Even with log level 9, I have no errors. In fact, I'm using CRS rules and it's the 2.2.2 version.

On Mon, Oct 24, 2011 at 7:24 PM, Christian Bockermann <chris@jwall.org> wrote:

On 24.10.2011 at 18:54, rm4dillo D wrote:

> Hi,
>
> I recently installed ModSecurity on a high traffic server and the CPU usage almost reached 100% while it's usually around 2 to 5%. Then, I tried to benchmark ModSecurity by simply using the Apache HTTP benchmarking tool ( ab -n ... http://localhost/ ) and I got the following results:
>
> - Without ModSecurity : 416ms / request
> - ModSecurity without rules : 482ms / request
> - ModSecurity with basic rules (paranoid mode off, SecResponseBodyAccess off) : 2241ms / request ?!!
>
> I have no false positives, so it's not related to massive logging.


Did you ensure that it's not doing any logging? Especially have a look at
the debug-log level of your setup.


> I also did some profiling on Apache HTTPD and noticed that 40% of the CPU time is spent in "modsecurity_process_phase_request_body". In my opinion, it's not that surprising...
>
> Any ideas or hints?

Some rules may require a considerable amount of time. In your case, I'd
switch on audit-logging and inspect the effect for a *single* request.
The audit-log section should reveal timing information on how much time
each request-phase required.

Start with no rule files included and slowly add rule-files to your config
one by one. In addition to ModSecurity filtering the request there might
be time required for RBL lookup (if such a thing is included in your rules)
or persistence maintenance (is modsecurity failing to write data to files?).

So in essence, you need to track this down little-by-little.

By "basic rules" I assume you're speaking about the core-rule set, right?
Which version did you install?


Regards,
   Chris
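
Added example, not part of the original messages: a small parser for the per-phase timing that the audit log's part H carries, ranking where a single request spent its time. It assumes the `Stopwatch2` line written by ModSecurity 2.6 and later (the thread does not state the ModSecurity version); the sample excerpt and the function names are constructed for illustration.

```python
import re

# Constructed part-H excerpt (not from the thread); times are in microseconds.
SAMPLE_AUDIT_H = """\
--a1b2c3d4-H--
Stopwatch: 1319475840000000 2241310 (- - -)
Stopwatch2: 1319475840000000 2241310; combined=1795190, p1=1200, p2=1780000, p3=300, p4=0, p5=13500, sr=150, sw=40, l=0, gc=0
--a1b2c3d4-Z--
"""

STOPWATCH2 = re.compile(r"^Stopwatch2:\s+(\d+)\s+(\d+);\s*(.*)$", re.M)
LABELS = {
    "p1": "phase 1 (request headers)",
    "p2": "phase 2 (request body)",
    "p3": "phase 3 (response headers)",
    "p4": "phase 4 (response body)",
    "p5": "phase 5 (logging)",
    "sr": "persistent storage read",
    "sw": "persistent storage write",
    "l": "audit logging",
    "gc": "garbage collection",
}

def parse_stopwatch2(text):
    """Return one dict per Stopwatch2 line: start, total duration, per-component times."""
    entries = []
    for m in STOPWATCH2.finditer(text):
        fields = {k: int(v) for k, v in re.findall(r"(\w+)=(\d+)", m.group(3))}
        entries.append({"start_us": int(m.group(1)),
                        "duration_us": int(m.group(2)),
                        "fields": fields})
    return entries

def rank_components(entry):
    """Sort components by time spent, with each one's share of the whole request."""
    total = entry["duration_us"] or 1  # avoid division by zero on a 0 us entry
    parts = [(k, v, v / total) for k, v in entry["fields"].items() if k in LABELS]
    return sorted(parts, key=lambda p: p[1], reverse=True)

if __name__ == "__main__":
    for entry in parse_stopwatch2(SAMPLE_AUDIT_H):
        print(f"request took {entry['duration_us']} us")
        for key, usec, share in rank_components(entry):
            print(f"  {LABELS[key]:<28} {usec:>9} us  {share:6.1%}")
```

A large `sr`/`sw` or `l` value points at persistent storage or audit logging rather than rule evaluation, which separates the causes listed in the reply above.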