Re: [mod-security-users] Performance using ModSecurity with Apache 1.3.x
From: K. C. L. <li...@la...> - 2005-12-16 00:07:57
On Thu, 15 Dec 2005, Ivan Ristic wrote:
> However, today I tried something else: I compiled
> ModSecurity for Apache 1.3.x against PCRE instead of the
> built-in regex library. I only had a very brief time to
> test the result but it appears that everything works
> well and the regex execution speed is equal to that of
> Apache 2.x.

That sounds interesting. How does one compile Apache 1.3.x with PCRE
instead of the built-in regex engine please?

While on the subject of response time, we deployed mod_security on one of
our Apache 1.3.33 servers (PHP-4.4.1, OpenSSL-0.9.8, Apache_SSL and
mmcache-2.4.4) running Linux 2.2.26. It worked well for anything between a
few hours to a day before two, and only two, of the Apache child processes
started eating up CPU time, e.g. 45% and 49%. Apache would eventually become
unresponsive and had to be restarted. Recompiling Apache without
mod_security would restore it to its former steady running state. Any
pointers as to what might be causing the high CPU consumption please?

Please see the Apache configuration section of mod_security at the end.

Regards,
Kwong Li
London

httpsd.conf mod_security section:

<IfModule mod_security.c>
SecFilterEngine DynamicOnly
SecFilterScanPOST On
SecFilterSelective HTTP_Transfer-Encoding "!^$"
SecFilterDefaultAction "deny,log,status:403"
SecFilterInheritance On
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
SecFilter "\.\./"
SecFilter /etc/password
SecFilter /bin/ls
SecFilter "<(.|\n)+>"
SecFilter "<[[:space:]]*script"
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "drop[[:space:]]table"
SecFilter "select.+from"
SecFilterSelective REQUEST_METHOD "!^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Type "!(^application/x-www-form-urlencoded$|^multipart/form-data;)"
SecFilterSelective REQUEST_METHOD "^(GET|HEAD)$" chain
SecFilterSelective HTTP_Content-Length "!^$"
SecFilterSelective REQUEST_METHOD "^POST$" chain
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecAuditEngine RelevantOnly
SecAuditLog logs/audit_log
</IfModule>