[Modsecurity] Let me ask this question again!!

Michael Shinn mike at gotroot.com
Sun May 20 15:30:51 EDT 2007


Thanks for the question.  Yes, it's alive and well (I thought I was
pretty clear about that in a previous mail).  :-)

The primary reasons for the long delay in releasing new rules are:

1)  modsec cannot handle a lot of rules without serious performance issues
2)  There does not appear to be a solution to fix this limitation in
modsec, outside of running with fewer rules and jamming as many regexps
as possible onto one line.

So I've been working very hard on these performance issues.   I have
long held that purely generic rules are only a small part of a good set
of rules.  Positive rules and negative rules both have their place,
and any WAF must be able to handle thousands of rules to operate in a
complex environment, and not merely hundreds as seems to be the
"preferred" configuration.  I myself run with every rule you see on gotroot.

With that said, I deeply respect and appreciate the work of everyone on
the modsec team, but I do not want to just stop with the approach of
running with fewer, but more complex rules.  This makes it much harder to
write, maintain, and document specific rules for a specific app, and
specific vulnerability.  I believe this forces one to write too many
generic rules, which increases the rate of false positives.

For example, in a hosting environment, you can expect to run with
thousands of rules if you customize even just a few for each vhost.  And
if you start building rules for complicated apps, you may increase that
several fold - and then performance suffers.  I don't want to trade
security for performance, or vice versa.   So, the short end of it, I've
been working for the past 6 months on ways to solve this problem,
including dropping modsec altogether and going with another approach.

And if someone from Breach is reading this, I appreciate all your hard
work and I sincerely hope that you are interested in embracing a vision
where we can run with more rules.

Now, I will be putting out a new release shortly, with the caveat that
the modsec performance issues are something outside of my control in
those releases.

Michael S. wrote:
> Is this project dead or is it still alive????????????
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Modsecurity mailing list
> Modsecurity at gotroot.com
> http://lists.gotroot.com/mailman/listinfo/modsecurity
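The workaround the mail describes (fewer SecRules, each carrying many regexps joined into one expression) can be illustrated with a small script. This is an added example, not code from the gotroot rule set, from ModSecurity, or from the mail's author. The signature fragments and request samples below are constructed for illustration; the rule id and message in the rendered SecRule are placeholders, and the SecRule syntax assumed is ModSecurity 2.x.

```python
"""Consolidate many single-pattern WAF signatures into one alternation.

Added example: each pattern in SIGNATURES stands for what would otherwise be
its own SecRule. Folding them into one alternation means the engine walks one
rule per request instead of N, which is the trade-off the mail refers to.
"""
import re

# Constructed sample signatures (not real gotroot rules): one pattern each.
SIGNATURES = [
    r"\.\./\.\./",       # directory traversal fragment
    r"union\s+select",   # SQL injection fragment
    r"<script\b",        # reflected XSS fragment
    r"/etc/passwd",      # local file inclusion fragment
]

# Constructed request fragments used to check both rule forms agree.
SAMPLES = [
    "/index.php?page=../../etc/passwd",
    "id=1 UNION SELECT 1,2",
    "q=hello world",
    "<SCRIPT>alert(1)",
    "comment=nothing to see here",
]


def build_alternation(patterns):
    """One compiled regex that matches iff any individual pattern matches.

    Each pattern is wrapped in a non-capturing group so that a '|' inside one
    pattern cannot leak into the neighbouring alternatives."""
    joined = "|".join(f"(?:{p})" for p in patterns)
    return re.compile(joined, re.IGNORECASE)


def compile_individually(patterns):
    """The 'one rule per signature' form, for comparison."""
    return [re.compile(p, re.IGNORECASE) for p in patterns]


def matches_any(compiled_list, text):
    return any(r.search(text) for r in compiled_list)


def matches_combined(combined, text):
    return combined.search(text) is not None


def check_equivalent(patterns, samples):
    """True when the consolidated rule fires on exactly the same inputs as the
    separate rules. Run this after every merge: a stray unescaped '|' or a
    forgotten group is the usual way consolidation silently changes coverage."""
    combined = build_alternation(patterns)
    singles = compile_individually(patterns)
    return all(matches_any(singles, s) == matches_combined(combined, s)
               for s in samples)


def to_secrule(patterns, rule_id, msg):
    """Render the consolidated pattern as a single ModSecurity 2.x SecRule.

    rule_id and msg are placeholders supplied by the caller; the variable list
    (ARGS|REQUEST_URI) and actions are an assumption for the example."""
    alt = "|".join(f"(?:{p})" for p in patterns)
    return (f'SecRule ARGS|REQUEST_URI "{alt}" '
            f"\"id:{rule_id},phase:2,deny,log,t:lowercase,msg:'{msg}'\"")


if __name__ == "__main__":
    print("consolidated rule equivalent to separate rules:",
          check_equivalent(SIGNATURES, SAMPLES))
    print(to_secrule(SIGNATURES, 900001, "consolidated generic signatures"))
```

The equivalence check is the part worth keeping: merging regexps by hand is exactly where a rule author loses a signature without noticing, and a short list of known-good and known-bad samples catches that before the merged rule is deployed.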
