Description
Describe the bug
We have many audit log entries of PCRE limit errors for PNG pictures with a huge Referer from DoubleClick.
Logs and dumps
Output of: audit_log
--e097961d-A--
[25/Sep/2019:14:21:00 +0200] XYtbrF6VruoaIc5w1XbecAAAAAM 11.11.11.11 58870 10.0.0.10 443
--e097961d-B--
GET /banner/zzzz/zzzz.png HTTP/2.0
Referer: https://www.zzzzz.at/banner/zzzzzz/index.html?clicktag=https://adclick.g.doubleclick.net/pcs/click%253Fxai%253DAKAOjsuzTq75PYpdP07IVXsSA6Yk_tzsFNP1kLog2v52TIvJ1OP_UbitA_GmPfqzgIM5zvgjju1e1c6xSDHzR3nzfWyJ5qehlEV5VVr_0SAzCYrj4KIcucoFqfYSmQm7xI36Gf4pviotnq9dyNFQUj2z1rWAZZv3Yeoy86cr0ZvX0_ptY2LBfXJCB07moy4iqyiQThiPnSOhdZbRWnTuiDg1O_-_NnekNLaWOFSMDUYjDPBVN_sPaIBt2wBFl1Qe7t8ovm_Xz6Aa7xGu0RcREvX-bPv8eVg-Vr3VfPA%2526sig%253DCg0ArKJSzAweWjDN_1tOEAE%2526urlfix%253D1%2526adurl%253Dhttps://www.zzzzz.at/zzzzzz/%3Futm_source%3Dkrone%26utm_medium%3Dzzzzzz%26utm_campaign%3Dzzzzz&=https://adclick.g.doubleclick.net/pcs/click%253Fxai%253DAKAOjsuzTq75PYpdP07IVXsSA6Yk_tzsFNP1kLog2v52TIvJ1OP_UbitA_GmPfqzgIM5zvgjju1e1c6xSDHzR3nzfWyJ5qehlEV5VVr_0SAzCYrj4KIcucoFqfYSmQm7xI36Gf4pviotnq9dyNFQUj2z1rWAZZv3Yeoy86cr0ZvX0_ptY2LBfXJCB07moy4iqyiQThiPnSOhdZbRWnTuiDg1O_-_NnekNLaWOFSMDUYjDPBVN_sPaIBt2wBFl1Qe7t8ovm_Xz6Aa7xGu0RcREvX-bPv8eVg-Vr3VfPA%2526sig%253DCg0ArKJSzAweWjDN_1tOEAE%2526urlfix%253D1%2526adurl%253D&=https://adclick.g.doubleclick.net/pcs/click%253Fxai%253DAKAOjsuzTq75PYpdP07IVXsSA6Yk_tzsFNP1kLog2v52TIvJ1OP_UbitA_GmPfqzgIM5zvgjju1e1c6xSDHzR3nzfWyJ5qehlEV5VVr_0SAzCYrj4KIcucoFqfYSmQm7xI36Gf4pviotnq9dyNFQUj2z1rWAZZv3Yeoy86cr0ZvX0_ptY2LBfXJCB07moy4iqyiQThiPnSOhdZbRWnTuiDg1O_-_NnekNLaWOFSMDUYjDPBVN_sPaIBt2wBFl1Qe7t8ovm_Xz6Aa7xGu0RcREvX-bPv8eVg-Vr3VfPA%2526sig%253DCg0ArKJSzAweWjDN_1tOEAE%2526urlfix%253D1%2526adurl%253D&=https://adclick.g.doubleclick.net/pcs/click%253Fxai%253DAKAOjsuzTq75PYpdP07IVXsSA6Yk_tzsFNP1kLog2v52TIvJ1OP_UbitA_GmPfqzgIM5zvgjju1e1c6xSDHzR3nzfWyJ5qehlEV5VVr_0SAzCYrj4KIcucoFqfYSmQm7xI36Gf4pviotnq9dyNFQUj2z1rWAZZv3Yeoy86cr0ZvX0_ptY2LBfXJCB07moy4iqyiQThiPnSOhdZbRWnTuiDg1O_-_NnekNLaWOFSMDUYjDPBVN_sPaIBt2wBFl1Qe7t8ovm_Xz6Aa7xGu0RcREvX-bPv8eVg-Vr3VfPA%2526sig%253DCg0ArKJSzAweWjDN_1tOEAE%2526urlfix%253D1%2526adurl%253D
Accept: image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
Accept-Language: de-AT
Accept-Encoding: gzip, deflate, br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763
Host: www.zzzzz.at
--e097961d-F--
HTTP/1.1 200 OK
Last-Modified: Fri, 30 Aug 2019 08:58:43 GMT
Accept-Ranges: bytes
Content-Length: 11755
Cache-Control: max-age=2592000
Expires: Fri, 25 Oct 2019 12:21:00 GMT
X-Content-Type-Options: nosniff
Connection: close
Content-Type: image/png
--e097961d-E--
--e097961d-H--
Message: Rule 1ebc8c0 [id "941140"][file "/etc/httpd/mod_security/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"][line "179"] - Execution error - PCRE limits exceeded (-8): (null).
Apache-Error: [file "apache2_util.c"] [line 271] [level 3] [client 11.11.11.11] ModSecurity: Rule 1ebc8c0 [id "941140"][file "/etc/httpd/mod_security/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"][line "179"] - Execution error - PCRE limits exceeded (-8): (null). [hostname "www.zzzz.at"] [uri "/banner/zzzz/zzzz.png"] [unique_id "XYtbrF6VruoaIc5w1XbecAAAAAM"]
Stopwatch: 1569414060302329 7162 (- - -)
Stopwatch2: 1569414060302329 7162; combined=3010, p1=367, p2=2456, p3=21, p4=63, p5=103, sr=75, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
Server: Apache
Engine-Mode: "ENABLED"
--e097961d-K--
SecAction "phase:1,auditlog,id:900600,nolog,pass,t:none,setvar:'tx.high_risk_country_codes=UA ID YU LT EG RO BG TR RU PK MY CN'"
SecAction "phase:1,auditlog,id:900700,nolog,pass,t:none,setvar:tx.dos_burst_time_slice=60,setvar:tx.dos_counter_threshold=100,setvar:tx.dos_block_timeout=600"
SecAction "phase:1,auditlog,id:900990,nolog,pass,t:none,setvar:tx.crs_setup_version=310"
SecRule "&TX:inbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901100,pass,nolog,setvar:tx.inbound_anomaly_score_threshold=5"
SecRule "&TX:outbound_anomaly_score_threshold" "@eq 0" "phase:1,auditlog,id:901110,pass,nolog,setvar:tx.outbound_anomaly_score_threshold=4"
SecRule "&TX:paranoia_level" "@eq 0" "phase:1,auditlog,id:901120,pass,nolog,setvar:tx.paranoia_level=1"
SecRule "&TX:executing_paranoia_level" "@eq 0" "phase:1,auditlog,id:901125,pass,nolog,setvar:tx.executing_paranoia_level=%{TX.PARANOIA_LEVEL}"
SecRule "&TX:sampling_percentage" "@eq 0" "phase:1,auditlog,id:901130,pass,nolog,setvar:tx.sampling_percentage=100"
SecRule "&TX:critical_anomaly_score" "@eq 0" "phase:1,auditlog,id:901140,pass,nolog,setvar:tx.critical_anomaly_score=5"
SecRule "&TX:error_anomaly_score" "@eq 0" "phase:1,auditlog,id:901141,pass,nolog,setvar:tx.error_anomaly_score=4"
SecRule "&TX:warning_anomaly_score" "@eq 0" "phase:1,auditlog,id:901142,pass,nolog,setvar:tx.warning_anomaly_score=3"
SecRule "&TX:notice_anomaly_score" "@eq 0" "phase:1,auditlog,id:901143,pass,nolog,setvar:tx.notice_anomaly_score=2"
SecRule "&TX:do_reput_block" "@eq 0" "phase:1,auditlog,id:901150,pass,nolog,setvar:tx.do_reput_block=0"
SecRule "&TX:reput_block_duration" "@eq 0" "phase:1,auditlog,id:901152,pass,nolog,setvar:tx.reput_block_duration=300"
SecRule "&TX:allowed_methods" "@eq 0" "phase:1,auditlog,id:901160,pass,nolog,setvar:'tx.allowed_methods=GET HEAD POST OPTIONS'"
SecRule "&TX:allowed_request_content_type" "@eq 0" "phase:1,auditlog,id:901162,pass,nolog,setvar:tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/soap+xml|application/x-amf|application/json|application/octet-stream|application/csp-report|application/xss-auditor-report|text/plain"
SecRule "&TX:allowed_request_content_type_charset" "@eq 0" "phase:1,auditlog,id:901168,pass,nolog,setvar:tx.allowed_request_content_type_charset=utf-8|iso-8859-1|iso-8859-15|windows-1252"
SecRule "&TX:allowed_http_versions" "@eq 0" "phase:1,auditlog,id:901163,pass,nolog,setvar:'tx.allowed_http_versions=HTTP/1.0 HTTP/1.1 HTTP/2 HTTP/2.0'"
SecRule "&TX:restricted_extensions" "@eq 0" "phase:1,auditlog,id:901164,pass,nolog,setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .rdb/ .resources/ .resx/ .sql/ .swp/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/'"
SecRule "&TX:restricted_headers" "@eq 0" "phase:1,auditlog,id:901165,pass,nolog,setvar:'tx.restricted_headers=/proxy/ /lock-token/ /content-range/ /translate/ /if/'"
SecRule "&TX:static_extensions" "@eq 0" "phase:1,auditlog,id:901166,pass,nolog,setvar:'tx.static_extensions=/.jpg/ /.jpeg/ /.png/ /.gif/ /.js/ /.css/ /.ico/ /.svg/ /.webp/'"
SecRule "&TX:enforce_bodyproc_urlencoded" "@eq 0" "phase:1,auditlog,id:901167,pass,nolog,setvar:tx.enforce_bodyproc_urlencoded=0"
SecAction "phase:1,auditlog,id:901200,pass,t:none,nolog,setvar:tx.anomaly_score=0,setvar:tx.anomaly_score_pl1=0,setvar:tx.anomaly_score_pl2=0,setvar:tx.anomaly_score_pl3=0,setvar:tx.anomaly_score_pl4=0,setvar:tx.sql_injection_score=0,setvar:tx.xss_score=0,setvar:tx.rfi_score=0,setvar:tx.lfi_score=0,setvar:tx.rce_score=0,setvar:tx.php_injection_score=0,setvar:tx.http_violation_score=0,setvar:tx.session_fixation_score=0,setvar:tx.inbound_anomaly_score=0,setvar:tx.outbound_anomaly_score=0,setvar:tx.outbound_anomaly_score_pl1=0,setvar:tx.outbound_anomaly_score_pl2=0,setvar:tx.outbound_anomaly_score_pl3=0,setvar:tx.outbound_anomaly_score_pl4=0,setvar:tx.sql_error_match=0"
SecRule "REQUEST_HEADERS:User-Agent" "@rx ^.*$" "phase:1,auditlog,id:901318,pass,t:none,t:sha1,t:hexEncode,nolog,setvar:tx.ua_hash=%{MATCHED_VAR}"
SecAction "phase:1,auditlog,id:901321,pass,t:none,nolog,initcol:global=global,initcol:ip=%{remote_addr}_%{tx.ua_hash},setvar:tx.real_ip=%{remote_addr}"
SecRule "REQBODY_PROCESSOR" "!@rx (?:URLENCODED|MULTIPART|XML|JSON)" "phase:1,id:901340,pass,nolog,noauditlog,msg:'Enabling body inspection',tag:paranoia-level/1,ctl:forceRequestBodyVariable=On,ver:OWASP_CRS/3.2.0"
SecRule "TX:sampling_percentage" "@eq 100" "phase:1,auditlog,id:901400,nolog,skipAfter:END-SAMPLING"
SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:1,auditlog,id:9002000,t:none,nolog,skipAfter:END-WORDPRESS"
SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:1,auditlog,id:9003000,t:none,nolog,skipAfter:END-NEXTCLOUD"
SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:1,auditlog,id:9004000,t:none,nolog,skipAfter:END-DOKUWIKI"
SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:1,auditlog,id:9005000,t:none,nolog,skipAfter:END-CPANEL"
SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:1,auditlog,id:9006000,t:none,nolog,skipAfter:END-XENFORO"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:910013,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:911013,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:912013,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:913013,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:920013,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:921013,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:930013,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:931013,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:932013,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:933013,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:934013,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:941013,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:942013,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:943013,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:944013,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:949013,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:1,auditlog,id:980013,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule "&TX:crs_exclusions_drupal|TX:crs_exclusions_drupal" "@eq 0" "phase:2,auditlog,id:9001000,t:none,nolog,skipAfter:END-DRUPAL-RULE-EXCLUSIONS"
SecRule "&TX:crs_exclusions_wordpress|TX:crs_exclusions_wordpress" "@eq 0" "phase:2,auditlog,id:9002001,t:none,nolog,skipAfter:END-WORDPRESS"
SecRule "&TX:crs_exclusions_nextcloud|TX:crs_exclusions_nextcloud" "@eq 0" "phase:2,auditlog,id:9003001,t:none,nolog,skipAfter:END-NEXTCLOUD"
SecRule "&TX:crs_exclusions_dokuwiki|TX:crs_exclusions_dokuwiki" "@eq 0" "phase:2,auditlog,id:9004001,t:none,nolog,skipAfter:END-DOKUWIKI"
SecRule "&TX:crs_exclusions_cpanel|TX:crs_exclusions_cpanel" "@eq 0" "phase:2,auditlog,id:9005001,t:none,nolog,skipAfter:END-CPANEL"
SecRule "&TX:crs_exclusions_xenforo|TX:crs_exclusions_xenforo" "@eq 0" "phase:2,auditlog,id:9006001,t:none,nolog,skipAfter:END-XENFORO"
SecRule "TX:HIGH_RISK_COUNTRY_CODES" "!@rx ^$" "phase:2,log,auditlog,id:910100,block,t:none,msg:'Client IP is from a HIGH Risk Country Location.',logdata:%{MATCHED_VAR},tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-reputation-ip,severity:CRITICAL,chain"
SecRule "TX:REAL_IP" "@geoLookup " "chain"
#SecRule "GEO:COUNTRY_CODE" "@Within %{tx.high_risk_country_codes}" "setvar:tx.anomaly_score_pl1=+%{tx.critical_anomaly_score},setvar:ip.reput_block_flag=1,setvar:ip.reput_block_reason=%{rule.msg},expirevar:ip.reput_block_flag=%{tx.reput_block_duration}"
SecRule "&TX:block_suspicious_ip" "@eq 0" "phase:2,auditlog,id:910130,t:none,nolog,chain,skipAfter:END-RBL-CHECK"
SecRule "&TX:block_harvester_ip" "@eq 0" "chain"
SecRule "&TX:block_spammer_ip" "@eq 0" "chain"
SecRule "&TX:block_search_ip" "@eq 0"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:2,auditlog,id:910014,nolog,skipAfter:END-REQUEST-910-IP-REPUTATION"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:2,auditlog,id:911014,nolog,skipAfter:END-REQUEST-911-METHOD-ENFORCEMENT"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:2,auditlog,id:912014,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:2,auditlog,id:913014,nolog,skipAfter:END-REQUEST-913-SCANNER-DETECTION"
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,log,auditlog,id:920170,block,t:none,msg:'GET or HEAD Request with Body Content.',logdata:%{MATCHED_VAR},tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,ver:OWASP_CRS/3.2.0,severity:CRITICAL,chain"
#SecRule "REQUEST_HEADERS:Content-Length" "!@rx ^0?$" "t:none,setvar:tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}"
SecRule "REQUEST_METHOD" "@rx ^(?:GET|HEAD)$" "phase:2,log,auditlog,id:920171,block,t:none,msg:'GET or HEAD Request with Transfer-Encoding.',logdata:%{MATCHED_VAR},tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS,tag:OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ,tag:CAPEC-272,ver:OWASP_CRS/3.2.0,severity:CRITICAL,chain"
#SecRule "&REQUEST_HEADERS:Transfer-Encoding" "!@eq 0" "t:none,setvar:tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}"
SecRule "REQUEST_BASENAME" "@rx \.([^.]+)$" "phase:2,log,auditlog,id:920440,block,capture,t:none,msg:'URL file extension is restricted by policy',logdata:%{TX.0},tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS,tag:OWASP_CRS/POLICY/EXT_RESTRICTED,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/6.5.10,ver:OWASP_CRS/3.2.0,severity:CRITICAL,setvar:tx.extension=.%{tx.1}/,chain"
#SecRule "TX:EXTENSION" "@Within %{tx.restricted_extensions}" "t:none,t:urlDecodeUni,t:lowercase,setvar:tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^.*$" "phase:2,log,auditlog,id:920450,block,capture,t:none,t:lowercase,msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',logdata:'Restricted header detected: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,ver:OWASP_CRS/3.2.0,severity:CRITICAL,setvar:tx.header_name_%{tx.0}=/%{tx.0}/,chain"
#SecRule "TX:/^HEADER_NAME_/" "@Within %{tx.restricted_headers}" "setvar:tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^.*$" "phase:2,log,auditlog,id:920450,block,capture,t:none,t:lowercase,msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',logdata:'Restricted header detected: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,ver:OWASP_CRS/3.2.0,severity:CRITICAL,setvar:tx.header_name_%{tx.0}=/%{tx.0}/,chain"
#SecRule "TX:/^HEADER_NAME_/" "@Within %{tx.restricted_headers}" "setvar:tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^.*$" "phase:2,log,auditlog,id:920450,block,capture,t:none,t:lowercase,msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',logdata:'Restricted header detected: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,ver:OWASP_CRS/3.2.0,severity:CRITICAL,setvar:tx.header_name_%{tx.0}=/%{tx.0}/,chain"
#SecRule "TX:/^HEADER_NAME_/" "@Within %{tx.restricted_headers}" "setvar:tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^.*$" "phase:2,log,auditlog,id:920450,block,capture,t:none,t:lowercase,msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',logdata:'Restricted header detected: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,ver:OWASP_CRS/3.2.0,severity:CRITICAL,setvar:tx.header_name_%{tx.0}=/%{tx.0}/,chain"
#SecRule "TX:/^HEADER_NAME_/" "@Within %{tx.restricted_headers}" "setvar:tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^.*$" "phase:2,log,auditlog,id:920450,block,capture,t:none,t:lowercase,msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',logdata:'Restricted header detected: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,ver:OWASP_CRS/3.2.0,severity:CRITICAL,setvar:tx.header_name_%{tx.0}=/%{tx.0}/,chain"
#SecRule "TX:/^HEADER_NAME_/" "@Within %{tx.restricted_headers}" "setvar:tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}"
SecRule "REQUEST_HEADERS_NAMES" "@rx ^.*$" "phase:2,log,auditlog,id:920450,block,capture,t:none,t:lowercase,msg:'HTTP header is restricted by policy (%{MATCHED_VAR})',logdata:'Restricted header detected: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-protocol,tag:OWASP_CRS,tag:OWASP_CRS/POLICY/HEADER_RESTRICTED,tag:WASCTC/WASC-21,tag:OWASP_TOP_10/A7,tag:PCI/12.1,tag:WASCTC/WASC-15,tag:OWASP_TOP_10/A7,tag:PCI/12.1,ver:OWASP_CRS/3.2.0,severity:CRITICAL,setvar:tx.header_name_%{tx.0}=/%{tx.0}/,chain"
#SecRule "TX:/^HEADER_NAME_/" "@Within %{tx.restricted_headers}" "setvar:tx.anomaly_score_pl1=+%{tx.critical_anomaly_score}"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:2,auditlog,id:920014,nolog,skipAfter:END-REQUEST-920-PROTOCOL-ENFORCEMENT"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:2,auditlog,id:921014,nolog,skipAfter:END-REQUEST-921-PROTOCOL-ATTACK"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:2,auditlog,id:930014,nolog,skipAfter:END-REQUEST-930-APPLICATION-ATTACK-LFI"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:2,auditlog,id:931014,nolog,skipAfter:END-REQUEST-931-APPLICATION-ATTACK-RFI"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:2,auditlog,id:932014,nolog,skipAfter:END-REQUEST-932-APPLICATION-ATTACK-RCE"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:2,auditlog,id:933014,nolog,skipAfter:END-REQUEST-933-APPLICATION-ATTACK-PHP"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:2,auditlog,id:934014,nolog,skipAfter:END-REQUEST-934-APPLICATION-ATTACK-NODEJS"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:2,auditlog,id:941014,nolog,skipAfter:END-REQUEST-941-APPLICATION-ATTACK-XSS"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:2,auditlog,id:942014,nolog,skipAfter:END-REQUEST-942-APPLICATION-ATTACK-SQLI"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:2,auditlog,id:943014,nolog,skipAfter:END-REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:2,auditlog,id:944014,nolog,skipAfter:END-REQUEST-944-APPLICATION-ATTACK-JAVA"
SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:2,auditlog,id:949060,pass,t:none,nolog,setvar:tx.anomaly_score=+%{tx.anomaly_score_pl1}"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:2,auditlog,id:949014,nolog,skipAfter:END-REQUEST-949-BLOCKING-EVALUATION"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:2,auditlog,id:980014,nolog,skipAfter:END-RESPONSE-980-CORRELATION"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:950013,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:951013,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:952013,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:953013,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:954013,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:3,auditlog,id:959013,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:950014,nolog,skipAfter:END-RESPONSE-950-DATA-LEAKAGES"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:951014,nolog,skipAfter:END-RESPONSE-951-DATA-LEAKAGES-SQL"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:952014,nolog,skipAfter:END-RESPONSE-952-DATA-LEAKAGES-JAVA"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:953014,nolog,skipAfter:END-RESPONSE-953-DATA-LEAKAGES-PHP"
SecRule "RESPONSE_STATUS" "!@rx ^404$" "phase:4,log,auditlog,id:954130,block,capture,t:none,msg:'IIS Information Leakage',logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:application-multi,tag:language-multi,tag:platform-iis,tag:platform-windows,tag:attack-disclosure,tag:OWASP_CRS,tag:OWASP_CRS/LEAKAGE/ERRORS_IIS,tag:WASCTC/WASC-13,tag:OWASP_TOP_10/A6,tag:PCI/6.5.6,ctl:auditLogParts=+E,ver:OWASP_CRS/3.2.0,severity:ERROR,chain"
#SecRule "RESPONSE_BODY" "@rx \bServer Error in.{0,50}?\bApplication\b" "capture,t:none,setvar:tx.outbound_anomaly_score_pl1=+%{tx.error_anomaly_score},setvar:tx.anomaly_score_pl1=+%{tx.error_anomaly_score}"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:954014,nolog,skipAfter:END-RESPONSE-954-DATA-LEAKAGES-IIS"
SecRule "TX:PARANOIA_LEVEL" "@ge 1" "phase:4,auditlog,id:959060,pass,t:none,nolog,setvar:tx.outbound_anomaly_score=+%{tx.outbound_anomaly_score_pl1}"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:4,auditlog,id:959014,nolog,skipAfter:END-RESPONSE-959-BLOCKING-EVALUATION"
SecRule "REQUEST_BASENAME" "@rx .*?(\.[a-z0-9]{1,10})?$" "phase:5,auditlog,id:912150,pass,capture,t:none,t:lowercase,nolog,tag:application-multi,tag:language-multi,tag:platform-multi,tag:attack-dos,setvar:tx.extension=/%{TX.1}/,chain"
#SecRule "TX:EXTENSION" "!@Within %{tx.static_extensions}" "setvar:ip.dos_counter=+1"
SecRule "TX:EXECUTING_PARANOIA_LEVEL" "@lt 2" "phase:5,auditlog,id:912019,nolog,skipAfter:END-REQUEST-912-DOS-PROTECTION"
SecAction "phase:5,id:980115,pass,t:none,nolog,noauditlog,setvar:tx.executing_anomaly_score=%{tx.anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.anomaly_score_pl4}"
SecRule "TX:INBOUND_ANOMALY_SCORE" "@lt %{tx.inbound_anomaly_score_threshold}" "phase:5,id:980120,pass,t:none,log,noauditlog,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE} - SQLI=%{tx.sql_injection_score},XSS=%{tx.xss_score},RFI=%{tx.rfi_score},LFI=%{tx.lfi_score},RCE=%{tx.rce_score},PHPI=%{tx.php_injection_score},HTTP=%{tx.http_violation_score},SESS=%{tx.session_fixation_score}): individual paranoia level scores: %{TX.ANOMALY_SCORE_PL1}, %{TX.ANOMALY_SCORE_PL2}, %{TX.ANOMALY_SCORE_PL3}, %{TX.ANOMALY_SCORE_PL4}',tag:event-correlation,chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
SecAction "phase:5,id:980145,pass,t:none,nolog,noauditlog,setvar:tx.executing_anomaly_score=%{tx.outbound_anomaly_score_pl1},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl2},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl3},setvar:tx.executing_anomaly_score=+%{tx.outbound_anomaly_score_pl4}"
SecRule "TX:OUTBOUND_ANOMALY_SCORE" "@lt %{tx.outbound_anomaly_score_threshold}" "phase:5,id:980150,pass,t:none,log,noauditlog,msg:'Outbound Anomaly Score (Total Outbound Score: %{TX.OUTBOUND_ANOMALY_SCORE}): individual paranoia level scores: %{TX.OUTBOUND_ANOMALY_SCORE_PL1}, %{TX.OUTBOUND_ANOMALY_SCORE_PL2}, %{TX.OUTBOUND_ANOMALY_SCORE_PL3}, %{TX.OUTBOUND_ANOMALY_SCORE_PL4}',tag:event-correlation,chain"
#SecRule "TX:MONITOR_ANOMALY_SCORE" "@gt 1"
Expected behavior
The request should not crash with a PCRE limit exception.
Server (please complete the following information):
- ModSecurity version: ModSecurity for Apache/2.9.2 (http://www.modsecurity.org/); OWASP_CRS/3.2.0.
- WebServer: Apache 2.4.41
- OS (and distro): Linux/CentOS 7
Rule Set (please complete the following information):
- Running any public or commercial rule set? OWASP_CRS/3.2.0
- What is the version number? 3.2.0
Additional context
I've already set:
SecPcreMatchLimit 500000
SecPcreMatchLimitRecursion 500000
in the apache.conf.
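To see how often errors like the one above occur and which rule and header are responsible, here is an added triage helper (not code from this bug report, nor from the ModSecurity or CRS projects). It splits a ModSecurity 2.x serial audit log into its lettered parts, picks out part-H "PCRE limits exceeded" messages, and pairs each with the longest request header of that transaction. The function names and the shortened sample log (built from the values in this report) are constructed for the example.

```python
"""Triage helper for ModSecurity 2.x serial-format audit logs.

Added example, not part of the bug report or of the CRS/ModSecurity code.
Assumes the serial audit-log format: each transaction is made of parts
delimited by lines such as "--e097961d-A--" (boundary id plus part letter).
"""
import re
from collections import defaultdict

# Boundary line: "--<hex id>-<part letter>--"
BOUNDARY_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$")
# Part-H engine-error message, as seen in the report:
# Message: Rule 1ebc8c0 [id "941140"][file "..."][line "179"] - Execution error - PCRE limits exceeded (-8): (null).
PCRE_LIMIT_RE = re.compile(
    r'^Message: .*\[id "(?P<id>\d+)"\]\[file "(?P<file>[^"]+)"\]\[line "(?P<line>\d+)"\]'
    r" - Execution error - PCRE limits exceeded"
)
HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def split_transactions(log_text):
    """Group audit-log lines as {tx_id: {part_letter: [lines]}}."""
    txs = defaultdict(lambda: defaultdict(list))
    current = None
    for line in log_text.splitlines():
        m = BOUNDARY_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        if current is not None and line:
            txs[current[0]][current[1]].append(line)
    return txs


def longest_request_header(part_b_lines):
    """Return (name, value_length) of the longest header in part B.

    Part B starts with the request line, which is skipped.
    """
    best = ("", 0)
    for line in part_b_lines[1:]:
        m = HEADER_RE.match(line)
        if m and len(m.group(2)) > best[1]:
            best = (m.group(1), len(m.group(2)))
    return best


def find_pcre_limit_hits(log_text):
    """One dict per PCRE-limit error: tx id, rule id/file/line, largest header."""
    hits = []
    for tx_id, parts in split_transactions(log_text).items():
        for line in parts.get("H", []):
            m = PCRE_LIMIT_RE.match(line)
            if not m:
                continue
            name, length = longest_request_header(parts.get("B", []))
            hits.append({"tx": tx_id, "rule_id": m.group("id"), "file": m.group("file"),
                         "rule_line": int(m.group("line")),
                         "header": name, "header_len": length})
    return hits


# Constructed sample: the report's transaction with the Referer shortened and padded.
SAMPLE_LOG = """\
--e097961d-A--
[25/Sep/2019:14:21:00 +0200] XYtbrF6VruoaIc5w1XbecAAAAAM 11.11.11.11 58870 10.0.0.10 443
--e097961d-B--
GET /banner/zzzz/zzzz.png HTTP/2.0
Referer: https://www.zzzzz.at/banner/index.html?clicktag=https://adclick.g.doubleclick.net/pcs/click%253Fxai%253D""" + "A" * 600 + """
Host: www.zzzzz.at
--e097961d-H--
Message: Rule 1ebc8c0 [id "941140"][file "/etc/httpd/mod_security/rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf"][line "179"] - Execution error - PCRE limits exceeded (-8): (null).
Stopwatch: 1569414060302329 7162 (- - -)
--e097961d-Z--
"""

if __name__ == "__main__":
    for hit in find_pcre_limit_hits(SAMPLE_LOG):
        print(f"tx {hit['tx']}: rule {hit['rule_id']} ({hit['file']}:{hit['rule_line']}) "
              f"hit the PCRE limit; largest header {hit['header']} = {hit['header_len']} bytes")
```

Run it over a real audit log with `find_pcre_limit_hits(open(path).read())` and group the results by `rule_id` and `header` to see whether the errors are concentrated on one rule and one oversized header, as in this report.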