Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
Get access to immediate incident response assistance.
Get access to immediate incident response assistance.
Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More
You will find the greatest benefit of using the set based matching opertors when you have a requirement to look for an extremely large word list in the variable data. A perfect example of this is if you want to search request content for the presence of SPAM keywords or references to known SPAM hosting locations. The GotRoot rule set includes a rule file called blacklist.conf that includes rules that look similar following and has a approximately 7600 individual rules:
SecRule HTTP_Referer|ARGS "best-deals-blackjack\.info" SecRule HTTP_Referer|ARGS "best-deals-casino\.info" SecRule HTTP_Referer|ARGS "best-deals-cheap-airline-tickets\.info" SecRule HTTP_Referer|ARGS "best-deals-diet\.info" SecRule HTTP_Referer|ARGS "best-deals-flowers\.info" SecRule HTTP_Referer|ARGS "best-deals-hotels\.info" SecRule HTTP_Referer|ARGS "best-deals-online-gambling\.info" SecRule HTTP_Referer|ARGS "best-deals-online-poker\.info" SecRule HTTP_Referer|ARGS "best-deals-poker\.info" SecRule HTTP_Referer|ARGS "best-deals-roulette\.info" SecRule HTTP_Referer|ARGS "best-deals-weight-loss\.info" SecRule HTTP_Referer|ARGS "bestdims\.com" SecRule HTTP_Referer|ARGS "bestdvdclubs\.com" SecRule HTTP_Referer|ARGS "best-e-site\.com" SecRule HTTP_Referer|ARGS "best-gambling\.biz" SecRule HTTP_Referer|ARGS "bestgamblinghouseonline\.com"
Let's see the average time that it takes ModSecurity to run through all of these individual rules in phase:2.
# head -3 /usr/local/apache/logs/modsec_debug.log [20/Jan/2008:02:45:49 --0500] [www.example.com/sid#903df48][rid#9f9dab8][/cgi-bin/foo.cgi][1] Phase 1: 18 usec [20/Jan/2008:02:45:49 --0500] [www.example.com/sid#903df48][rid#9f9dab8][/cgi-bin/foo.cgi][1] Rule 918e140 [id "-"][file "/usr/local/apache/conf/rules/modsecurity_crs_10_config.conf"][line "86"]: 10 usec [20/Jan/2008:02:59:47 --0500] [www.example.com/sid#903df48][rid#9f9dab8][/cgi-bin/foo.cgi][1] Phase 2: 83751 usec
So, it took 83751 usec to process the ~7600 individual rules. Now, lets run a similar test however this time, we will use the @pmFromFile operator and the input file will have approximately the same number of text lines. Instead of having thousands of individual SecRule lines, I will use this one line:
SecRule REQUEST_HEADERS:Referer|ARGS "@pmFromFile spam_domains.txt"
The spam_domains.txt file contains approximately 6900 lines such as these:
01-beltonen.com 01-klingeltoene.at 01-klingeltoene.de 01-loghi.com 01-logo.com 01-logot.com 01-logotyper.com 01-melodia.com 01-melodias.com 01-ringetone.com
When I run the same test with this new rule that uses the @pmFromFile operator, you can see the dramatic difference in processing time:
# head -4 /usr/local/apache/logs/modsec_debug.log [20/Jan/2008:03:20:45 --0500] [webapphoneypot/sid#8971f48][rid#923bf58][/cgi-bin/foo.cgi][1] Phase 1: 20 usec [20/Jan/2008:03:20:45 --0500] [webapphoneypot/sid#8971f48][rid#923bf58][/cgi-bin/foo.cgi][1] Rule 9202980 [id "-"][file "/usr/local/apache/conf/rules/modsecurity_crs_10_config.conf"][line "86"]: 11 usec [20/Jan/2008:03:20:45 --0500] [webapphoneypot/sid#8971f48][rid#923bf58][/cgi-bin/foo.cgi][1] Phase 2: 10 usec [20/Jan/2008:03:20:45 --0500] [webapphoneypot/sid#8971f48][rid#923bf58][/cgi-bin/foo.cgi][1] Rule 9203890 [id "-"][file "/usr/local/apache/conf/rules/modsecurity_crs_15_customrules.conf"][line "1"]: 6 usec
As you can see, it only took 6 usec to complete the @pmFromFile set based matching operator check! That is a gigantic improvement for overall performance.
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
Copyright © 2024 Trustwave Holdings, Inc. All rights reserved.