[Modsecurity] Let me ask this question again!!
Michael Shinn
mike at gotroot.com
Mon May 21 09:57:00 EDT 2007
On Mon, 2007-05-21 at 09:44 +0200, Marc Stern wrote:
> Can you give us more details about the performance problems?
> Do you have any metrics?
Not specifically. For the longest time, I could not even reproduce the
problems, but have been able to on some unique boxes. For what it's
worth, I run all the rules on my boxes with no issues, but on some boxes
I've taken a look at, there is a slowdown for really large rulesets.
> What about the other solutions ? Are there better ones ?
Well, sort of and maybe; so far I'm not done evaluating what I've found,
but a good example of a system that can scale to a lot of rules is Snort.
So it's possible to run with lots of rules without killing your box.
> Thanks,
>
> Marc
>
>
> Michael Shinn wrote:
> > Thanks for the question. Yes, it's alive and well (I thought I was
> > pretty clear about that in a previous mail). :-)
> >
> > The primary reasons for the long delay in releasing new rules are:
> >
> > 1) modsec can not handle a lot of rules without serious performance issues
> > 2) There does not appear to be a solution to fix this limitation in
> > modsec, outside of running with fewer rules and jamming as many regexps
> > as possible onto one line.
> >
> > So I've been working very hard on these performance issues. I have
> > long held that purely generic rules are only a small part of a good set
> > of rules. Positive rules and negative rules each have their place,
> > and any WAF must be able to handle thousands of rules to operate in a
> > complex environment, and not merely hundreds as seems to be the
> > "preferred" configuration. I myself run with every rule you see on gotroot.
> >
> > With that said, I deeply respect and appreciate the work of everyone on
> > the modsec team, but I do not want to just stop with the approach of
> > running with fewer, but more complex, rules. This makes it much harder to
> > write, maintain, and document specific rules for a specific app and
> > specific vulnerability. I believe this forces one to write too many
> > generic rules, which increases the rate of false positives.
> >
> > For example, in a hosting environment, you can expect to run with
> > thousands of rules if you customize even just a few for each vhost. And
> > if you start building rules for complicated apps, you may increase that
> > several fold - and then performance suffers. I don't want to trade
> > security for performance, or vice versa. So, the short end of it, I've
> > been working for the past 6 months on ways to solve this problem,
> > including dropping modsec altogether and going with another approach.
> >
> > And if someone from Breach is reading this, I appreciate all your hard
> > work and I sincerely hope that you are interested in embracing a vision
> > where we can run with more rules.
> >
> > Now, I will be putting out a new release shortly, with the caveat that
> > the modsec performance issues are something outside of my control in
> > those releases.
> >
> > Michael S. wrote:
> >
> > > Is this project dead or is it still alive????????????
> > > _______________________________________________
> > > Modsecurity mailing list
> > > Modsecurity at gotroot.com
> > > http://lists.gotroot.com/mailman/listinfo/modsecurity
--
Michael T. Shinn KeyID:0xDAE2EC86
Key Fingerprint: 1884 E657 A6DF DF1B BFB9 E2C5 DCC6 5297 DAE2 EC86
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xDAE2EC86
Got Root? http://www.gotroot.com
modsecurity rules: http://www.modsecurityrules.com
Troubleshooting Firewalls: http://troubleshootingfirewalls.com
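The workaround named in the quoted message, jamming many regexps onto one line, as an added example that is not from this thread or from ModSecurity itself: constructed per-application patterns are folded into one alternation whose named groups keep every hit attributable to its source rule (the documentation problem the thread raises), and the result is checked against evaluating the rules one by one. Python's `re` stands in for the WAF's regex engine, and a merged pattern still cannot carry per-rule actions or phases the way separate SecRules can.

```python
import re
import time

# Constructed sample patterns, one per hypothetical app-specific rule.
# In ModSecurity each would be a separate SecRule with its own id and docs.
RULES = {
    "app1_path_traversal": r"\.\./\.\./",
    "app2_php_wrapper": r"php://(?:input|filter)",
    "app3_union_select": r"union\s+(?:all\s+)?select",
    "app4_script_tag": r"<script\b",
}

def match_separately(rules, text):
    """Baseline: one regex scan per rule, as one SecRule per line implies."""
    return [name for name, pat in rules.items()
            if re.search(pat, text, re.IGNORECASE)]

def compile_combined(rules):
    """Fold every pattern into a single alternation. Each branch is a named
    group, so a hit can still be traced back to the rule it came from; that
    attribution is what gets lost when patterns are merged by hand."""
    branches = "|".join(f"(?P<{name}>{pat})" for name, pat in rules.items())
    return re.compile(branches, re.IGNORECASE)

def match_combined(combined, text):
    """One scan over the input; m.lastgroup names the branch that fired."""
    hits = []
    for m in combined.finditer(text):
        if m.lastgroup not in hits:
            hits.append(m.lastgroup)
    return hits

def bench(rules, texts, rounds=200):
    """Return (separate_seconds, combined_seconds) over the same inputs."""
    combined = compile_combined(rules)
    t0 = time.perf_counter()
    for _ in range(rounds):
        for t in texts:
            match_separately(rules, t)
    t1 = time.perf_counter()
    for _ in range(rounds):
        for t in texts:
            match_combined(combined, t)
    t2 = time.perf_counter()
    return t1 - t0, t2 - t1

if __name__ == "__main__":
    # Constructed request fragments: two suspicious, one benign.
    SAMPLES = ["GET /index.php?page=../../etc/passwd&q=1 UNION SELECT 1",
               "POST /login user=bob&pass=secret",
               "GET /view?tpl=php://input"]
    for s in SAMPLES:
        print(match_separately(RULES, s), match_combined(compile_combined(RULES), s))
    print("separate %.4fs, combined %.4fs" % bench(RULES, SAMPLES))
```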