Hi Brian,
It happens on every match with an interruptive action such as proxy, allow, redirect. It successfully processes the request on which it makes the match and this gets proxied to the backend Tomcat, but any other requests that have been assigned to threads in the child process get dropped as the child process is restarted. As such, if one request is processed at a time everything is fine, but problems occur with concurrent transactions that go through ModSecurity.
I am also using SSL and require ModSecurity to route transactions to a different backend Tomcat server based on some matching field. Everything works perfectly if I just reverse proxy through Apache, and the thread management in Apache is fine. After more testing I do not think it is only related to XML matching, but on any ModSecurity match all other child threads in Apache get dropped so only one gets processed successfully at a time.
Have I set up something incorrectly or should Apache/ModSecurity be working like this? I have attached snippets from the logs below. Let me know if you need anything else.
ModSecurity Rules
SecRule REQUEST_HEADERS:Content-Type ^text/xml$ phase:1,t:lowercase,log,pass,ctl:requestBodyProcessor=XML
SecRule XML:/field/text() MatchString log,proxy:http://internalTomcat:8080,ctl:DebugLogLevel=9,phase:2

ModSecurity Debug Log
[28/May/2008:08:49:13 +0800] [***.com/sid#840af0][rid#e16e68][/][4] Recipe: Invoking rule ce37f8; [file "D:/Apache2/conf/rules/modsecurity_crs_15_customrules.conf"] [line "21"].
[28/May/2008:08:49:13 +0800] [***.com/sid#840af0][rid#e16e68][/][5] Rule ce37f8: SecRule "XML:/field/text()" "@rx MatchString" "phase:2,log,proxy:http://internalTomcat:8080"
[28/May/2008:08:49:13 +0800] [***.com/sid#840af0][rid#e16e68][/][4] Transformation completed in 0 usec.
[28/May/2008:08:49:13 +0800] [***.com/sid#840af0][rid#e16e68][/][4] Executing operator "rx" with param "MatchString" against XML:/field/text().
[28/May/2008:08:49:13 +0800] [***.com/sid#840af0][rid#e16e68][/][4] Operator completed in 0 usec.
[28/May/2008:08:49:13 +0800] [***.com/sid#840af0][rid#e16e68][/][4] Ctl: Set debugLogLevel to 9.
[28/May/2008:08:49:13 +0800] [***.com/sid#840af0][rid#e16e68][/][4] Rule returned 1.
[28/May/2008:08:49:13 +0800] [***.comsid#840af0][rid#e16e68][/][9] Match, intercepted -> returning.
[28/May/2008:08:49:13 +0800] [***.com/sid#840af0][rid#e16e68][/][1] Access denied using proxy to (phase 2) http://internalTomcat:8080. Pattern match "MatchString" at XML. [file "D:/Apache2/conf/rules/modsecurity_crs_15_customrules.conf"] [line "21"]
[28/May/2008:08:49:13 +0800] [***.com/sid#840af0][rid#e16e68][/][4] Time #2: 0

Apache Error Log
[Wed May 28 08:49:37 2008] [notice] Child 2632: Child process is running
[Wed May 28 08:49:37 2008] [notice] Child 2632: Acquired the start mutex.
[Wed May 28 08:49:37 2008] [notice] Child 2632: Starting 200 worker threads.
[Wed May 28 08:49:37 2008] [notice] Child 2632: Starting thread to listen on port 443.
[Wed May 28 08:49:37 2008] [error] [client] ModSecurity: Access denied using proxy to (phase 2) http://internalTomcat:8080. Pattern match "MatchString" at XML. [file "D:/Apache2/conf/rules/modsecurity_crs_15_customrules.conf"] [line "21"] [hostname "***.com"] [uri "/"] [unique_id "yXsKTAo80mgAAApIAJgAAADH"]
[Wed May 28 08:49:41 2008] [notice] Parent: child process exited with status 3221225477 -- Restarting.

On Tue, May 27, 2008 at 11:18 PM, Brian Rectanus <Brian.Rectanus@breach.com> wrote:
Does this only happen under load? Or does it happen every time there is an
XPath match? It would be helpful if you could provide a
(SecDebugLogLevel 9) debug log for the request that caused this. If you
can nail it down to just a single rule that causes this (and send that
as well), that would also be very helpful.


David Reade wrote:
> Just an update on the previous issue that I raised - I am getting the
> error - Error - child process exited with status 3221225477 in my
> Apache logs when load-balance testing. It appears to be thrown whenever an
> XPath match is successful within the ModSecurity rules and not just on
> proxying requests to the backend Tomcat server. This causes the rest of
> the requests assigned to the child thread processes to be dropped.
> The error in the event log is:
> Faulting application httpd.exe, version <>,
> faulting module ntdll.dll, version 5.2.3790.3959, fault address 0x0004afb2.
> Is XML matching in ModSecurity working for others on Apache 2.2.8 and
> ModSecurity 2.5.4?
> I am running on Windows Server 2003 SP2 with the correct 2008 C++ Runtime.
> Thanks,
> Dave

Brian Rectanus
Breach Security

In a room with no view, I saw everything....
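
Added example, not part of the original thread or of ModSecurity itself: a small triage script for the Apache error log quoted above. It decodes the child exit status as a Windows NTSTATUS value (3221225477 is 0xC0000005, an access violation) and pairs each child exit with the last ModSecurity event logged shortly before it. The function name, the 10-second window and the NTSTATUS table are assumptions made for this sketch; the log lines are copied from the post.

```python
import re
from datetime import datetime, timedelta

# Lines copied from the Apache error log quoted in the thread above.
SAMPLE_LOG = """\
[Wed May 28 08:49:37 2008] [notice] Child 2632: Starting thread to listen on port 443.
[Wed May 28 08:49:37 2008] [error] [client] ModSecurity: Access denied using proxy to (phase 2) http://internalTomcat:8080. Pattern match "MatchString" at XML. [file "D:/Apache2/conf/rules/modsecurity_crs_15_customrules.conf"] [line "21"] [hostname "***.com"] [uri "/"] [unique_id "yXsKTAo80mgAAApIAJgAAADH"]
[Wed May 28 08:49:41 2008] [notice] Parent: child process exited with status 3221225477 -- Restarting.
"""

# Well-known NTSTATUS values that show up as Windows process exit codes.
NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
}

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] (?P<msg>.*)$")
EXIT = re.compile(r"child process exited with status (\d+)")
FIELD = re.compile(r'\[(file|line|unique_id) "([^"]*)"\]')


def correlate_crashes(log_text, window_seconds=10):
    """Pair each child-exit notice with the last ModSecurity event before it."""
    crashes, last_event = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        msg = m["msg"]
        if "ModSecurity:" in msg:
            last_event = (ts, dict(FIELD.findall(msg)))
            continue
        hit = EXIT.search(msg)
        if not hit:
            continue
        status = int(hit.group(1))
        crash = {"time": ts, "status_hex": f"0x{status:08X}",
                 "status_name": NTSTATUS.get(status, "unknown"), "rule": None}
        # Only attribute the crash to a rule that fired shortly before the exit.
        if last_event and ts - last_event[0] <= timedelta(seconds=window_seconds):
            crash["rule"] = last_event[1]
        crashes.append(crash)
    return crashes


if __name__ == "__main__":
    for c in correlate_crashes(SAMPLE_LOG):
        print(c)
```

A correlation in time is a lead, not proof of cause; the level 9 debug log for the same unique_id is what confirms which rule was executing.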