Depending on your logging configuration (specifically if your SecAuditEngine is set to On vs. RelevantOnly) combined with your traffic load, your performance will be affected. Additionally, the script is a Proof of Concept script and it says so in the script itself and on the “About” page of the ModSecurity Console:


# This is a proof-of-concept script that listens to the
# audit log in real time and submits the entries to
# a remote HTTP server. This code is not suitable for
# non-trivial production use since it can only submit
# one audit log entry at a time, plus it does not handle
# errors gracefully.



Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache






From: [] On Behalf Of Tomer Okavi
Sent: Thursday, March 29, 2007 2:48 PM
Subject: [mod-security-users] DDOS



Using 2.1.0 on Apache 2.2.4 configured as reverse proxy and logging to ModSecurity Console.
I did a benchmark on the box and accidentally triggered one of the rules.
Watching the server-status page, all requests were in "L" state (logging) and Apache was slow with serving requests.
Disabled logging with and the benchmark was ok.
Looks like the performance isn't so great, and in production an attacker can easily DDOS the server by triggering a couple of thousand requests.

Has anyone checked the performance of the logging with over 100/Req per second?