modsecurity Performance?

All,

Has anyone deployed mod_security and observed its performance?

Murali


Ivan Ristic | 2 Dec 10:44 2003

Re: modsecurity Performance?


> Has anyone deployed mod_security and observed its performance?

   I am using mod_security on many servers with no "visible"
   performance impact. Audit and debug logging are big bottlenecks;
   you have to be careful with them (there is no reason to use
   a debug log on a production server).

   I measured the performance impact a while ago and it came to
   under 10%. In real life, if you configure mod_security not to
   pay attention to static resources (images) the performance
   difference becomes very small, as on a typical web site you
   get many accesses for static resources and only one access
   for a dynamic web page (which is where mod_security kicks in).

   I plan to do a comprehensive speed measurement again in the
   near future.

   There is another "problem", though. In order to be able to
   protect applications properly, mod_security introduces full
   request buffering, keeping the whole request body in memory.
   This increases memory consumption, but there is no other way
   to do it. Increased memory consumption is only a problem for
   file uploads. With Apache 1 you should turn mod_security off
   for pages where files are uploaded. Starting with 1.8 (soon),
   Apache 2 will not suffer from this problem; it will use a
   temporary file (after a certain memory limit) and will not
   use memory to store files in (it will still store complete
   request bodies for other types of requests).


DarkSniper | 5 Dec 15:18 2003

About the bug I reported and a feature request?

Hey list.
I posted a bug about the keyword 'nolog' still logging to audit_log.
Ivan asked me if I had RelevantOnly, and yes, I have that. :)

About the feature request: I do a lot of testing on my machines to check
that I haven't overlooked something.
Would it be possible to add a keyword no_log for a specific host, so that
it doesn't log my own machines, I mean?

// DarkSniper

PS. Sorry if this is a double post; I've had trouble with my mail recently,
hopefully it's all fixed. DS.

Ivan Ristic | 5 Dec 16:02 2003

Re: About the bug I reported and a feature request?

DarkSniper wrote:
> Hey list.
> I posted a bug about the keyword 'nolog' still logging to audit_log.
> Ivan asked me if I had RelevantOnly, and yes, I have that. :)

   There will be a v1.7.4 release (probably tonight) fixing that bug
   and another "bug" in the Apache 2 version that confuses PHP under
   certain conditions.

> About the feature request: I do a lot of testing on my machines to check
> that I haven't overlooked something.
> Would it be possible to add a keyword no_log for a specific host, so that
> it doesn't log my own machines, I mean?

   Sure, I've added your request to my TODO list. I will do a lot
   of small improvements after 1.8 (practically in the CVS right now)
   so you can expect your feature in 1.9.

-- 
ModSecurity (http://www.modsecurity.org)
[ Open source IDS for Web applications ]


DarkSniper | 5 Dec 17:34 2003

Re: About the bug I reported and a feature request?

> DarkSniper wrote:
> > Hey list.
> > I posted a bug about the keyword 'nolog' still logging to audit_log.
> > Ivan asked me if I had RelevantOnly, and yes, I have that. :)
>
>    There will be a v1.7.4 release (probably tonight) fixing that bug
>    and another "bug" in the Apache 2 version that confuses PHP under
>    certain conditions.
>
> > About the feature request: I do a lot of testing on my machines to check
> > that I haven't overlooked something.
> > Would it be possible to add a keyword no_log for a specific host, so that
> > it doesn't log my own machines, I mean?
>
>    Sure, I've added your request to my TODO list. I will do a lot
>    of small improvements after 1.8 (practically in the CVS right now)
>    so you can expect your feature in 1.9.

I can't wait to see the results. Thanks a lot, man, for this cool module! :)


Ulf Stegemann | 8 Dec 10:44 2003

Question / Feature Request Log Comment

Apache 1.3.29, mod_security 1.7.3

When using chained filter rules it seems that mod_security prints only the
pattern from the last filter rule of the chain in mod_security-message (with
"SecAuditEngine RelevantOnly", that is). Since I do a statistical analysis of
the audit log where, among other things, I count the different match patterns of
blocked requests, this is rather bad ... especially if you have a lot of
chained rules, some with identical last rules.

So my question is: what's the best way to circumvent such a behaviour? I
thought of adding a dummy last rule that always matches and contains
something like a comment in the pattern but that's rather ugly. Is there any
way to add a kind of "log comment" to mod_security-message?

Of course, adding a comment to filter rules that will be printed to the log
file might come in handy, anyway. Think of references and the like.

Regards,

Ulf

-- 
Ulf Stegemann
zeitform Internet Dienste       Fraunhoferstr. 5
                                64283 Darmstadt, Germany
http://www.zeitform.de          Tel: +49 (0)6151 155-636
mailto:stegemann <at> zeitform.de    Fax: +49 (0)6151 155-634
GnuPG/PGP Key-ID: 0x8862250A
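The kind of count Ulf describes, as an added example that is not part of the post and not mod_security's own code. It parses the 1.x audit_log layout visible later in this thread (entries separated by a line of "=" characters, then "Request:", "Handler:" and "Error:" lines, a line of "-" characters, and the raw request headers carrying mod_security-message and mod_security-action) and tallies blocked requests by the message that was logged. The three entries are constructed; the wording of the pattern-match message is an assumption. Two of the entries come from different chains that end in the same last rule, which is exactly the case where counting by mod_security-message alone merges them:

```python
"""Tally which filter blocked each request, from a mod_security 1.x audit_log.

Added example, not code from the list or from mod_security. Entry layout
follows the audit_log excerpt quoted in this thread; the sample entries are
constructed and the pattern-match message wording is an assumption.
"""
import re
from collections import Counter

SAMPLE_AUDIT_LOG = '''\
========================================
Request: 10.0.0.5 - - [Mon Dec  8 10:01:12 2003] "GET /cgi-bin/search?q=%3Cscript%3E HTTP/1.1" 500 541
Handler: cgi-script
Error: mod_security: Access denied with code 500. Pattern match "<script" at THE_REQUEST
----------------------------------------
GET /cgi-bin/search?q=%3Cscript%3E HTTP/1.1
Host: www.example.org
mod_security-message: Access denied with code 500. Pattern match "<script" at THE_REQUEST
mod_security-action: 500

========================================
Request: 10.0.0.6 - - [Mon Dec  8 10:02:40 2003] "GET /cgi-bin/guestbook?name=%3Cscript%3E HTTP/1.1" 500 541
Handler: cgi-script
Error: mod_security: Access denied with code 500. Pattern match "<script" at THE_REQUEST
----------------------------------------
GET /cgi-bin/guestbook?name=%3Cscript%3E HTTP/1.1
Host: www.example.org
mod_security-message: Access denied with code 500. Pattern match "<script" at THE_REQUEST
mod_security-action: 500

========================================
Request: 10.0.0.7 - - [Mon Dec  8 10:03:05 2003] "GET /images/buttonse/inkassoausk%FCnfte.gif HTTP/1.1" 500 541
Handler: (null)
Error: mod_security: Invalid character detected [252]
----------------------------------------
GET /images/buttonse/inkassoausk%FCnfte.gif HTTP/1.1
Host: www.example.org
mod_security-message: Invalid character detected
mod_security-action: 500

'''

# "Request:" line: client, two ident/user fields, bracketed time, quoted
# request line, status, bytes (or "-").
REQUEST_RE = re.compile(
    r'^Request: (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>\S+)" (?P<status>\d+) (?P<bytes>\S+)$',
    re.M,
)
ERROR_RE = re.compile(r"^Error: (?P<error>.*)$", re.M)
MESSAGE_RE = re.compile(r"^mod_security-message: (?P<message>.*)$", re.M)


def parse_audit_log(text):
    """Split the log on the '=' separator lines and extract one dict per entry."""
    entries = []
    for chunk in re.split(r"^=+[ \t]*$", text, flags=re.M):
        req = REQUEST_RE.search(chunk)
        if req is None:  # leading fragment, or a chunk without a Request line
            continue
        err = ERROR_RE.search(chunk)
        msg = MESSAGE_RE.search(chunk)
        uri = req.group("uri")
        entries.append({
            "client": req.group("client"),
            "time": req.group("time"),
            "method": req.group("method"),
            "uri": uri,
            "path": uri.split("?", 1)[0],  # drop the query string for grouping
            "status": int(req.group("status")),
            "error": err.group("error") if err else None,
            "message": msg.group("message") if msg else None,
        })
    return entries


def count_by_message(entries):
    """Blocked requests per logged message: chains sharing a last rule merge here."""
    return Counter(e["message"] for e in entries if e["message"])


def count_by_message_and_path(entries):
    """Same tally keyed additionally on the request path, which keeps the two
    '<script' chains apart when they protect different scripts."""
    return Counter((e["message"], e["path"]) for e in entries if e["message"])


if __name__ == "__main__":
    parsed = parse_audit_log(SAMPLE_AUDIT_LOG)
    for message, n in count_by_message(parsed).most_common():
        print(n, message)
    print()
    for (message, path), n in count_by_message_and_path(parsed).most_common():
        print(n, path, "--", message)
```

Keying on the path is only a partial workaround: two chains guarding the same script and ending in the same rule still collapse into one bucket, which is the gap a per-rule identifier in the log would close.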


Ivan Ristic | 8 Dec 10:55 2003

Re: Question / Feature Request Log Comment

Ulf Stegemann wrote:
> Apache 1.3.29, mod_security 1.7.3
> 
> When using chained filter rules it seems that mod_security prints only the
> pattern from the last filter rule of the chain in mod_security-message (with
> "SecAuditEngine RelevantOnly", that is).

   Yes. When a set of rules is chained, only the last rule is treated
   as an "action" rule. Perhaps I can relax that a bit to allow rule
   supplied actions to be executed but not the default action. So you
   would still be able to do something, but the rule execution would
   continue.

> Since I do a statistical analysis of
> the audit log where among other things I count the different match patterns of
> blocked requests, this is rather bad ... especially if you have a lot of
> chain-ed rules, some with identical last rules.
> 
> So my question is: what's the best way to circumvent such a behaviour? I
> thought of adding a dummy last rule that always matches and contains
> something like a comment in the pattern but that's rather ugly. Is there any
> way to add a kind of "log comment" to mod_security-message?
> 
> Of course, adding a comment to filter rules that will be printed to the log
> file might come in handy, anyway. Think of references and the like.

   I will introduce new features in that area in 1.9. I haven't decided
   yet, but I was thinking of adding several new actions to define a
   unique attack id (so you can have several rules/matches for the same
   thing), a message action (to log custom messages), a severity

Ulf Stegemann | 8 Dec 11:39 2003

Re: Question / Feature Request Log Comment

Ivan Ristic <ivanr <at> webkreator.com> wrote:

> Ulf Stegemann wrote:
>> Apache 1.3.29, mod_security 1.7.3
>> When using chained filter rules it seems that mod_security prints only the
>> pattern from the last filter rule of the chain in mod_security-message (with
>> "SecAuditEngine RelevantOnly", that is).
>
>    Yes. When a set of rules is chained, only the last rule is treated
>    as an "action" rule. Perhaps I can relax that a bit to allow rule
>    supplied actions to be executed but not the default action. So you
>    would still be able to do something, but the rule execution would
>    continue.

To allow some "action" after a match in a chain while still continuing the
chain would be a nice feature indeed.

[...]

>> So my question is: what's the best way to circumvent such a behaviour?

[...]

>> Of course, adding a comment to filter rules that will be printed to the log
>> file might come in handy, anyway. Think of references and the like.
>
>    I will introduce new features in that area in 1.9. I haven't decided
>    yet, but I was thinking of adding several new actions to define a
>    unique attack id (so you can have several rules/matches for the same
>    thing), a message action (to log custom messages), a severity

Carlos Molina Garcia | 12 Dec 14:57 2003

mod_security: Invalid character detected [252]

Greetings.

I installed mod_security on a server and, for the moment, all the pages
work fine. Now I have some little issues that I describe above
(extracted from the audit_log file).
Can anybody help me with this issue?
Any recommendation about the mod_security configuration directives and
security?

Thanks in advance..

========================================
Request: 200.75.133.65 - - [Fri Dec 12 09:44:48 2003] "GET /images/buttonse/inkassoausk%FCnfte.gif HTTP/1.1" 500 541
Handler: (null)
Error: mod_security: Invalid character detected [252]
----------------------------------------
GET /images/buttonse/inkassoausk%FCnfte.gif HTTP/1.1
Accept: image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Accept-Encoding: gzip,deflate
Accept-Language: en-us,en;q=0.5
Connection: keep-alive
Host: www.XXXXXX.org
Keep-Alive: 300
Referer: http://www.XXXX.org/htme/marktberatung.htm
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007
mod_security-message: Invalid character detected
mod_security-action: 500

Ivan Ristic | 12 Dec 14:57 2003

Re: mod_security: Invalid character detected [252]


> I installed mod_security on a server and, for the moment, all the pages
> work fine. Now I have some little issues that I describe above
> (extracted from the audit_log file).
> Can anybody help me with this issue?

   You've configured mod_security to reject requests containing
   characters that fall outside the 32-126 range (inclusive). And there
   are such characters in the example request you gave us.

   For example:

     /images/buttonse/inkassoausk%FCnfte.gif

   contains %fc (252)

   Change this line:

     SecFilterForceByteRange 32 126

   into:

     SecFilterForceByteRange 32 255

   and your problems will go away.

   FYI, future releases will include the ability to specify several
   ranges of acceptable characters, not only one as right now.

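The byte-range check from Ivan's reply, reproduced as an added example so the effect of changing the range can be seen before touching the server configuration; this is not mod_security's code. It assumes the check runs over the percent-decoded bytes of the URI (the reply reports %FC as 252) and that a range is inclusive at both ends. It goes slightly beyond what 1.7.3 accepts by taking several ranges, the extension the reply says is planned:

```python
"""Reproduce the SecFilterForceByteRange check on a request URI.

Added example, not mod_security's own code. Assumptions: the check applies
to the percent-decoded bytes of the URI, and each range is inclusive.
Several ranges are accepted, which 1.7.3 does not yet do.
"""
from urllib.parse import unquote_to_bytes


def out_of_range_bytes(raw_uri, ranges=((32, 126),)):
    """Return [(offset, byte)] for every decoded byte that no range allows.

    The default mirrors the list member's setting, SecFilterForceByteRange 32 126.
    """
    allowed = set()
    for lo, hi in ranges:
        allowed.update(range(lo, hi + 1))
    decoded = unquote_to_bytes(raw_uri)  # %FC -> byte 0xFC (252)
    return [(i, b) for i, b in enumerate(decoded) if b not in allowed]


def check_uri(raw_uri, ranges=((32, 126),)):
    """None if the URI passes; otherwise a message in the audit_log's wording."""
    bad = out_of_range_bytes(raw_uri, ranges)
    if not bad:
        return None
    return "Invalid character detected [%d]" % bad[0][1]


if __name__ == "__main__":
    uri = "/images/buttonse/inkassoausk%FCnfte.gif"  # the path from the audit_log above
    print("32 126          :", check_uri(uri))
    print("32 255          :", check_uri(uri, ((32, 255),)))
    print("32 126 + 160 255:", check_uri(uri, ((32, 126), (160, 255))))
    print("NUL under 32 255:", check_uri("/index%00.html", ((32, 255),)))
```

Widening the range to 32 255 only admits the high half of the byte space; NUL and the other control bytes below 32 are still rejected, so the fix for Latin-1 file names does not silently disable that part of the check. Once several ranges are supported, 32 126 plus 160 255 covers the printable ISO-8859-1 letters while still leaving out the 128-159 control range.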