Hi Breno,
We are using the following rules - with the exception of excluding some
particular rule IDs or whitelisting IPs here and there, there isn't
anything really custom.
/var/asl/rules/10_asl_rules.conf
/var/asl/rules/20_asl_useragents.conf
/var/asl/rules/30_asl_antispam.conf
/var/asl/rules/50_asl_rootkits.conf
/var/asl/rules/60_asl_recons.conf
/var/asl/rules/99_asl_jitp.conf
We are using the mpm_event - as opposed to the mpm_prefork which I
understand is what is not threaded, could this be the underlying issue
as Rainer mentioned?
Following up with Rainer's point, the APR pools are becoming corrupt - I
don't recall the particular function (there are a few of them) with the
following loop, although the node in the linked list is basically
pointing to itself so it never gets freed up and consequently the loop
goes on forever - the 'fix' we implemented originally in libapr was to
simply add a conditional break statement based on whether "c == c->next".
(in run_child_cleanups())
    while (c) {
        *cref = c->next;
        (*c->child_cleanup_fn)((void *)c->data);
        c = *cref;
    }

On 02/13/2013 05:55 AM, Breno Silva wrote:
> Curtis,
>
> Are you using some custom ruleset ? or using only CRS ?
> Maybe i can copy your configuration/ruleset and try to reproduce, for
> better investigation
>
> Thanks
>
> Breno
>
> On Wed, Feb 13, 2013 at 12:05 AM, Rainer Jung <rai...@ki...
> <mailto:rai...@ki...>> wrote:
>
> On 12.02.2013 22:26, Curtis Wood wrote:
> > Hi All,
> >
> > We seem to have found a potential issue with mod security - we are using
> > cPanel along with Apache 2.2.23/mod_security 2.7.1. We noticed a strange
> > issue with Apache last year where it would be getting caught in an
> > internal loop with the apr_pool_cleanup routines - essentially trying to
> > clear the same pool over and over. Initially it was thought to only be
> > with this customer's particular website/setup - although recently we saw
> > the same issues on our production servers and have verified it is same
> > issue.
> >
> > We have disabled modsec2 fleet wide (2500+ servers) and the problem has
> > ceased to exist at this time. Unfortunately we have no idea what
> > triggers this, if it's a particular URL being accessed or what.
>
> Pool cleanup loops typically indicate a corruption in the pool data
> structures due to unsynchronized pool use by multiple threads. APR pools
> are not thread-safe.
>
> Regards,
>
> Rainer
>
>
> _______________________________________________
> mod-security-developers mailing list
> mod...@li...
> <mailto:mod...@li...>
> https://lists.sourceforge.net/lists/listinfo/mod-security-developers
> ModSecurity Services from Trustwave's SpiderLabs:
> https://www.trustwave.com/spiderLabs.php
>
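Added example, not part of the original thread and not APR's or ModSecurity's code: a minimal C model of the cleanup-list walk quoted above, with a "c == c->next" check of the kind the message describes. The cleanup_t layout, the placement of the check, the helper names and the sample list are assumptions made for illustration.

```c
#include <stdio.h>

/* Simplified stand-in for APR's cleanup list node (assumed layout: only
 * the fields the quoted loop touches). */
typedef struct cleanup_t {
    struct cleanup_t *next;
    const void *data;
    int (*child_cleanup_fn)(void *data);
} cleanup_t;

static int calls; /* number of cleanup callbacks that ran */
static int count_cleanup(void *data) { (void)data; calls++; return 0; }

/* The quoted loop plus a "c == c->next" check (placement is an assumption).
 * Returns 0 if the list ended normally, -1 if a self-linked node was hit. */
static int run_child_cleanups_guarded(cleanup_t **cref)
{
    cleanup_t *c = *cref;
    while (c) {
        int self_linked = (c == c->next);
        *cref = self_linked ? NULL : c->next; /* unlink before calling */
        (*c->child_cleanup_fn)((void *)c->data);
        if (self_linked) return -1; /* unguarded, c would repeat forever */
        c = *cref;
    }
    return 0;
}

/* Constructed input: three nodes; when corrupt != 0 the second node points
 * to itself. Stores the callback count in *ran, returns the walk status. */
int walk_sample_list(int corrupt, int *ran)
{
    cleanup_t n3 = { NULL, "n3", count_cleanup };
    cleanup_t n2 = { &n3, "n2", count_cleanup };
    cleanup_t n1 = { &n2, "n1", count_cleanup };
    cleanup_t *head = &n1;
    if (corrupt) n2.next = &n2;
    calls = 0;
    int rc = run_child_cleanups_guarded(&head);
    *ran = calls;
    return (head == NULL) ? rc : -2; /* -2: head was not cleared */
}

int main(void)
{
    int ran, rc = walk_sample_list(1, &ran);
    printf("corrupt list: rc=%d callbacks=%d\n", rc, ran);
    return 0;
}
```

The check only catches a node that links to itself; a longer cycle would still loop, and whatever corrupted the list is left in place.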