I was just able to enable the persistent collection for IPs on one of our servers for testing purpose and
the issue happened again. I ran the sdbm-util on the ip.pag file and compared to the functioning file
I worked on yesterday, I can already see a difference.
The file I worked on yesterday was about 400 MiB and had approx. 75k entries; as the file was a little
older, the entries had all expired already. The file I have now is 1 GiB, but when I run the sdbm-util
on it (e.g. with the -s parameter) it only shows 4 elements. The file from yesterday had a fragmentation
rate of 100%, whereas the current file has 25% FR. The webserver ran from this morning to this noon, so
there should be at least 50k elements in the collection.
Here is the output of the sdbm-util with -s -v parameters:
$ LD_LIBRARY_PATH=/www/lib ./modsec-sdbm-util -v -s ./ip.pag
Opening file: ./ip.pag
modsec-sdbm-util.c:57:open_sdbm(): Trying to open: ./ip.pag
modsec-sdbm-util.c:70:open_sdbm(): Trying to open: ./ip
modsec-sdbm-util.c:84:open_sdbm(): File opened.
Database ready to be used.
modsec-sdbm-util.c:200:dump_database(): Showing some status about the databases...
modsec-sdbm-util.c:157:modsec_unpack(): Expired: 1399373780, 1399373695 delta: -85
modsec-sdbm-util.c:157:modsec_unpack(): Expired: 1399373797, 1399373695 delta: -102
modsec-sdbm-util.c:157:modsec_unpack(): Expired: 1399373024, 1399373695 delta: 671
modsec-sdbm-util.c:157:modsec_unpack(): Expired: 1399373815, 1399373695 delta: -120
modsec-sdbm-util.c:297:dump_database(): Failed to retrieve the next key.
I saw that "Failed to retrieve the next key." notice for the file I worked with yesterday as
well, but only after it showed at least 75k elements.
Does this information help you to help me troubleshoot this issue?
Once the IP collection is enabled in the ruleset (in addition to the blocking rules), the server still runs
fine… at least for a couple of hours. But after approx. 5-12 hours the logs begin to throw messages
There are some issues opened on GitHub related to similar problems. It seems that this problem is triggered in specific scenarios, so thanks for your detailed report, it is valuable.
While debugging those issues we have created the modsec-sdbm-util, which is able to open the collection file and interpret its content as ModSecurity does.
Similar problems have been reported in the following issues:
We are also working on alternatives to SDBM:
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
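As an added example (not code from this thread, from ModSecurity, or from modsec-sdbm-util), the script below walks a .pag file page by page instead of going through the library's firstkey/nextkey iteration, so it keeps counting records even where the iterator stops with "Failed to retrieve the next key". It then decodes each stored value the way the collection unpack loop does and classifies the record as live or expired from its __expire_KEY variable. Everything about the on-disk layout is an assumption stated in the code: the 1024-byte APR sdbm page with native-endian shorts and the pair.c layout (item count in ino[0], per-item start offsets, items packed downward from the page end), the 3-byte blob header followed by 2-byte big-endian length-prefixed, NUL-terminated name/value pairs ending in 0x0000, and expiry kept as __expire_<NAME>. The sample pages are constructed inline; pass a real ip.pag path to scan it instead.

```python
"""Page-level scan of a ModSecurity 2.x SDBM .pag collection file.

Added example, not code from the thread or from modsec-sdbm-util.
Assumptions (not verified against the thread): APR sdbm PBLKSIZ = 1024
with native-endian shorts; apr_sdbm pair.c page layout (ino[0] = item
count, ino[i] = start offset of item i, items packed downward from the
page end); a blob of a 3-byte header plus (2-byte big-endian length,
NUL-terminated string) name/value pairs ending in 0x0000; expiry stored
as __expire_<NAME>.  "Expired" here means now - __expire_KEY >= 0, the
sign convention of the delta values in the thread's output.
"""
import struct
import sys
import time

PBLKSIZ = 1024                   # APR sdbm page size (assumption)
BLOB_HEADER = b"\x49\x52\x01"    # 3-byte blob header (assumption; skipped, not checked)
NATIVE = "<" if sys.byteorder == "little" else ">"


def unpack_collection(blob: bytes) -> dict:
    """Decode one stored blob into {name: value}; raise ValueError if truncated."""
    out, off = {}, 3                      # skip the 3-byte header
    while off + 1 < len(blob):
        nlen = (blob[off] << 8) | blob[off + 1]
        off += 2
        if nlen == 0:                     # 0x0000 terminator
            break
        if off + nlen + 2 > len(blob):
            raise ValueError("truncated name")
        name = blob[off:off + nlen - 1].decode("latin-1")   # drop trailing NUL
        off += nlen
        vlen = (blob[off] << 8) | blob[off + 1]
        off += 2
        if vlen == 0 or off + vlen > len(blob):
            raise ValueError("truncated value")
        out[name] = blob[off:off + vlen - 1].decode("latin-1")
        off += vlen
    return out


def pack_collection(vars_: dict) -> bytes:
    """Inverse of unpack_collection; used only to build constructed test data."""
    body = bytearray(BLOB_HEADER)
    for name, value in vars_.items():
        for s in (name.encode(), value.encode()):
            body += struct.pack(">H", len(s) + 1) + s + b"\x00"
    return bytes(body + b"\x00\x00")


def iter_pairs(page: bytes, byteorder: str = NATIVE):
    """Yield (key, value) byte strings from one sdbm page; skip corrupt pages."""
    (n,) = struct.unpack_from(byteorder + "h", page, 0)
    if n <= 0 or n % 2 or 2 * (n + 1) > PBLKSIZ:
        return
    ino = struct.unpack_from(byteorder + "%dh" % n, page, 2)
    end, items = PBLKSIZ, []
    for off in ino:                       # offsets must step downward from the page end
        if not 2 * (n + 1) <= off <= end:
            return
        items.append(page[off:end])
        end = off
    for i in range(0, n, 2):
        yield items[i], items[i + 1]


def scan_pag(data: bytes, now: int, byteorder: str = NATIVE) -> dict:
    """Count records across all pages and split them into live/expired/bad."""
    stats = {"pages": 0, "records": 0, "live": 0, "expired": 0, "bad": 0}
    for p in range(0, len(data) - PBLKSIZ + 1, PBLKSIZ):
        stats["pages"] += 1
        for _key, value in iter_pairs(data[p:p + PBLKSIZ], byteorder):
            stats["records"] += 1
            try:
                exp = int(unpack_collection(value).get("__expire_KEY", "0"))
            except ValueError:
                stats["bad"] += 1
                continue
            stats["expired" if exp and now - exp >= 0 else "live"] += 1
    return stats


def build_page(pairs, byteorder: str = NATIVE) -> bytes:
    """Lay out one page as sdbm_putpair does (constructed test data only)."""
    page, off, n = bytearray(PBLKSIZ), PBLKSIZ, 0
    for key, value in pairs:
        for item in (key, value):
            off -= len(item)
            page[off:off + len(item)] = item
            n += 1
            struct.pack_into(byteorder + "h", page, 2 * n, off)
    struct.pack_into(byteorder + "h", page, 0, n)
    return bytes(page)


def sample_pag(now: int) -> bytes:
    """Constructed two-page image: two live records, one expired, one corrupt blob."""
    live = pack_collection({"KEY": "192.0.2.10", "__expire_KEY": str(now + 600), "ip_dos_counter": "3"})
    stale = pack_collection({"KEY": "192.0.2.11", "__expire_KEY": str(now - 85), "ip_dos_counter": "1"})
    soon = pack_collection({"KEY": "198.51.100.7", "__expire_KEY": str(now + 1)})
    p1 = build_page([(b"192.0.2.10\x00", live), (b"192.0.2.11\x00", stale)])
    p2 = build_page([(b"198.51.100.7\x00", soon), (b"bad\x00", BLOB_HEADER + b"\x00\x10zz")])
    return p1 + p2


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(scan_pag(fh.read(), int(time.time())))
    else:
        print(scan_pag(sample_pag(1399373695), 1399373695))
```

Run it as `python3 scan_pag.py /www/.../ip.pag` against the 1 GiB file: if the record count is in the tens of thousands while the utility shows 4, the data is on the pages and the failure is in the key iteration; if the count is also tiny, the writes themselves are not landing.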