Chris wrote:
> I noticed that dynamiconly is being deprecated, it is my understanding
> this saves resources since it stops static files such as images being
> checked.
>
> What is the reason for this, is the performance improvement tiny? Is
> it unstable? Or some other reason?

It's a combination of various factors.

To use the feature successfully one needs to configure Apache
in a special way, but I've seen too many people just ignore that
part and/or forget to test if it works. Furthermore, there are
inconsistencies in the ways Apache handles certain request
types (e.g. for directory requests) which make dynamic-detection
somewhat unreliable.

ModSecurity has always supported the HANDLER variable (although
I see now it's not documented). For 2.0 I'll make sure it is
possible to implement the same thing using just rules.

But even without that, you could just use SCRIPT_FILENAME to
test the file extensions and execute "nolog,allow" for static files.

--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
Apache Security (O'Reilly): http://www.apachesecurity.net
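
The SCRIPT_FILENAME approach suggested in the reply above, written out as a rule. This is an added example, not part of the original message; it assumes ModSecurity 1.x directive syntax, and the extension list is constructed for illustration.

```apache
# Constructed example for ModSecurity 1.x (SecFilter* directives).
# The extension list is an assumption: list only file types that this
# server never hands to a script handler.
SecFilterEngine On

# Keep this rule ahead of all other filters. "allow" ends rule
# processing for the request and "nolog" keeps the match out of the log.
# The trailing $ ties the match to the end of the resolved file name.
SecFilterSelective SCRIPT_FILENAME "\.(gif|jpe?g|png|ico|css|js)$" "nolog,allow"

# Weaker form, shown for comparison only. Without the $ anchor the
# "\.js" alternative also matches a file name ending in ".jsp", so a
# dynamic page would skip inspection.
# SecFilterSelective SCRIPT_FILENAME "\.(gif|jpe?g|png|ico|css|js)" "nolog,allow"
```

After deploying it, request one static file and one script and confirm that only the script request is still evaluated by the remaining filters.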