Details
- Bug
- Resolution: Won't Do
- Major
- None
- httpd 2.4.6 GA
- None
Description
Customer reported issues with the ModSecurity database growing very large when running tests. We have confirmed the issue with a simple reproducer and split it into two separate problems:
- Garbage collection does not run as expected in ModSecurity 2.8.0 shipped with JWS 3.0.x. This means expired variables are not removed and the database continues to grow in size.
- This issue has already been resolved upstream in ModSecurity 2.9.0:
https://github.com/SpiderLabs/ModSecurity/pull/836
- Once the database file has grown to a given size, it does not shrink again. Below is a simple reproducer to demonstrate the behavior.
<IfModule mod_security2.c>
    SecRuleEngine On
    SecDebugLog /var/log/httpd24/modsec_debug.log
    SecDebugLogLevel 9
    SecTmpDir /var/cache/mod_security
    SecDataDir /var/cache/mod_security
    # Collections will be garbage collected after 60 seconds
    SecCollectionTimeout 60
    # Initialize session collection
    SecRule REQUEST_COOKIES:SESSIONID !^$ phase:1,id:118,nolog,pass,setsid:%{REQUEST_COOKIES.SESSIONID}
    # Increment session counter
    SecAction phase:1,id:119,nolog,pass,setvar:SESSION.my_counter=+1
</IfModule>
And here is a reproducer script (50000 distinct session cookies, each creating one SESSION collection entry):
#!/bin/bash
for i in `seq 1 50000`; do
    curl -b "SESSIONID=test$i" localhost/index.html &>/dev/null
done
Now start watching the number of database entries and compare it to the file size. This command helps with that (the .pag file lives under SecDataDir, /var/cache/mod_security in the config above):
# watch -n1 'modsec-sdbm-util /var/cache/mod_security/default_SESSION -du | grep " my_counter" | wc -l && ls -lah /var/cache/mod_security/default_SESSION.pag'
The first number is the database entry count; below it is the ls output showing the size of the database file.
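As an added example (not part of the original report), the watch command above can be turned into a sampler that labels each interval with the symptom it shows, so the two problems in the description can be told apart without reading the raw numbers. It assumes modsec-sdbm-util is on PATH, SecDataDir is /var/cache/mod_security with the default_SESSION collection from the reproducer, and that the operator sets IDLE=1 once the load script has finished and the sampling interval exceeds SecCollectionTimeout (60 s) with no new sessions.

```bash
#!/bin/bash
# Added example: sample (entry count, .pag size) for a ModSecurity SDBM
# collection and classify the change between two samples.
# Assumption: path layout and collection name follow the reproducer config.

DB="${MODSEC_DB:-/var/cache/mod_security/default_SESSION}"

# Live my_counter entries, counted the same way as the report's watch command.
entry_count() {
    modsec-sdbm-util "$1" -du | grep -c " my_counter" || true
}

# Size in bytes of the .pag file backing the SDBM collection.
pag_size() {
    stat -c %s "$1.pag"
}

# Pure function: compare previous and current sample.
# Args: prev_count cur_count prev_size cur_size [idle_past_timeout]
# Prints: gc-ran-file-not-shrunk | gc-not-running | growing | shrunk | stable
classify() {
    local prev_count=$1 cur_count=$2 prev_size=$3 cur_size=$4 idle=${5:-0}
    if [ "$cur_count" -lt "$prev_count" ] && [ "$cur_size" -ge "$prev_size" ]; then
        echo gc-ran-file-not-shrunk   # second problem: entries expired, file kept its size
    elif [ "$idle" = 1 ] && [ "$prev_count" -gt 0 ] && [ "$cur_count" -ge "$prev_count" ]; then
        echo gc-not-running           # first problem: past the timeout, nothing expired
    elif [ "$cur_size" -gt "$prev_size" ]; then
        echo growing                  # new sessions still being added
    elif [ "$cur_size" -lt "$prev_size" ]; then
        echo shrunk
    else
        echo stable
    fi
}

# Sampling loop: runs only when started with "run" and the utility is present,
# so the functions above can be sourced or tested on their own.
if [ "${1:-}" = run ] && command -v modsec-sdbm-util >/dev/null 2>&1; then
    prev_count=$(entry_count "$DB"); prev_size=$(pag_size "$DB")
    while sleep "${INTERVAL:-10}"; do
        cur_count=$(entry_count "$DB"); cur_size=$(pag_size "$DB")
        printf '%s entries=%s pag_bytes=%s %s\n' "$(date +%T)" "$cur_count" "$cur_size" \
            "$(classify "$prev_count" "$cur_count" "$prev_size" "$cur_size" "${IDLE:-0}")"
        prev_count=$cur_count; prev_size=$cur_size
    done
fi
```

Run it as `./sample.sh run` alongside the reproducer script; a run that reports gc-ran-file-not-shrunk after the entry count drops is the second problem from the description, while gc-not-running with IDLE=1 is the first.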