Re: [mod-security-users] ModSecurity phase timing
From: Christian F. <chr...@ne...> - 2018-03-23 20:28:00
Hey Zimmerle,

That makes sense, but I think it does not hold up when you look closer. Correct me if I am wrong, but correlating stap with an individual request is much more difficult than saving the perf-data out of ModSec directly into the access-log (Apache / ModSec 2.9) or error-log (NGINX / ModSec 3.0).

Also, I think the DURATION variable is not yet implemented in 3.0. Or did I make a mistake when I found it was always empty?

Best,

Christian

On Fri, Mar 23, 2018 at 01:14:04PM +0000, Felipe Costa wrote:
> Hi Gregory,
>
> Indeed, the PERF_ related variables are not supported in v3. The reason for that is the fact that you can use linux instrumentation to measure those performance numbers with better accuracy. As the PERF generation itself was already impacting on the performance.
>
> For further info, please have a look here: https://github.com/SpiderLabs/ModSecurity/issues/1011
>
> Br.,
> Felipe “Zimmerle” Costa
> Security Researcher, Lead Developer ModSecurity.
>
> Trustwave | SMART SECURITY ON DEMAND
> www.trustwave.com<http://www.trustwave.com/>
>
> From: Gregory LeFevre <gr...@cl...>
> Reply-To: "mod...@li..." <mod...@li...>
> Date: Wednesday, March 21, 2018 at 12:21 AM
> To: "mod...@li..." <mod...@li...>
> Subject: [mod-security-users] ModSecurity phase timing
>
> Hello,
>
> Is access to phase timing known to work in ModSecurity 3.x with Nginx?
>
> For example, should I be able to write a SecAction in phase:5 to log PERF_PHASE2, or PERF_ALL, etc.?
>
> I'm using an earlier version of Nginx, and I have such rules, and lines for them do, in fact, show up in the log, but without the performance information. For example, this (which I include in RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf):
>
> SecAction "id:90110, phase:5, pass, t:none, log, noauditlog, msg:'PERF_ALL: %{PERF_ALL}'"
>
> shows up in the log as:
>
> ... [id "90110"] [rev ""] [msg "PERF_ALL: "] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] ...
>
> Just curious whether this should be considered possible now or whether anyone already may have had success doing so.
>
> Thank you,
>
> Gregory

--
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:chr...@ne...
twitter: @ChrFolini
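
A way to check a whole log for the symptom described in this thread (a timing rule that logs, but with an empty value), as an added example that is not part of the original messages or of ModSecurity itself. It assumes each timing rule uses the msg:'<VARIABLE>: %{<VARIABLE>}' convention of rule 90110 above; the function names are hypothetical and every sample line except the first is constructed.

```python
import re
from collections import Counter

# One [key "value"] field of a ModSecurity log line; values may hold escaped quotes.
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
# Assumed msg convention, as in rule 90110 from the thread: '<VARIABLE>: %{<VARIABLE>}'
MSG_RE = re.compile(r'^(PERF_\w+|DURATION):\s*(.*)$')

def parse_fields(line):
    """Return the bracketed fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))

def perf_value(line):
    """Return (rule id, variable, value), or None if the line is not a timing line."""
    fields = parse_fields(line)
    m = MSG_RE.match(fields.get("msg", ""))
    if m is None:
        return None
    return fields.get("id", ""), m.group(1), m.group(2).strip()

def expansion_report(lines):
    """Map (rule id, variable) -> (lines with an empty value, lines seen)."""
    empty, seen = Counter(), Counter()
    for line in lines:
        hit = perf_value(line)
        if hit is None:
            continue
        key = hit[:2]
        seen[key] += 1
        if hit[2] == "":  # the macro expanded to nothing, as reported in the thread
            empty[key] += 1
    return {key: (empty[key], seen[key]) for key in seen}

SAMPLE = [
    # Log line quoted in the thread (NGINX / ModSecurity 3.x): value is empty.
    '... [id "90110"] [rev ""] [msg "PERF_ALL: "] [data ""] [severity "0"] ...',
    # Constructed: what a populated timing line would look like (value is made up).
    '... [id "90112"] [rev ""] [msg "PERF_PHASE2: 1234"] [data ""] [severity "0"] ...',
    # Constructed: an ordinary rule hit, which must be ignored.
    '... [id "920350"] [msg "Host header is a numeric IP address"] [severity "4"] ...',
]

if __name__ == "__main__":
    for (rule_id, var), (empty, seen) in expansion_report(SAMPLE).items():
        print(f"rule {rule_id} {var}: {empty}/{seen} lines with empty value")
```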