Re: [mod-security-users] compiling against PCRE
From: Ivan R. <iv...@we...> - 2005-12-22 12:11:00
On 12/22/05, Zach Roberts <ad...@li...> wrote:
> In my more updated tests it appears as if the PCRE does help quite a bit
> but, it still isn't enough.

Hi Zach,

Thanks for the update.

> Since gotroot.com's ruleset seems to be standard for mod_security
> installations I did tests with those rules.

I have to disagree slightly. I don't think there is such a thing as standard rules for ModSecurity. That's why I don't include any with the distribution. ModSecurity is a versatile tool. It can be applied to many different scenarios and there cannot be a single rule set that fits them all.

Having thousands of rules in the configuration is clearly wrong, even if there were no performance problems. Take the bad IP addresses list, for example. It makes no sense (at least to me) to watch for them on the Apache level. As you have noted, a much better approach is to restrict access at the firewall. That way Apache would not even have to bother.

ModSecurity should, in my opinion, be configured with a couple of hundred rules at the most. Processing of such a rule set takes only a millisecond or two on a reasonably fast box. Processing thousands of regular expressions for every request, where 99% of them do not apply, is a tremendous waste of resources. For that one would clearly need to either use specialised hardware (making the regexes much faster) or front the web servers with a cluster of reverse proxies with ModSecurity.

People running shared hosting facilities are clearly in a very difficult position. (I used to do just that in my previous job, BTW.) I think a completely different approach is needed to solve the problem:

1) completely isolate customers from one another (so that an intrusion in one account cannot affect the others),
2) give customers the option to run certified applications (applications which can be patched automatically), and
3) explain to those that do not choose option 2 that they are responsible for maintaining security.

Ivan
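As an added illustration of the point made above about per-request cost growing with the number of regex rules (this is example code written for this page, not code from the thread or from ModSecurity itself), the following Python micro-benchmark models a rule set as a list of compiled regexes that are all evaluated against every request, roughly as a signature-based filter does. The rule patterns, the request string and the rule counts are all constructed sample data; `build_ruleset`, `apply_rules` and `time_per_request` are names chosen here, not ModSecurity APIs.

```python
"""Per-request cost versus rule-set size (added example, constructed data).

A rule set is modelled as a list of compiled regular expressions that are
all applied to every request. Only one rule can ever match the sample
request; the rest stand in for the "99% that do not apply" and still cost
a regex search each. Timings are returned, not asserted to exact values,
since they depend on the machine.
"""
import re
import time


def build_ruleset(n):
    """Construct n regex rules (assumed sample signatures).

    Rules 0..n-2 look for tokens that never occur in the sample request;
    the last rule is a simple SQL-injection style signature that does.
    """
    rules = [re.compile(rf"\bsig{i}_[a-z]+\b", re.IGNORECASE)
             for i in range(n - 1)]
    rules.append(re.compile(r"union\s+select", re.IGNORECASE))
    return rules


def apply_rules(rules, request):
    """Return the indices of all rules whose pattern is found in request.

    Every rule is evaluated regardless of earlier matches, which is the
    worst case the message describes (no short-circuiting, no prefilter).
    """
    return [i for i, rule in enumerate(rules) if rule.search(request)]


def time_per_request(rules, request, iterations=200):
    """Average wall-clock seconds to evaluate the whole rule set once."""
    start = time.perf_counter()
    for _ in range(iterations):
        apply_rules(rules, request)
    return (time.perf_counter() - start) / iterations


# Constructed sample request line (already URL-decoded for simplicity).
SAMPLE_REQUEST = "GET /search?q=1' union select password from users HTTP/1.1"


def compare_rule_counts(small=200, large=2000):
    """Time the same request against a small and a large rule set.

    Returns (seconds_small, seconds_large, matches_small, matches_large).
    The matched-rule lists show both sets flag the request the same way;
    the timings show the cost of the rules that never apply.
    """
    small_rules = build_ruleset(small)
    large_rules = build_ruleset(large)
    return (
        time_per_request(small_rules, SAMPLE_REQUEST),
        time_per_request(large_rules, SAMPLE_REQUEST),
        apply_rules(small_rules, SAMPLE_REQUEST),
        apply_rules(large_rules, SAMPLE_REQUEST),
    )


if __name__ == "__main__":
    t_small, t_large, m_small, m_large = compare_rule_counts()
    print(f"200 rules:  {t_small * 1e3:.3f} ms/request, matched {m_small}")
    print(f"2000 rules: {t_large * 1e3:.3f} ms/request, matched {m_large}")
    print(f"cost ratio: {t_large / t_small:.1f}x for 10x the rules")
```

Both rule sets flag the request through the single applicable rule; the difference is entirely the time spent on rules that cannot match, which is the waste the message describes and why a compact rule set, with bulk address blocking pushed down to the firewall, keeps the per-request cost in the low-millisecond range.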