Re: [mod-security-users] compiling against PCRE
From: Zach R. <ad...@li...> - 2005-12-22 02:47:59
I also removed the badips and converted it into firewall rules. ipfw2 seems to handle them just fine.

blacklist.conf has quite a bit of potential to solve a rather annoying problem, but 6900+ lines of rules is just too much to effectively run for all requests.

The rules.conf file I have now was cut down only to include applications that I see used. Quite a few of those seem to be for applications that aren't run quite as much.

Standard: 4239
Cut down: 1975

After switching it back to DynamicOnly and the cutdown rules.conf everything seems to work just fine.

I didn't mean to say that mod_security alone was responsible, but its use with the complete ruleset is problematic. Optimizing and being selective is definitely necessary even with PCRE, but PCRE is a huge boost to speed any way you look at it.

Zach

Justin Grindea wrote:

> badips is good maybe on a quad opteron box :)
> while it's impossible to use them in mod_security, we found that iptables can
> handle them without much pain, well, depending on the amount of traffic. Our
> servers do less than 5Mb in average so it's fine.
>
> One drawback is blacklist.conf which I also drop. It should be broken down to
> few files and sorted out by relevance/priority.
>
> rules.conf should also definitely be edited, tons of junk and also duplicates in
> there. Looks like author starts to use IDs for the rules so I hope it will be easier
> to categorize per/server rules and make the update process easier.
>
> Also, try using DynamicOnly. How PCRE would speed up processing a
> PDF/SWF/JPG?
>
> Justin
>
>
> Zach Roberts wrote:
>
>> In my more updated tests it appears as if the PCRE does help quite a
>> bit but, it still isn't enough.
>>
>> Mod_security cannot handle the thousands of rules necessary to secure
>> against all the security threats there seem to be.
>>
>> Since gotroot.com's ruleset seems to be standard for mod_security
>> installations I did tests with those rules.
>>
>> To start off I loaded the rules into the configuration in no
>> particular order except exclude.conf being first and watched as the
>> server became unstable then crashed.
>>
>> After rebooting I reordered them where the less intensive rules were
>> first (badips.conf) and others were last but, no ordering seemed to
>> have a very noticeable effect. The server's load went back up and it
>> crashed again.
>>
>> By removing badips.conf, several thousand rules from rules.conf, and
>> reordering them again I did get the server stable enough with
>> "SecFilterEngine On" with low to medium traffic. When traffic picked
>> up at 5PM the server load started to rise and the server crashed again.
>>
>> Any further improvements would definitely be welcomed. ;)
>>
>> Zach
>>
>> Ivan Ristic wrote:
>>
>>> Justin Grindea wrote:
>>>
>>>> hmm, forgot to paste the output...
>>>> here it is:
>>>>
>>>
>>> Try this first:
>>> <apache1-home>/bin/apxs -DUSE_PCRE -cia mod_security.c
>>>
>>> If that works but you still need to use LoadFile
>>> use:
>>>
>>> LoadFile /usr/lib/libpcre.so
>>>
>>> Otherwise just download the source from pcre.org
>>> and install it exactly as described in the manual.
>>>
>>
>> _______________________________________________
>> mod-security-users mailing list
>> mod...@li...
>> https://lists.sourceforge.net/lists/listinfo/mod-security-users
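
Added example, not part of the original thread or of any poster's setup: one way to move per-address rules out of mod_security and into an ipfw lookup table, as the top message describes doing with badips. The line shape of badips.conf is not shown in the thread, so the `SecFilterSelective REMOTE_ADDR "^a\.b\.c\.d$"` format, the table number and the rule number are assumptions, and the sample input is constructed.

```python
import ipaddress
import re

# Assumed line shape (badips.conf is not shown in the thread): one fully
# anchored regex per host, e.g. SecFilterSelective REMOTE_ADDR "^192\.0\.2\.15$"
RULE = re.compile(r'^\s*SecFilterSelective\s+REMOTE_ADDR\s+"([^"]*)"')
HOST = re.compile(r'\^(\d{1,3}(?:\\\.\d{1,3}){3})\$')

# Constructed sample input using documentation-only address ranges.
SAMPLE = r'''
# constructed sample
SecFilterSelective REMOTE_ADDR "^192\.0\.2\.15$"
SecFilterSelective REMOTE_ADDR "^198\.51\.100\.7$"
SecFilterSelective REMOTE_ADDR "^192\.0\.2\.15$"
SecFilterSelective REMOTE_ADDR "^203\.0\.113\."
SecFilterSelective THE_REQUEST "wget "
'''

def parse_host(pattern):
    """Return an IPv4Address if the regex names exactly one host, else None."""
    m = HOST.fullmatch(pattern)
    if not m:
        return None  # prefix or partial pattern: matches more than one address
    try:
        return ipaddress.IPv4Address(m.group(1).replace("\\.", "."))
    except ValueError:
        return None  # octet out of range

def extract_addresses(conf_text):
    """Return (hosts, skipped): unique hosts, and address rules for manual review."""
    hosts, skipped, seen = [], [], set()
    for line in conf_text.splitlines():
        rule = RULE.match(line)
        if not rule:
            continue  # comments, blanks and non-address rules stay in mod_security
        ip = parse_host(rule.group(1))
        if ip is None:
            skipped.append(line.strip())
        elif ip not in seen:
            seen.add(ip)
            hosts.append(ip)
    return hosts, skipped

def ipfw_commands(hosts, table=1, rule_number=100):
    """Emit ipfw commands: one table entry per host plus a single deny rule."""
    cmds = [f"ipfw table {table} flush"]
    cmds += [f"ipfw table {table} add {ip}/32" for ip in hosts]
    cmds.append(f"ipfw add {rule_number} deny ip from 'table({table})' to any")
    return cmds
```

Rules returned in `skipped` are regex prefixes rather than single hosts, so they need a hand-written CIDR entry instead of an automatic conversion.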