
List:       mod-security-users
Subject:    Re: [mod-security-users] Looks like memory leakage on nginx 1.6.0/modsecurity 2.8.0
From:       Felipe Costa <FCosta () trustwave ! com>
Date:       2015-01-23 3:04:57
Message-ID: D0E73C84.BD5A%fcosta () trustwave ! com

Hi,

Regarding our nginx version, we do have a set of patches
that may help you with some of the issues that you are
currently facing. Those patches are available at the
branch nginx_refactoring, here:


- https://github.com/SpiderLabs/ModSecurity/tree/nginx_refactoring

There are known issues in the nginx_refactoring branch
that made us _hold_ the merge with our mainline.

You can also try to set SecBodyRequest to Off and run
the tests again. One of the known issues is related
to request body.


More info on SecBodyRequest here:

- https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#secrequestbodyaccess


Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs

Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com

From:  "flowdragon@qq.com" <flowdragon@qq.com>
Reply-To:  "mod-security-users@lists.sourceforge.net" <mod-security-users@lists.sourceforge.net>
Date:  Thursday, January 22, 2015 at 11:38 PM
To:  mod-security-users <mod-security-users@lists.sourceforge.net>
Subject:  [mod-security-users] Looks like memory leakage on nginx 1.6.0/modsecurity 2.8.0


Hi,
    I tested modsecurity 2.8.0 with nginx 1.6.0 several times and found that every
time I scanned the web server, the nginx processes took huge memory
and swap resources.

    My problems are:
    1. the huge resources taken by nginx+modsecurity
    2. I drop the remote_addr of a banned IP in phase 1, but the requests
still pass into phase 4

    (problem 1, resources)  I don't know what the problem is; here are my
test results so far.
    1. nginx in reverse proxy mode
    2. without modsecurity On, the average CPU is 0.4%, memory 115MB, swap
600MB more or less
    3. with it On, it takes all the memory (64GB total) and almost the same
size of swap, like 2 nginx processes with 27GB swap and memory each,
or 10GB swap and memory with 5 nginx processes.
    4. it looks like it always happened after rule ID 200005 showed up in the
log, TX:MSC_PCRE_LIMITS_EXCEEDED

    (problem 2, the rules do not work)
# Too many errors: block the IP after 50 errors, block for 3600s.
# Note: the ip collection must be initialised earlier in the config
# (initcol:ip=%{REMOTE_ADDR}) for the IP:* variables below to persist.

SecRule REMOTE_ADDR "@streq %{ip.blocked}" "id:'1',phase:1,drop,log,msg:'IP blocked %{ip.blocked}',expirevar:ip.blocked=3600"

SecRule IP:SCAN_BLOCK_FLAG "@ge 1" "id:'250',phase:1,t:none,drop,log,msg:'IP drop %{REMOTE_ADDR}',expirevar:ip.scan_block_flag=3600,setvar:ip.scan_block=+2"

# count every 4xx response against the client (no trailing comma in the action list)
SecRule RESPONSE_STATUS "^4[0-9][0-9]$" "id:'256',phase:3,t:none,pass,nolog,setvar:IP.scan_block=+1,setvar:ip.scan_deny=+1"

SecRule IP:SCAN_DENY "@ge 40" "id:'31',phase:1,t:none,drop,log,msg:'drop connection of %{REMOTE_ADDR}',setvar:ip.scan_deny=+1,expirevar:ip.scan_deny=1200,setvar:ip.blocked=%{REMOTE_ADDR}"
#SecRule REMOTE_ADDR "@streq %{ip}"

SecRule IP:SCAN_BLOCK "@ge 50" "id:'255',phase:1,t:none,deny,status:401,log,msg:'Scan Detect, IP block %{REMOTE_ADDR}',setvar:!IP.scan_block,setvar:ip.scan_block_flag=1"

# halve both counters at the end of every transaction
SecAction "id:'299',phase:5,deprecatevar:ip.scan_block=1/2,deprecatevar:ip.scan_deny=1/2,nolog,pass"


-------------------------
CPU: Intel(R) Xeon(R) CPU E7-4820 v2 @ 2.00GHz  * 12 core
MemTotal:       65972856 kB
 Swap: 33054712k total

------------------------
nginx version: nginx/1.6.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
TLS SNI support enabled
configure arguments: --with-http_gzip_static_module
--prefix=/usr/local/nginx --with-http_realip_module --with-http_ssl_module
--with-http_stub_status_module --add-module=/usr/local/ngx_cache_purge-2.1
--add-module=/usr/local/health
--add-module=../modsecurity/nginx/modsecurity


This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by modsecurity configure 2.8, which was
generated by GNU Autoconf 2.69.  Invocation command line was

  $ ./configure --with-yajl --enable-standalone-module --disable-mlogc
--enable-pcre-match-limit=900000 --enable-pcre-match-limit-recursion=900000


-----------------------

________________________________________
flowdragon@qq.com
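The report above ties the memory growth to rule 200005 firing with TX:MSC_PCRE_LIMITS_EXCEEDED. The script below is an added example, not code from this thread or from the ModSecurity project: it parses constructed nginx error-log lines modelled on the shape mod_security 2.x writes through nginx and counts the PCRE-limit events per worker PID, URI and client, so the per-PID counts can be set beside each worker's RSS/swap growth. All timestamps, PIDs, addresses and URIs in the sample are made up.

```python
import re
from collections import Counter

# Constructed sample nginx error-log lines in the shape mod_security 2.x emits
# through nginx; timestamps, PIDs, addresses and URIs are all made up.
SAMPLE_LOG = """\
2015/01/22 23:38:01 [error] 2101#0: *7 [client 203.0.113.7] ModSecurity: Warning. Pattern match "(?i:select)" at ARGS:q. [file "/usr/local/nginx/conf/modsecurity.conf"] [line "44"] [id "942100"] [msg "SQL Injection Attack"] [uri "/search"]
2015/01/22 23:38:02 [error] 2101#0: *8 [client 203.0.113.7] ModSecurity: Access denied with code 401 (phase 1). Operator GE matched 50 at IP:scan_block. [id "255"] [msg "Scan Detect, IP block 203.0.113.7"] [uri "/"]
2015/01/22 23:38:03 [error] 2102#0: *9 [client 198.51.100.9] ModSecurity: Rule execution error - PCRE limits exceeded (-8): [file "/usr/local/nginx/conf/modsecurity.conf"] [line "52"] [id "200005"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [uri "/app"]
2015/01/22 23:38:04 [error] 2102#0: *10 [client 198.51.100.9] ModSecurity: Rule execution error - PCRE limits exceeded (-8): [id "200005"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [uri "/app"]
2015/01/22 23:38:05 [error] 2101#0: *11 [client 198.51.100.9] ModSecurity: Rule execution error - PCRE limits exceeded (-8): [id "200005"] [msg "ModSecurity internal error flagged: TX:MSC_PCRE_LIMITS_EXCEEDED"] [uri "/app"]
"""

# Prefix nginx puts on every error line, followed by the ModSecurity message body.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[error\] (?P<pid>\d+)#\d+: \*\d+ '
    r'\[client (?P<client>[^\]]+)\] ModSecurity: (?P<body>.*)$')
# ModSecurity's [key "value"] fields inside the body.
KV_RE = re.compile(r'\[(\w+) "([^"]*)"\]')

def parse_line(line):
    """Return a dict of the line's fields, or None if it is not a ModSecurity line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "pid": int(m["pid"]), "client": m["client"]}
    rec.update(KV_RE.findall(m["body"]))
    return rec

def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def pcre_limit_hits(records):
    """Count MSC_PCRE_LIMITS_EXCEEDED events per worker PID, URI and client.
    Per-PID counts go beside per-worker memory growth; URI/client show what drives it."""
    per_pid, per_uri, per_client = Counter(), Counter(), Counter()
    for r in records:
        if "MSC_PCRE_LIMITS_EXCEEDED" in r.get("msg", ""):
            per_pid[r["pid"]] += 1
            per_uri[r.get("uri", "?")] += 1
            per_client[r["client"]] += 1
    return per_pid, per_uri, per_client

if __name__ == "__main__":
    per_pid, per_uri, per_client = pcre_limit_hits(parse_log(SAMPLE_LOG))
    for pid, n in per_pid.most_common():
        print(f"worker {pid}: {n} PCRE-limit events")
    print("by URI:", dict(per_uri), "by client:", dict(per_client))
```

Point parse_log at the real error log and compare the per-PID counts with the RSS of each nginx worker (for example from ps) to confirm whether the workers that grow are the ones hitting the PCRE limit.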

