Hi Ryan, 

You're right. I'll move to the CRS list.

On Mon, Oct 24, 2011 at 7:32 PM, Ryan Barnett <RBarnett@trustwave.com> wrote:
It is more than likely a rules issue. What rules are you using? If it is the OWASP CRS, I would suggest that you send a note to the CRS mail-list to discuss -



On Oct 24, 2011, at 1:08 PM, "rm4dillo D" <rm4dillo@gmail.com> wrote:

Correction: I'm talking about microseconds (us) not milliseconds (ms)

On Mon, Oct 24, 2011 at 6:54 PM, rm4dillo D <rm4dillo@gmail.com> wrote:

I recently installed ModSecurity on a high traffic server and the CPU usage almost reached 100% while it's usually around 2 to 5%. Then, I tried to benchmark ModSecurity by simply using the Apache HTTP benchmarking tool ( ab -n ... http://localhost/ ) and I got the following results:

- Without ModSecurity : 416ms / request
- ModSecurity without rules : 482ms / request
- ModSecurity with basic rules (paranoid mode off, SecResponseBodyAccess off) : 2241ms / request ?!!

I have no false positives, so it's not related to massive logging.

I also did some profiling on Apache HTTPD and noticed that 40% of the CPU time is spent in "modsecurity_process_phase_request_body". In my opinion, it's not that surprising...

Any ideas or hints?

Thank you in advance!

