WAF error "Execution error - PCRE limits exceeded"

Wesley 46 Reputation points
2025-05-09T06:35:32.68+00:00

Our WAF rules are blocking some content from accessing the backend web server. I searched the WAF logs and found some OWASP rules; the associated rule number is 932150, and the normal error message should be "Remote Command Execution: Direct Unix Command Execution". However, I am seeing "Execution error - PCRE limits exceeded". I also searched the following OWASP code link to try to find it, but found nothing: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-crs-rulegroups-rules?tabs=drs21%2Cowasp30 In addition, I am very new to troubleshooting application gateways and web application firewalls; I would appreciate any learning insights beyond the obvious content on the Microsoft website.

Azure Web Application Firewall

Accepted answer
  1. G Sree Vidya 2,270 Reputation points Microsoft External Staff Moderator
    2025-05-09T08:06:51.1566667+00:00

    Hello Wesley,

    We understand that WAF rule 932150 is blocking content from accessing your backend web server, and you’re seeing an "Execution error - PCRE limits exceeded" message instead of the expected "Remote Command Execution: Direct Unix Command Execution" error.

    The error you're seeing, "Execution error - PCRE limits exceeded", means that mod_security's regex engine (PCRE) hit internal limits during rule evaluation, often due to large or complex request bodies.

    This is also a known issue in WAFs using mod_security, particularly when input length or complexity causes a catastrophic backtracking situation in regex evaluation.

    Please check the below details for troubleshooting:

    1. WAF logs show every request that WAF matches or blocks. If a request is blocked that shouldn't be, narrow down the specific request by looking through the logs for the specific URI, timestamp, or transaction ID: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/web-application-firewall-troubleshoot

    Enable and review ApplicationGatewayFirewallLog in Log Analytics or your configured storage account.

    • Filter logs for ruleId = 932150 to identify blocked requests. Look for:
      • Client IP: To confirm the source of the request.
      • Request URI: The specific endpoint being blocked.
      • Matched Variable: The part of the request triggering the rule (e.g., ARGS, REQUEST_BODY).
      • Transaction ID: To correlate with backend logs.
      • RuleSetVersion: Confirm whether you’re using OWASP 3.2, DRS 2.1, or another version.
    • Example log entry: "message": "Execution error - PCRE limits exceeded" indicates that the regex evaluation failed due to request complexity.

    2. Try to analyze the input; the PCRE error is usually caused by large, complex request bodies.

    3. Test the request without the WAF, e.g. temporarily switch the WAF to Detection mode or route traffic around the WAF to your backend (in a test environment only).

    4. Verify that your backend works without the WAF to ensure it's not an app-side issue.

    5. You can create exclusions and custom rules, and even disable rules that may be causing issues or false positives.

    https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/application-gateway-customize-waf-rules-portal?source=recommendations

    Based on your queries, we have shared the details below:

    You can tune the WAF using the article below, which discusses how to recognize and mitigate false positives in WAF alerts, ensuring that legitimate traffic is not mistakenly blocked.

    https://techcommunity.microsoft.com/blog/azurenetworksecurityblog/azure-waf-tuning-for-web-applications/3776133

    https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-tuning?pivots=front-door-standard-premium

    After you tune your WAF, you should configure it to run in prevention mode. By running in prevention mode, you ensure the WAF actually blocks requests that it detects as malicious. Running in detection mode is useful for testing purposes while you tune and configure your WAF, but it provides no protection. It logs the traffic, but it doesn't take any actions such as allow or deny.

    Reference: https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/best-practices#tune-your-waf


    I hope this helps! Please let me know if you have further questions or need additional guidance.

    Please consider up-voting wherever the information provided helps you; this can be beneficial to other community members.


1 additional answer

  1. Alex Burlachenko 9,780 Reputation points
    2025-05-12T11:20:30.1433333+00:00

    Hi Wesley,

    Thanks for sharing the details about the WAF error you're encountering. The message "Execution error PCRE limits exceeded" typically occurs when the Web Application Firewall hits a processing limit while evaluating a request with a complex or lengthy pattern. This is related to OWASP rule 932150, which is designed to detect Remote Command Execution attempts, but in your case, the issue is more about regex engine constraints rather than a direct security match.

    The error suggests that the Perl Compatible Regular Expressions engine, used by Azure WAF to match patterns, has exceeded its configured limits while processing a request. This can happen with very long query strings, deeply nested payloads, or overly complex input that triggers excessive backtracking in regex evaluation.

    First, check the WAF logs in Azure to identify the exact request causing this issue. Look for unusually long parameters, headers, or payloads that might be too resource-intensive for the rule to process. You can use Azure WAF diagnostics (available in the Azure Portal under Diagnose and solve problems) to filter logs for Rule ID 932150 and analyze the problematic traffic.

    If the request is legitimate, you have a few options:

    • Adjust PCRE limits: Azure WAF allows some tuning of regex processing limits, though this is not always straightforward. You might need to experiment with custom rules or policy adjustments.

    • Create an exclusion: If this is a false positive, you can exclude the specific request attribute (e.g., a particular URL or parameter) from WAF inspection.

    • Modify the rule: In some cases, disabling or customizing rule 932150 in a custom rule set can help, but ensure this doesn't compromise security.

    Additional Resources

    For deeper insights, check out:

    If you’d like, you can share a sanitized version of the blocked request (removing any sensitive data), and I can help analyze the specific pattern causing the issue. Also, let me know if you’re using DRS 2.1/3.0 or a custom rule set, as this might influence the solution.

    For immediate mitigation, you could switch the WAF to Detection mode to log but not block requests while troubleshooting. Temporarily disable rule 932150 (if safe) to confirm it’s the root cause.

    Let me know how you'd like to proceed.

    Best regards,
    Alex
    P.S. If my answer helps you, please accept my answer.
    P.P.S. That is my answer and not a comment.
    
    1 person found this answer helpful.
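Both answers above start with the same triage step: pull the ApplicationGatewayFirewallLog entries for rule 932150 and separate genuine "Remote Command Execution" matches from "Execution error - PCRE limits exceeded" engine bail-outs, then note the client IP, request URI, rule-set version and transaction ID for each. The script below is an added example (mine, not part of either answer and not Microsoft tooling) that does this over a newline-delimited JSON export of the log. The field names (`properties.clientIp`, `requestUri`, `ruleSetType`, `ruleSetVersion`, `ruleId`, `message`, `transactionId`, `details.data`) are assumed to follow the Azure diagnostic-log schema; the sample records are constructed, with invented IPs, URIs and transaction IDs.

```python
import json
from collections import Counter

PCRE_LIMIT_MSG = "Execution error - PCRE limits exceeded"
RCE_RULE_ID = "932150"


def _record(client_ip, uri, rule_id, message, tx, action="Blocked", data=""):
    """Build one constructed log line in the assumed ApplicationGatewayFirewallLog shape."""
    return json.dumps({
        "category": "ApplicationGatewayFirewallLog",
        "properties": {
            "clientIp": client_ip, "requestUri": uri,
            "ruleSetType": "OWASP", "ruleSetVersion": "3.2",
            "ruleId": rule_id, "message": message, "action": action,
            "transactionId": tx,
            "details": {"message": message, "data": data},
        },
    })


# Constructed sample export (not real logs): two PCRE bail-outs on an upload
# endpoint, one genuine 932150 match, one unrelated rule, one malformed line.
SAMPLE_LOG_LINES = [
    _record("203.0.113.10", "/api/upload", RCE_RULE_ID, PCRE_LIMIT_MSG, "tx-0001"),
    _record("203.0.113.11", "/api/upload", RCE_RULE_ID, PCRE_LIMIT_MSG, "tx-0002"),
    _record("198.51.100.7", "/search", RCE_RULE_ID,
            "Remote Command Execution: Direct Unix Command Execution", "tx-0003",
            data="ARGS:q (payload redacted)"),
    _record("198.51.100.8", "/login", "942100",
            "SQL Injection Attack Detected via libinjection", "tx-0004"),
    "{not valid json",
]


def parse_waf_log(lines):
    """Parse a newline-delimited JSON export; skip blank or malformed lines instead of aborting."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def filter_by_rule(records, rule_id=RCE_RULE_ID):
    """Keep only the entries raised by one OWASP/DRS rule id."""
    return [r for r in records if r.get("properties", {}).get("ruleId") == rule_id]


def message_counts(records):
    """Histogram of messages: real rule matches versus engine errors for the same rule id."""
    return Counter(r.get("properties", {}).get("message") for r in records)


def pcre_error_uris(records):
    """Endpoints whose requests made the regex engine give up; inspect their inputs first."""
    return sorted({r["properties"]["requestUri"] for r in records
                   if r.get("properties", {}).get("message") == PCRE_LIMIT_MSG})


def summarize(records):
    """One row per entry with the fields worth correlating against backend logs."""
    rows = []
    for r in records:
        p = r.get("properties", {})
        rows.append({
            "clientIp": p.get("clientIp"),
            "requestUri": p.get("requestUri"),
            "ruleSetVersion": f"{p.get('ruleSetType')} {p.get('ruleSetVersion')}",
            "transactionId": p.get("transactionId"),
            "matchedData": p.get("details", {}).get("data", ""),
            "action": p.get("action"),
            "pcreLimitHit": p.get("message") == PCRE_LIMIT_MSG,
        })
    return rows


if __name__ == "__main__":
    recs = filter_by_rule(parse_waf_log(SAMPLE_LOG_LINES))
    for msg, n in message_counts(recs).items():
        print(f"{n:3d}  {msg}")
    print("endpoints with PCRE limit errors:", pcre_error_uris(recs))
    for row in summarize(recs):
        print(row)
```

With a real export, replace `SAMPLE_LOG_LINES` with the lines of the file (or the rows returned by a Log Analytics query). The `pcreLimitHit` flag is the point of the exercise: rows where it is true are candidates for the exclusion or request-size investigation the answers describe, while rows where it is false are actual 932150 matches and should be reviewed as potential attacks before any exclusion is considered.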
