Thread: [mod-security-users] Loads of gettimeofday() calls when using mod_security2 + gotroot rules
Brought to you by:
victorhora,
zimmerletw
From: Mark Z. <mar...@pi...> - 2007-05-15 10:18:30
|
Hi there, I've just been profiling some servers we're about to deploy, and I've been using `strace httpd -X` to look at the performance. When we run the server normally, the strace output is pretty short, but when we add mod_security2.1.1 to the mix (using gotroot.com rules, with one or two disabled but without the blacklists, and a few of our own rules), we get something like 1750 gettimeofday() calls, aprox every 50 microseconds, between the lstat64() of the file that has been requested (a 20-byte html file), and its open(). What is the purpose of these calls? I'm guessing it's something like regex speed debugging, but is it really needed? Is there some way to disable this in apache config or in source? Thanks, Mark -- Mark Zealey Product Development * Pipex Hosting mar...@pi... This mail is subject to this disclaimer: http://www.pipex.net/disclaimer.html |
From: Brian R. <Bri...@br...> - 2007-05-15 14:40:45
|
Mark Zealey wrote: > Hi there, > > I've just been profiling some servers we're about to deploy, and I've > been using `strace httpd -X` to look at the performance. When we run the > server normally, the strace output is pretty short, but when we add > mod_security2.1.1 to the mix (using gotroot.com rules, with one or two > disabled but without the blacklists, and a few of our own rules), we get > something like 1750 gettimeofday() calls, aprox every 50 microseconds, > between the lstat64() of the file that has been requested (a 20-byte > html file), and its open(). What is the purpose of these calls? I'm > guessing it's something like regex speed debugging, but is it really > needed? Is there some way to disable this in apache config or in source? Turn off/down the debug_log and that will help as a gettimeofday is called for each log entry. You can do something like this (I'll change that for the next release as well): Index: apache2/re.c =================================================================== --- apache2/re.c (revision 247) +++ apache2/re.c (working copy) @@ -1181,7 +1181,9 @@ var->value_len)); } - time_before_regex = apr_time_now(); /* IMP1 time_before_regex? */ + if (msr->txcfg->debuglog_level >= 4) { + time_before_regex = apr_time_now(); /* IMP1 time_before_regex? */ + } rc = rule->op_metadata->execute(msr, rule, var, &my_error_msg); if (msr->txcfg->debuglog_level >= 4) { msr_log(msr, 4, "Operator completed in %" APR_TIME_T_FMT " usec.", I doubt it is that much overhead, but you could modify the record_time_checkpoint() function in apache2_util.c to not call apr_time_now() and then modify msc_logging.c to not set the Stopwatch header in the audit log. Now, if you are just trying to filter this out of strace, use -e 'trace=!gettimeofday' :) If you see a huge difference in your profiling, then let me know. thanks, -B -- Brian Rectanus Breach Security |