Re: [mod-security-users] Help setting a file in a rule, how many definitions?
From: Ivan R. <iva...@gm...> - 2010-01-26 09:35:51
On Mon, Jan 25, 2010 at 4:09 AM, Brian Rectanus <bri...@br...> wrote:
> The @rbl operator does a lookup each time. It is essentially a dns lookup,
> so not that bad performance-wise.

It depends. I enabled it on my server for a period of time and then
noticed it had introduced about half a second of latency on the
_first_ request from an IP address.

I see two ways to address latency:

1. Have the RBL information available locally and use either a local
RBL, or @pmFromFile. This is straightforward if you are able to get an
RBL's complete zone files.

2. Perform @rbl lookups asynchronously. This requires further
development work and also fails to protect from single-request
exploitation.

> However, to speed it up you can cache to a
> persistent collection (IP) or you can create your own local rbl that is
> caching locally (basically a caching dns server that forwards all requests to
> the real rbl).
>
> -B
>
>
> --
> Brian Rectanus
> Breach Security
>
> -----Original Message-----
> From: Sergio [se...@gm...]
> Received: 1/24/10 7:53 PM
> To: Ivan Ristic [iva...@gm...]
> CC: mod...@li... [mod...@li...]
> Subject: Re: [mod-security-users] Help setting a file in a rule, how many
> definitions?
>
> Ivan,
> looking at other options I found that maybe using the @RBL will be better, the
> only thing is that I don't see any info about how it works. I mean, does the
> @RBL get the black list and save this in the server memory or does this
> function go to the RBL site and do a search for the IP every time an IP
> connects to the server?
>
> Regards,
> Sergio
>
> On Sun, Jan 24, 2010 at 11:56 AM, Ivan Ristic <iva...@gm...> wrote:
>>
>> I can only suggest that you report the problem as a bug:
>>
>> https://www.modsecurity.org/tracker/
>>
>> Don't forget to upload the 7500-line file that does not work because
>> it will be needed for debugging.
>>
>>
>> On Sun, Jan 24, 2010 at 5:18 PM, Sergio <se...@gm...> wrote:
>> > Thank you Ivan for your input.
>> >
>> > But I have a problem with my rule:
>> >
>> > SecRule REMOTE_ADDR "@pmFromFile myfile.txt"
>> >
>> > I have set in myfile.txt about 4,000 item lines and everything went fine,
>> > but then I increased this to 7,500 and then the rule didn't work.
>> >
>> > I am using this file to write there IPs that I want to check when connected
>> > to my server and I was glad with the results but it seems that the file has
>> > a limit.
>> >
>> > I have double checked that there are no white spaces nor duplicates but the
>> > error continues.
>> >
>> > Just in case it helps, my server is CPanel with RHEL 5.4 and 4GB of RAM.
>> >
>> > Once again, thank you for any input you can share with me.
>> >
>> > Regards,
>> > Sergio
>> >
>> > On Sun, Jan 24, 2010 at 10:01 AM, Ivan Ristic <iva...@gm...> wrote:
>> >>
>> >> On Sat, Jan 23, 2010 at 4:51 PM, Sergio <se...@gm...> wrote:
>> >> > Hi to all,
>> >> > I am new on this list and I want to say hi to everyone.
>> >> >
>> >> > Sorry if this question has been posted before, but my first time here and I
>> >> > don't know where to search on the mailing list.
>> >> >
>> >> > Well, I have this issue, I am setting a new rule where I am using a .TXT file
>> >> > to input some definitions like domain names or IPs. So, I just want to know,
>> >> > how many lines a file of this type can handle?
>> >>
>> >> I am assuming you've encountered a problem with a large list of
>> >> phrases? I've just looked into the source code of ModSecurity and
>> >> there's no obvious limit there. I did find something else, though:
>> >>
>> >> - Whitespace around phrase lines is not stripped. Thus, stray
>> >> whitespace after patterns (which is difficult to spot) may cause
>> >> issues.
>> >>
>> >> - The code currently strips only one LF from the end of each line, but
>> >> leaves CR (if present). That too may cause issues (e.g., if you're
>> >> editing your files on Windows).
>> >>
>> >> FYI, I've opened an issue for the above problems:
>> >> https://www.modsecurity.org/tracker/browse/MODSEC-126
>> >>
>> >> --
>> >> Ivan Ristic
>> >> ModSecurity Handbook [https://www.feistyduck.com]
>> >> SSL Labs [https://www.ssllabs.com/ssldb/]
>> >
>> >
>>
>>
>>
>> --
>> Ivan Ristic
>> ModSecurity Handbook [https://www.feistyduck.com]
>> SSL Labs [https://www.ssllabs.com/ssldb/]
>
>

--
Ivan Ristic
ModSecurity Handbook [https://www.feistyduck.com]
SSL Labs [https://www.ssllabs.com/ssldb/]
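
The two parsing issues listed in the thread (whitespace around phrases is not stripped, and a CR is left behind when only the LF is removed) can be checked for before a phrase file is handed to @pmFromFile. The following Python script is an added example, not part of the thread and not ModSecurity code; the function name and the sample addresses are constructed for illustration.

```python
import sys

def lint_phrase_file(data: bytes):
    """Return (clean_phrases, findings) for the raw bytes of a phrase file.

    findings is a list of (line_number, issue) tuples.
    """
    findings, clean, seen = [], [], {}
    # Split on LF only, mirroring the "strips only one LF" behaviour described
    # in the thread, so a CRLF file shows up as a trailing CR on each line.
    lines = data.split(b"\n")
    if lines and lines[-1] == b"":
        lines.pop()  # the file's final newline, not an empty phrase
    for number, raw in enumerate(lines, start=1):
        if raw.endswith(b"\r"):
            findings.append((number, "trailing CR (CRLF line ending)"))
        body = raw.rstrip(b"\r")
        phrase = body.strip(b" \t")
        if phrase != body:
            findings.append((number, "leading or trailing whitespace"))
        if not phrase:
            findings.append((number, "blank line"))
            continue
        if phrase in seen:
            findings.append((number, f"duplicate of line {seen[phrase]}"))
            continue
        seen[phrase] = number
        clean.append(phrase)
    return clean, findings

# Constructed sample input (documentation-range addresses, not from the thread):
# one CRLF line, one trailing space, one blank line, one duplicate.
SAMPLE = b"192.0.2.10\r\n198.51.100.7 \n\n203.0.113.5\n192.0.2.10\n"

if __name__ == "__main__":
    # With a path argument, lint that file; otherwise lint the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    phrases, problems = lint_phrase_file(data)
    for number, issue in problems:
        print(f"line {number}: {issue}", file=sys.stderr)
    # Cleaned list on stdout: LF endings, no padding, no duplicates.
    sys.stdout.buffer.write(b"\n".join(phrases) + b"\n")
```

Findings go to stderr and the cleaned list to stdout, so the output can be redirected into the file that the rule references.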