17 Aug 13:26
Re: Performance tip
From: Ryan Barnett <rcbarnett <at> gmail.com>
Subject: Re: Performance tip
Newsgroups: gmane.comp.apache.mod-security.user
Date: 2006-08-17 11:26:30 GMT
Interesting. I have been wondering the same thing with regards to overall performance (clean regular expressions + number of total signatures). A few road blocks that I see preventing more people from trying to consolidate their sigs like this are -
1) Readability - sometimes it becomes hard to read the regexp string (and its associated meaning) when you combine many different rules into one. For instance, those users who use the snort2modsec.pl script usually like to see the Snort message info for the vuln to clearly understand what this sig is looking for.
2) Signature IDs - this may cause problems with tracking signatures that trigger. Example - I have associated unique sig IDs with every filter rule. This way, when I read the mod_security-message info that gets sent to me in email when a rule triggers, I can quickly do a search for the sig ID in my rule conf file for the rule that triggered.
Then again, I am sure that there is some middle ground here where easy/simple rules could be combined together to help reduce the overhead.
--
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
CIS Apache Benchmark Project Lead
SANS Instructor, GCIA, GCFA, GCIH, GSNA, GCUX, GSEC
Author: Preventing Web Attacks with Apache
On 8/17/06, Ivan Ristic <ivan.ristic <at> gmail.com> wrote:
I thought you might find this interesting:
http://www.modsecurity.org/blog/archives/2006/08/modsecurity_per.html
--
Ivan Ristic, Technical Director
Thinking Stone, http://www.thinkingstone.com
ModSecurity: Open source Web Application Firewall
_______________________________________________
mod-security-users mailing list
mod-security-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
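The trade-off discussed in this message, sketched as an added example that is not part of the original thread and is not ModSecurity configuration: several patterns are merged into one alternation, with one named group per signature so the ID and message of the matching signature can still be reported. The signature IDs, messages, patterns and request lines are constructed for illustration.

```python
import re

# Constructed sample signatures: (sig id, message, pattern).
# Not taken from any real rule set.
SIGNATURES = [
    (1001, "Access to /etc/passwd", r"/etc/passwd"),
    (1002, "Windows command shell in request", r"cmd\.exe"),
    (1003, "Script tag in parameter", r"<script\b"),
]


def build_combined(signatures):
    """Merge all patterns into one alternation, one named group per signature.

    Patterns should use non-capturing groups (?:...) internally so that the
    outer named group is always the one reported by lastgroup.
    """
    parts = [f"(?P<sig{sid}>{pat})" for sid, _msg, pat in signatures]
    return re.compile("|".join(parts), re.IGNORECASE)


COMBINED = build_combined(SIGNATURES)
BY_GROUP = {f"sig{sid}": (sid, msg) for sid, msg, _pat in SIGNATURES}
SEPARATE = [(sid, re.compile(pat, re.IGNORECASE)) for sid, _msg, pat in SIGNATURES]


def match_combined(request_line):
    """One regex pass; returns (sig_id, message) of the hit found
    earliest in the input, or None when nothing matches."""
    m = COMBINED.search(request_line)
    return BY_GROUP[m.lastgroup] if m else None


def match_separately(request_line):
    """One regex pass per signature; returns every sig id that matches."""
    return [sid for sid, rx in SEPARATE if rx.search(request_line)]


if __name__ == "__main__":
    # Constructed request lines.
    for line in (
        "GET /index.php?file=../../etc/passwd HTTP/1.0",
        "GET /a?x=<script>&f=/etc/passwd HTTP/1.0",
        "GET /index.html HTTP/1.0",
    ):
        print(line, "->", match_combined(line), match_separately(line))
```

The combined pattern keeps the signature ID searchable, but it reports only one hit per scan, whereas separate rules report every signature that matches the same request.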