I thought through that before, but I thought ModSecurity stores it in memory... I've found a few e-mails on mailing lists where users discuss hash tables for session/IP, session/UA, but I didn't find any other information about that.

These are "collections" that I mentioned. They are stored in a file persisted to disk in a key-based SDBM format. Unfortunately this does not scale for even a moderately busy webserver, as many threads attempt to access the collections at the same time, and they clash and fail. More info here: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/2016-May/002145.html

Anyway, is there any information about it in the ModSecurity docs?

The ModSecurity handbook discusses them in depth, though I don't think it mentions their unreliability much, when it should IMHO. It's not expensive and well worth it if you really intend to use ModSecurity.

2) Virtual Patching. If a particular attack is identified it's often a lot easier to write and deploy a ModSecurity rule than to fix it in the code.

Yes, but this answer indicates new question(s) :). E.g. is there good documentation about the ruleset language? I mean, where can I see the BNF of the language? Where can I find any documentation on how I can write my own custom rules? (Sorry, I know that these questions don't relate to CRS, but rather to libmodsecurity.)

The ModSecurity handbook is best for this, supplemented by the reference manual (https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual), which I think came from the handbook originally. Or vice versa.

There's also a mailing list similar to this for ModSecurity issues rather than OWASP CRS issues. See here for details: http://modsecurity.org/help.html

And then there are GitHub repositories for both, for issue and change tracking:
ModSecurity: https://github.com/SpiderLabs/ModSecurity
OWASP CRS: https://github.com/SpiderLabs/owasp-modsecurity-crs

Finally, Christian also published some free tutorials as a series of blog posts, which are well worth a read, though they do concentrate more on getting it up and running, which you seem to have got to on your own already: https://www.netnea.com/cms/apache-tutorials/

One of the best ways to learn the rules is to use them :-) Look at the CRS rules, which are all just text-based, human-readable config files (though they often have very complex regexes that are difficult to follow), and use the Audit and Debug logs to understand them, rather than just turning them on and hoping for the best.

To be honest, the CRS could do with a book in itself, or greater documentation, as some of the reasoning for the rules has been lost in time and isn't the easiest to understand for beginners. Ryan's book almost does that for some of them but could do with even more explanation IMHO.
_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
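
The per-IP persistent collection discussed in the message above, shown as an added example that is not part of the original e-mail or of the CRS: a ModSecurity v2 rule set that opens the `ip` collection and keeps a counter in it. The rule ids, the `/login` path, the threshold of 20 and the data directory are assumptions chosen for illustration.

```apache
# Added example (constructed values): ModSecurity v2 on Apache.

# Directory where persistent collections are written. The "ip"
# collection is stored here as SDBM files (ip.dir / ip.pag), which is
# the on-disk store that concurrent workers contend for.
SecDataDir /var/cache/modsecurity

# Phase 1: open (or create) the record for this client, keyed by the
# source address. Every request that reaches this action touches the file.
SecAction "id:100000,phase:1,nolog,pass,\
    initcol:ip=%{REMOTE_ADDR}"

# Count requests to the (assumed) login endpoint. expirevar removes the
# counter 60 seconds after it was last set, so it acts as a sliding window.
SecRule REQUEST_URI "@beginsWith /login" \
    "id:100001,phase:1,nolog,pass,\
    setvar:ip.login_count=+1,\
    expirevar:ip.login_count=60"

# Deny once the counter read back from the collection exceeds the threshold.
SecRule IP:LOGIN_COUNT "@gt 20" \
    "id:100002,phase:1,deny,status:429,log,\
    msg:'Login rate exceeded for client',\
    logdata:'count=%{ip.login_count}'"
```

Because each request reads and rewrites the same SDBM record, a counter like this can silently lose updates under load, so treat the threshold as approximate and watch the error log for collection write failures.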