Re: [mod-security-users] Performance using ModSecurity with Apache 1.3.x

[K. C. L. <li...@la...>]

On Fri, 16 Dec 2005, Ivan Ristic wrote:

>   That's not what I did. I simply changed ModSecurity to
>   use PCRE directly, ignoring the regex library that comes
>   with Apache 1.3.x.

Ah, I see. No wonder I couldn't see any option to select which regex
engine to use in Apache or PHP.

>   Hmmm, yours is the first report to mention ModSecurity malfunctioning
>   like that. (And, for the record, I don't get many bug reports either ;)

It is probably our configuration rather than mod_security that is causing
the problem. It is a great idea and we couldn't wait to have it running
properly. Some popular applications such as phpNuke are so full of
security holes that it is a nightmare for any sysadmin.

>   Is that something that happened to you once, or is it something that
>   happens every time you turn ModSecurity on? Also, which version of

We switched it on twice. The first time the high CPU usage occurred a few
hours into the running. The second time the high CPU usage occurred about
a day later. But when it occurs, Apache would effectively hang until
restarted.

>   ModSecurity did you use?

Sorry, I should have given that information initially. It is version
1.9.1.

>   If you are up for it (I am) maybe you can do some of the things
>   listed in the Apache debugging guide:
> 
>   http://httpd.apache.org/dev/debugging.html
> 
>   Starting with strace, for example.

The Apache server is quite busy so would probably produce a large amount
of strace or debugging information. I'll have a read and see what are
practical to do. Thanks.

> > SecFilterSelective REQUEST_METHOD "^POST$" chain
> 
>   ^ Another directive is supposed to come after this one. (It's not
>     something that would have brought a process down, though.)

Sorry, I have omitted it by mistake on copying. It should be followed by:

SecFilterSelective HTTP_Content-Length "^$"

Regards,

Kwong Li
London