id "981243"][file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.mywebsite.nl"] [uri "/somwhere/default.aspx"] [unique_id "Wl6aMT7dx7gAAF-KztsAAADJ"]

     

    Thanks

  • I have or had the same types of entries.   Support said don't worry about them.  

  • Hi Douflas,

     

    Thanks for your reply,

    But what does it mean? It is not just one or 2 entries; I can see lots of them.

    I have opened a new support ticket; I will let you know as soon as I have more info.
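
A log-triage example for the entries quoted in this thread, added here and not part of the original posts or of Sophos's tooling: it counts "PCRE limits exceeded" execution errors per rule id, per client network and per URI. The sample lines, hostnames and the `summarize` name are constructed, and the client addresses are documentation-range placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format of the entries quoted in this thread.
# Client addresses are documentation-range placeholders, not the posters' data.
SAMPLE_LOG = """\
2018:01:17-01:34:57 fw httpd[24522]: [security2:error] [pid 24522:tid 1] [client 203.0.113.65] ModSecurity: Rule 1008f2a8 [id "981243"][file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.example.test"] [uri "/a/default.aspx"] [unique_id "constructed-1"]
2018:01:17-01:34:58 fw httpd[24522]: [security2:error] [pid 24522:tid 2] [client 203.0.113.67] ModSecurity: Rule 1008f2a8 [id "981243"][file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.example.test"] [uri "/a/default.aspx"] [unique_id "constructed-2"]
2018:01:17-01:35:02 fw httpd[24522]: [security2:error] [pid 24522:tid 3] [client 203.0.113.70:51544] ModSecurity: Rule 1008f2a8 [id "981243"][file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.example.test"] [uri "/b/default.aspx"] [unique_id "constructed-3"]
2018:01:17-01:36:10 fw httpd[24522]: [security2:error] [pid 24522:tid 4] [client 198.51.100.7] ModSecurity: Rule 1008f2a8 [id "981243"][file "/usr/apache/conf/waf/modsecurity_crs_sql_injection_attacks.conf"][line "245"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.example.test"] [uri "/a/default.aspx"] [unique_id "constructed-4"]
2018:01:17-01:36:11 fw httpd[24522]: [security2:error] [pid 24522:tid 5] [client 198.51.100.9] ModSecurity: Warning. (constructed unrelated entry) [id "000000"] [uri "/c"]
"""

# Only rule execution errors caused by PCRE limits are matched.
# The number in parentheses is PCRE's error code (-8 is PCRE_ERROR_MATCHLIMIT).
ENTRY = re.compile(
    r'\[client (?P<client>[0-9a-fA-F.:]+)\] ModSecurity: Rule \S+ '
    r'\[id "(?P<rule_id>\d+)"\].*?'
    r'Execution error - PCRE limits exceeded \((?P<code>-?\d+)\)'
    r'.*?\[uri "(?P<uri>[^"]*)"\]'
)

def summarize(log_text):
    """Return Counters keyed by (rule id, PCRE code), client network, and URI."""
    by_rule, by_net, by_uri = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        client = m["client"]
        try:
            ip = ipaddress.ip_address(client)
        except ValueError:
            # Apache may log "address:port"; drop the port and retry.
            ip = ipaddress.ip_address(client.rsplit(":", 1)[0])
        prefix = 24 if ip.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        by_rule[(m["rule_id"], int(m["code"]))] += 1
        by_net[str(net)] += 1
        by_uri[m["uri"]] += 1
    return by_rule, by_net, by_uri

if __name__ == "__main__":
    rules, nets, uris = summarize(SAMPLE_LOG)
    for label, counter in (("rule/code", rules), ("network", nets), ("uri", uris)):
        for key, count in counter.most_common():
            print(f"{label:10} {key!s:28} {count}")
```
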