Tomer,

Depending on your logging configuration (specifically if your SecAuditEngine is set to On vs. RelevantOnly) combined with your traffic load, your performance will be affected. Additionally, the modsec-auditlog-collector.pl script is a Proof of Concept script and it says so in the script itself and on the “About” page of the ModSecurity Console –

# This is a proof-of-concept script that listens to the
# audit log in real time and submits the entries to
# a remote HTTP server. This code is not suitable for
# non-trivial production use since it can only submit
# one audit log entry at a time, plus it does not handle
# errors gracefully.

--
Ryan C. Barnett
ModSecurity Community Manager

Breach Security: Director of Application Security Training
Web Application Security Consortium (WASC) Member
Author: Preventing Web Attacks with Apache

 


From: mod-security-users-bounces@lists.sourceforge.net [mailto:mod-security-users-bounces@lists.sourceforge.net] On Behalf Of Tomer Okavi
Sent: Thursday, March 29, 2007 2:48 PM
To: mod-security-users@lists.sourceforge.net
Subject: [mod-security-users] DDOS

 

Hi,

Using 2.1.0 on Apache 2.2.4 configured as a reverse proxy and logging to the ModSecurity Console.
I did a benchmark on the box and accidentally triggered one of the rules.
Watching the server-status page, all requests were in "L" state (logging) and Apache was slow with serving requests.
Disabled logging with modsec-auditlog-collector.pl and the benchmark was OK.
Looks like the modsec-auditlog-collector.pl performance isn't so great, and in production an attacker can easily DDoS the server by triggering a couple of thousand requests.

Has anyone checked the performance of the logging with over 100 requests per second?


Tomer
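
An added example, not part of the original thread or of ModSecurity: a small monitor for the symptom described above, where Apache workers pile up in the "L" (logging) state on the server-status page. It parses the machine-readable `server-status?auto` output; the sample texts, the 0.5 threshold and the two-sample streak are constructed assumptions to tune per site.

```python
import re

# mod_status scoreboard keys: "L" = logging, "." = open slot with no worker.
LOGGING, OPEN_SLOT = "L", "."

def parse_scoreboard(status_text):
    """Extract the scoreboard string from server-status?auto output."""
    m = re.search(r"^Scoreboard:\s*(\S+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no Scoreboard line found")
    return m.group(1)

def logging_ratio(scoreboard):
    """Fraction of live workers (open slots excluded) in the L state."""
    live = [c for c in scoreboard if c != OPEN_SLOT]
    if not live:
        return 0.0
    return live.count(LOGGING) / len(live)

def check_samples(samples, threshold=0.5, consecutive=2):
    """True once `consecutive` successive samples reach `threshold`.

    One busy sample can be noise; a sustained streak suggests the audit
    log consumer cannot keep up with the rate of logged transactions.
    """
    streak = 0
    for text in samples:
        ratio = logging_ratio(parse_scoreboard(text))
        streak = streak + 1 if ratio >= threshold else 0
        if streak >= consecutive:
            return True
    return False

# Constructed samples in the shape of server-status?auto output.
HEALTHY = ("Total Accesses: 1200\nBusyWorkers: 4\nIdleWorkers: 4\n"
           "Scoreboard: _W_K__WL........\n")
STALLED = ("Total Accesses: 1900\nBusyWorkers: 8\nIdleWorkers: 0\n"
           "Scoreboard: LLLLWLLL........\n")

if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY), ("stalled", STALLED)):
        print(name, logging_ratio(parse_scoreboard(text)))
    print("alert:", check_samples([HEALTHY, STALLED, STALLED]))
```
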