Hi,
On Wed, Apr 4, 2018 at 1:20 PM, Felipe Costa <FC...@tr...> wrote:
>
> I like the idea of having multiple rule sets and versions. My rationale is
> that ModSecurity was not designed to run a single rule set, nor a rule set
> version. It may be optimized for a specific rule set, but still, what are
> the consequences of the optimizations for the others.... At this point it
> makes sense to focus only on the public rule set, but we might need to take
> into consideration other rule sets as well.
>
I wholeheartedly agree. This is one of the largest drawbacks of
ModSecurity's design, IMO. Trying to separate *engine* performance from
*rule* performance was a big focus while developing lua-resty-waf, and we
still don't have it down right. Trying to write a highly optimized engine
for an arbitrary DSL is a tall order.
At this point, I don't think that there needs to be specific
optimization/tuning done that is geared specifically toward any particular
ruleset. Indeed, "ruleset" is a nebulous topic in its own right. I think
we've clearly shown in this thread that there are hot paths within the
engine itself that can use improvement. I do not mean to criticize any of
the development team by this; I simply wish to highlight the nature of what
we've found through some basic benchmarking and profiling. I suspect
further investigative efforts will shed more light on areas where both
community-backed rulesets, and the ModSecurity rule engine, can be improved.