Uploaded image for project: 'JBoss Core Services'
  1. JBoss Core Services
  2. JBCS-156

It appears that the ModSecurity module sometimes fails to increment an integer in persistent storage when many concurrent transactions are sent to the Apache web server.

    XMLWordPrintable

Details

    • CR1
    • Hide
      1. Create setup using configuration in this issue Description.
      2. Run load test using this script: 
        #!/bin/bash
for i in `seq 1 1000`;do
    curl -b "SESSIONID=testid" localhost/index.html &>/dev/null &
done
      3. You can either check the SecDebugLog or use the modsec-sdbm-util (https://github.com/SpiderLabs/modsec-sdbm-util/) to check the final count.
        • grep 'collection_store: Wrote variable: name "my_counter"' | tail -n1
        • OR
        • modsec-sdbm-util -du /dev/shm/modsec/default_SESSION
        • modsec-sdbm-util -du /dev/shm/modsec/global
        • If you have reproduced the issue, the final count will not be equal to the number of requests received by httpd.

      In my local testing, I would occasionally overload the httpd server and it was not able to receive all of the requests I sent. So, make sure you are not simply comparing the number of requests you sent to the final counter value. Make sure you check the number of request actually received into httpd against the final counter value.

      Show
      Create setup using configuration in this issue Description. Run load test using this script: #!/bin/bash for i in `seq 1 1000`; do curl -b "SESSIONID=testid" localhost/index.html &>/dev/ null & done You can either check the SecDebugLog or use the modsec-sdbm-util ( https://github.com/SpiderLabs/modsec-sdbm-util/ ) to check the final count. grep 'collection_store: Wrote variable: name "my_counter"' | tail -n1 OR modsec-sdbm-util -du /dev/shm/modsec/default_SESSION modsec-sdbm-util -du /dev/shm/modsec/global If you have reproduced the issue, the final count will not be equal to the number of requests received by httpd. In my local testing, I would occasionally overload the httpd server and it was not able to receive all of the requests I sent. So, make sure you are not simply comparing the number of requests you sent to the final counter value. Make sure you check the number of request actually received into httpd against the final counter value.

    Description

      This is the configuration that is breaking when hammered with many (~1000) concurrent requests:

          LoadModule security2_module ${MODULE_HOME}/modules/mod_security2.so
    <IfModule security2_module>
        SecRuleEngine On
        SecCollectionTimeout 15
        SecDataDir /dev/shm/modsec
        SecDebugLog /jws-3.0/httpd/logs/modsec-debug-GLOBAL-initcol.log
        SecDebugLogLevel 9

        SecRule REQUEST_COOKIES:SESSIONID !^$  phase:1,id:110,nolog,pass,setsid:%{REQUEST_COOKIES.SESSIONID}
        SecAction phase:1,id:111,nolog,pass,setvar:SESSION.my_counter=+1

        SecAction phase:1,id:112,nolog,pass,initcol:global=counter
        SecAction phase:1,id:113,nolog,pass,setvar:global.counter=+1
    </IfModule>

      The global "counter" and session "my_counter" should be equal. They should also be equal to the number of requests received by httpd in the 15 SecCollectionTimeout window.

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. JWS-489 It appears that the ModSecurity module sometimes fails to increment an integer in persistent storage when many concurrent transactions are sent to the Apache web server.

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed

          Activity

            People

              gzaronik@redhat.com George Zaronikas
              rhn-support-rbost Robert Bost
              Jan Onderka Jan Onderka
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: