JBoss Web Server

JWS-596: ModSecurity persistent SESSION storage loss in data

    • Type: Bug
    • Resolution: Obsolete
    • Priority: Critical
    • Affects Version/s: JWS 3.0.2 GA, JWS 3.0.3 GA
    • Component/s: httpd
      1. Add this configuration:
            LoadModule security2_module modules/mod_security2.so
            <IfModule security2_module>
                SecRuleEngine On
                SecCollectionTimeout 15
                SecDataDir var/
                SecDebugLog logs/modsec-debug-SESSION.log
                SecDebugLogLevel 9

                SecAction 'id:1210,phase:1,t:none,noauditlog,nolog, \
                          setsid:constant, \
                          pass'

                SecRule   SESSION:IS_NEW '@eq 1' \
                          'id:1220,phase:1,t:none,noauditlog,nolog, \
                          setvar:SESSION.counter=+1, \
                          skipAfter:1230'

                SecAction 'id:1230,phase:1,t:none,noauditlog,nolog, \
                          setvar:SESSION.counter=+1, \
                          pass'
            </IfModule>

      2. Use this script to reproduce the issue (saved as `script.sh`):
        #!/bin/bash
        # Fire 1000 requests in the background so that many httpd workers
        # update the same SESSION collection concurrently.
        for i in $(seq 1 1000); do
            curl localhost &>/dev/null &
        done
        # Wait for all background curl processes to finish before the logs are checked.
        wait

      3. Reproduce the issue by:
        # ./sbin/apachectl start
        # ./script.sh

      4. Finally, check the logs. The `wc` command should show 1000 (or the number of requests you set in `script.sh`). The `grep` shows the last counter increment, which we would expect to be 1000 since 1000 requests were sent, but it will be too low.
        # wc -l logs/access_log
        # grep 'Wrote variable: name "counter", value "' logs/modsec-debug-SESSION.log | tail -1
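      The check in step 4 can be done with a small script instead of eyeballing `wc` and `grep`. The following is an added example, not part of the original issue: it counts the requests in the access log, extracts every `Wrote variable: name "counter", value "N"` line from the ModSecurity debug log (only that fragment is taken from the grep above; the bracketed prefix of the constructed debug lines is an assumption about the level 9 log layout), and reports how many increments were lost and which counter values were written more than once. Duplicate values are the signature of the problem: two workers read the same stored counter, both add one, and both write the same result. The embedded sample logs are constructed and show five requests ending with a counter of 4, i.e. one lost increment.

```python
import re
from collections import Counter

# Constructed sample of logs/access_log: five requests from the reproducer script.
ACCESS_LOG = """\
127.0.0.1 - - [01/Jan/2016:10:00:00 +0000] "GET / HTTP/1.1" 200 45 "-" "curl/7.29.0"
127.0.0.1 - - [01/Jan/2016:10:00:00 +0000] "GET / HTTP/1.1" 200 45 "-" "curl/7.29.0"
127.0.0.1 - - [01/Jan/2016:10:00:00 +0000] "GET / HTTP/1.1" 200 45 "-" "curl/7.29.0"
127.0.0.1 - - [01/Jan/2016:10:00:00 +0000] "GET / HTTP/1.1" 200 45 "-" "curl/7.29.0"
127.0.0.1 - - [01/Jan/2016:10:00:00 +0000] "GET / HTTP/1.1" 200 45 "-" "curl/7.29.0"
"""

# Constructed sample of logs/modsec-debug-SESSION.log (level 9). Requests b and c
# both read counter=1 and both write "2", so the final value is 4 instead of 5.
DEBUG_LOG = """\
[01/Jan/2016:10:00:00 +0000] [localhost/sid#1][rid#a][/][9] Wrote variable: name "counter", value "1".
[01/Jan/2016:10:00:00 +0000] [localhost/sid#1][rid#b][/][9] Wrote variable: name "counter", value "2".
[01/Jan/2016:10:00:00 +0000] [localhost/sid#1][rid#c][/][9] Wrote variable: name "counter", value "2".
[01/Jan/2016:10:00:00 +0000] [localhost/sid#1][rid#d][/][9] Wrote variable: name "counter", value "3".
[01/Jan/2016:10:00:00 +0000] [localhost/sid#1][rid#e][/][9] Wrote variable: name "counter", value "4".
"""

# Same fragment the issue greps for; the captured group is the stored counter value.
WROTE_RE = re.compile(r'Wrote variable: name "counter", value "(\d+)"')


def count_requests(access_log):
    """One access_log line per request, the same number `wc -l` reports."""
    return sum(1 for line in access_log.splitlines() if line.strip())


def counter_writes(debug_log):
    """All counter values written to the SESSION collection, in log order."""
    return [int(m.group(1))
            for m in (WROTE_RE.search(line) for line in debug_log.splitlines())
            if m]


def analyze(access_log, debug_log):
    """Compare requests served against the counter ModSecurity actually persisted."""
    requests = count_requests(access_log)
    writes = counter_writes(debug_log)
    last = writes[-1] if writes else 0
    # A value written more than once means two requests started from the same
    # stored counter, i.e. one read-modify-write overwrote the other.
    duplicates = {value: n for value, n in Counter(writes).items() if n > 1}
    return {
        "requests": requests,
        "writes": len(writes),
        "last_counter": last,
        "lost": requests - last,
        "duplicate_values": duplicates,
    }


if __name__ == "__main__":
    # Against the real files: analyze(open("logs/access_log").read(),
    #                                 open("logs/modsec-debug-SESSION.log").read())
    result = analyze(ACCESS_LOG, DEBUG_LOG)
    print("requests served :", result["requests"])
    print("counter writes  :", result["writes"])
    print("final counter   :", result["last_counter"])
    print("lost increments :", result["lost"])
    print("values written more than once:", result["duplicate_values"])
```

      Run against the real logs after `script.sh` has finished, `lost` should be 0 for a correct implementation; any positive value, or any entry in `duplicate_values`, confirms the behaviour described in this issue.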

      Initially reported in JWS-489 which is tracking persistent GLOBAL storage.

      When there is a high number of concurrent requests to httpd and ModSecurity is configured to increment a counter for each request, there is a loss in counter increments. When using persistent SESSION storage, the loss in counter increments is significant.

      This issue would render a ModSecurity-based DoS mitigation that relies on per-session request counting useless, since the counter undercounts the requests actually served.

              Assignee: Jean-Frederic Clere (rhn-engineering-jclere)
              Reporter: Robert Bost (rhn-support-rbost)