Re: [mod-security-users] [Mod-security-developers] ModSecurity version 3.0.1 announcement

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hey Robert,

On Tue, Apr 03, 2018 at 05:50:07PM -0700, Robert Paprocki wrote:
> Can you share the specifics of your evaluation? Performance in modsec + crs
> will vary greatly depending on the request payload. Soon I would like to do
> some before and after trace profiling of these releases to better illustrate
> how libmodsec performs in various conditions.

I did a minimal self-compiled NGINX with a basic ModSecurity and CRS
as documented on https://www.netnea.com/cms/nginx-modsecurity-tutorials/ .
(These new tutorials are in a draft state, the quality is not yet there. Use
with caution.)

Testrun 1:
----------

/apache/bin/ab -n 1000 -c 1 "http://localhost/index.html?test=/etc/passwd"

3.0.0
	Concurrency Level:      1
	Time taken for tests:   26.172 seconds
	Complete requests:      1000
	Failed requests:        0
	Non-2xx responses:      1000
	Total transferred:      320000 bytes
	HTML transferred:       162000 bytes
	Requests per second:    38.21 [#/sec] (mean)
	Time per request:       26.172 [ms] (mean)
	Time per request:       26.172 [ms] (mean, across all concurrent reqs)
	Transfer rate:          11.94 [Kbytes/sec] received

3.0.2
	Concurrency Level:      1
	Time taken for tests:   4.585 seconds
	Complete requests:      1000
	Failed requests:        0
	Non-2xx responses:      1000
	Total transferred:      320000 bytes
	HTML transferred:       162000 bytes
	Requests per second:    218.12 [#/sec] (mean)
	Time per request:       4.585 [ms] (mean)
	Time per request:       4.585 [ms] (mean, across all concurrent reqs)
	Transfer rate:          68.16 [Kbytes/sec] received

Testrun 2:
----------

/apache/bin/ab -n 1000 -c 1 "http://localhost/index.html?test=innocent"

3.0.0
	Concurrency Level:      1
	Time taken for tests:   26.168 seconds
	Complete requests:      1000
	Failed requests:        0
	Total transferred:      853000 bytes
	HTML transferred:       612000 bytes
	Requests per second:    38.21 [#/sec] (mean)
	Time per request:       26.168 [ms] (mean)
	Time per request:       26.168 [ms] (mean, across all concurrent reqs)
	Transfer rate:          31.83 [Kbytes/sec] received

3.0.2
	Concurrency Level:      1
	Time taken for tests:   3.996 seconds
	Complete requests:      1000
	Failed requests:        0
	Total transferred:      853000 bytes
	HTML transferred:       612000 bytes
	Requests per second:    250.25 [#/sec] (mean)
	Time per request:       3.996 [ms] (mean)
	Time per request:       3.996 [ms] (mean, across all concurrent reqs)
	Transfer rate:          208.46 [Kbytes/sec] received

Felipe tagged a 3.0.2 yesterday and made it available at
https://github.com/SpiderLabs/ModSecurity/releases
I took that one for my tests. I reckon the performance is the same as with
the 3.0.1 that has been announced.

This perf test is obviously very superficial. A thing to note is that even
testrun 2 would write the error-log (to gather statistical data).

But whatever the specifics, I think this big performance boost will show in
any setup even if the factor might not be that high.

Having real perf tests done regularly would be very welcome, Robert.

Best,

Christian

-- 
I don't believe that we have come to the end of the democratic experiment.
-- Bruce Schneier