Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
In a previous Blog entry, I outlined a number of steps that you could take to increase performance of the ModSecurity open source Console. While these tuning steps will certainly help to increase performance, there is still one big issue that will bring the open source Console to its knees - too many open/active alerts in the Alert Management interface (where the URL is - http://ip_of_your_console:8886/viewAlerts). Having too many open alerts will chew up the available memory for the MUI and it will become unresponsive.
If you are in the scenario where you already have too many active alerts and the MUI is totally non-responsive, you may have to try and bypass the MUI and instead use the Java Derby DB client to interact directly with the DB listener and close the active alerts.
Here are the steps:
# ./modsecurity-console stop
You should then check the "ps" output to ensure that the Java process is not hanging. If it is, you may need to either re-execute that command or issue a kill command to that specific process number.
startNetworkServer
setting to "true"
. You will need to use the same username/password when connecting later with the Derby client.
<Service derby com.thinkingstone.juggler.components.DerbyServer>
Property password "XXXXX"
Property startNetworkServer "true"
Property host "0.0.0.0"
Property username "XXXXX"
Property port "1527"
</Service>
# ./modsecurity-console start
# netstat -nlp | grep 1527
java -classpath derbyclient.jar:derbytools.jar -Dij.driver='org.apache.derby.jdbc.ClientDriver' org.apache.derby.tools.ij
connect 'jdbc:derby://HOST:PORT/consoleDb;username=USER;password=PASS';
UPDATE alerts SET alert_status = 'CLOSED' WHERE alert_status = 'OPEN';
# ./modsecurity-console start
If you are becoming frustrated with the performance of the open source Console and/or if you have more then 3 ModSecurity sensors to manage, you may want to consider taking a look at Breach's commercial ModSecurity Management Appliance that was just recently made available. It has many significant performance increases and is an enterprise class solution (it can manage up to 50 ModSecurity Sensors).
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.