Re: [mod-security-users] compiling against PCRE
From: Tom A. <tan...@oa...> - 2005-12-22 15:30:35
Zach Roberts wrote:
> Mod_security cannot handle the thousands of rules necessary to secure
> against all the security threats there seem to be.

Thousands of rules? Are you mad? No wonder your server is screeching to a halt. Rather than starting with thousands of rules and slowly removing them as they are unneeded, how about starting with the bare minimum and adding rules as needed. I'd be surprised if I run with more than two dozen rules!

I can understand the desire to protect against any possible entry point, but you should really customize your rule set to the applications actually running on your server. For instance, if you don't have PHP, then you shouldn't need any rules which address PHP vulnerabilities. If you don't have a blog, then you don't need blog spamming rules. And I think blacklisting rules are probably unnecessary overhead for anyone unless you can do something like a DNS block list, where it is a simple query instead of a huge list of sequential rules.

Finally, I would imagine that condensing rules would help significantly, but maybe someone who has time can test it for certain. But intuitively, I'd think that defining a new rule would require more instructions than tacking on elements to another rule.

For instance, if you want to block these IPs:

  SecFilterSelective REMOTE_ADDR 192\.168\.123\.456
  SecFilterSelective REMOTE_ADDR 10\.2\.3\.4
  SecFilterSelective REMOTE_ADDR 172\.16\.17\.18
  SecFilterSelective REMOTE_ADDR 192\.168\.123\.789
  SecFilterSelective REMOTE_ADDR 192\.168\.456\.789
  SecFilterSelective REMOTE_ADDR 10\.3\.4\.5
  SecFilterSelective REMOTE_ADDR 10\.2\.3\.10
  SecFilterSelective REMOTE_ADDR 172\.16\.17\.20

Then you should be able to write this as one rule:

  SecFilterSelective REMOTE_ADDR (192\.(168\.(123\.(456|789)|456\.789))|(10\.(2\.3\.(4|10)|3\.4\.5))|(172\.(16\.17\.(18|20))))

Or if you wanted to block these URLs:

  SecFilterSelective THE_REQUEST www\.hackers\.com
  SecFilterSelective THE_REQUEST www\.hackerz\.com
  SecFilterSelective THE_REQUEST www\.hax0rz\.com
  SecFilterSelective THE_REQUEST www\.h4ckers\.com
  SecFilterSelective THE_REQUEST www\.hack3rs\.net
  SecFilterSelective THE_REQUEST www\.hackerz\.net
  SecFilterSelective THE_REQUEST www\.h4x0rz\.net
  SecFilterSelective THE_REQUEST www\.h4ckerz\.net

Seems like quite a cacophony of spellings, but you could use this one rule:

  SecFilterSelective THE_REQUEST www\.h(a|4)(ck|x)(e|3|0)r(s|z)\.(com|net)

Let's say that the actual URL coming to the site is "www.h4ckerz.net"... then in the first case (multiple rules), it would begin each rule, start matching the "www\.h" and then fail, over and over again, until it finally matched the whole string. In the second case, it matches on the very first rule and only fails in part, such as on the "a" instead of "4", but then picks up where it left off without having to start all over again with a new rule.

But like I said, I don't know the internal processing of these things, so it may not make a huge difference. The best thing to do would be to test it.

Tom
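The rule-condensing Tom describes above is an instance of a general technique: building one alternation from a list of literal strings while factoring out shared prefixes, which is exactly what his hand-written REMOTE_ADDR regex does. The following is an added example, not code from the original message or from the ModSecurity project, that automates that step: it loads the literals into a character trie, emits a PCRE-compatible pattern from the trie, and checks that the single combined pattern accepts the same inputs as the per-literal rules. Unlike the hand-written THE_REQUEST regex, the generated pattern matches only the listed strings (no extra spellings such as "hax3rz"). The function and variable names here are my own; the sample IP addresses and hostnames are the ones from the post.

```python
import re

# Constructed sample data, taken from the message above.
BLOCKED_IPS = [
    "192.168.123.456", "10.2.3.4", "172.16.17.18", "192.168.123.789",
    "192.168.456.789", "10.3.4.5", "10.2.3.10", "172.16.17.20",
]
BLOCKED_HOSTS = [
    "www.hackers.com", "www.hackerz.com", "www.hax0rz.com", "www.h4ckers.com",
    "www.hack3rs.net", "www.hackerz.net", "www.h4x0rz.net", "www.h4ckerz.net",
]


def _build_trie(words):
    """Character trie; the empty-string key marks the end of a literal."""
    trie = {}
    for w in words:
        node = trie
        for ch in w:
            node = node.setdefault(ch, {})
        node[""] = {}
    return trie


def _trie_to_regex(node):
    """Emit an alternation in which every shared prefix appears once,
    e.g. {"10.2.3.4", "10.2.3.10"} becomes 10\\.2\\.3\\.(?:10|4)."""
    if "" in node and len(node) == 1:
        return ""                      # leaf: literal ends here
    ends_here = "" in node             # literal may end OR continue
    branches = [re.escape(ch) + _trie_to_regex(node[ch])
                for ch in sorted(k for k in node if k != "")]
    if len(branches) == 1 and not ends_here:
        return branches[0]             # plain concatenation, no group needed
    body = "|".join(branches)
    return "(?:" + body + ")?" if ends_here else "(?:" + body + ")"


def consolidate(words, anchored=False):
    """Return one regex matching exactly the given literals. With anchored=True
    the whole subject must equal a literal (what you want for REMOTE_ADDR);
    unanchored, the literal may appear anywhere (as in a THE_REQUEST line)."""
    if not words:
        raise ValueError("need at least one literal")
    pattern = _trie_to_regex(_build_trie(words))
    return "^" + pattern + "$" if anchored else pattern


def is_blocked(words, candidate, anchored=False):
    """Evaluate the single consolidated rule against one request value."""
    return re.search(consolidate(words, anchored), candidate) is not None


def same_decisions(words, inputs, anchored=False):
    """True if the one combined pattern and the list of one-literal rules agree
    on every input; this is the check to run before swapping rule sets."""
    for s in inputs:
        if anchored:
            individually = any(s == w for w in words)
        else:
            individually = any(w in s for w in words)
        if is_blocked(words, s, anchored) != individually:
            return False
    return True


# Constructed probe inputs: the blocked values plus near-misses.
SAMPLE_INPUTS = BLOCKED_IPS + BLOCKED_HOSTS + [
    "10.2.3.1", "10.2.3.40", "192.168.123.4", "www.hackers.org",
    "GET http://www.h4ckerz.net/ HTTP/1.0", "www.hax3rz.com",
]

if __name__ == "__main__":
    print("SecFilterSelective REMOTE_ADDR \"" + consolidate(BLOCKED_IPS, True) + "\"")
    print("SecFilterSelective THE_REQUEST \"" + consolidate(BLOCKED_HOSTS) + "\"")
    print("equivalent:", same_decisions(BLOCKED_IPS, SAMPLE_INPUTS, True),
          same_decisions(BLOCKED_HOSTS, SAMPLE_INPUTS))
```

The generated pattern is plain PCRE syntax (non-capturing groups, escaped dots), so it can be pasted into a SecFilterSelective line; the anchored form matters for REMOTE_ADDR because, unanchored, a literal like 10\.2\.3\.4 also matches 10.2.3.40. The `same_decisions` check is the cheap way to confirm a consolidated rule has not widened or narrowed the block list before it replaces the originals.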