Looking for a way to measure response time


john smith

Feb 28, 2020, 12:50:36 PM
to ModSecurity Core Rule Set project
Hi,

I'm looking for a way with either modsec or apache to measure the amount of time it takes the server to respond as part of a DoS PoC I'm doing.
Can anyone suggest if this is possible?
I didn't find anything relevant in the wiki so far.

Paul Beckett

Feb 28, 2020, 1:02:28 PM
to john smith, ModSecurity Core Rule Set project
John,
Christian Folini's ModSecurity tutorials have some performance measuring code; a simplified variation on this would probably be used to do what you're looking for.



# === ModSec timestamps at the start of each phase (ids: 90000 - 90009)

SecAction "id:90000,phase:1,nolog,pass,setvar:TX.ModSecTimestamp1start=%{DURATION}"
SecAction "id:90001,phase:2,nolog,pass,setvar:TX.ModSecTimestamp2start=%{DURATION}"
SecAction "id:90002,phase:3,nolog,pass,setvar:TX.ModSecTimestamp3start=%{DURATION}"
SecAction "id:90003,phase:4,nolog,pass,setvar:TX.ModSecTimestamp4start=%{DURATION}"
SecAction "id:90004,phase:5,nolog,pass,setvar:TX.ModSecTimestamp5start=%{DURATION}"
...
# === ModSec timestamps at the end of each phase (ids: 90010 - 90019)

SecAction "id:90010,phase:1,pass,nolog,setvar:TX.ModSecTimestamp1end=%{DURATION}"
SecAction "id:90011,phase:2,pass,nolog,setvar:TX.ModSecTimestamp2end=%{DURATION}"
SecAction "id:90012,phase:3,pass,nolog,setvar:TX.ModSecTimestamp3end=%{DURATION}"
SecAction "id:90013,phase:4,pass,nolog,setvar:TX.ModSecTimestamp4end=%{DURATION}"
SecAction "id:90014,phase:5,pass,nolog,setvar:TX.ModSecTimestamp5end=%{DURATION}"


# === ModSec performance calculations and variable export (ids: 90100 - 90199)

SecAction "id:90100,phase:5,pass,nolog,\
  setvar:TX.perf_modsecinbound=%{PERF_PHASE1},\
  setvar:TX.perf_modsecinbound=+%{PERF_PHASE2},\
  setvar:TX.perf_application=%{TX.ModSecTimestamp3start},\
  setvar:TX.perf_application=-%{TX.ModSecTimestamp2end},\
  setvar:TX.perf_modsecoutbound=%{PERF_PHASE3},\
  setvar:TX.perf_modsecoutbound=+%{PERF_PHASE4},\
  setenv:ModSecTimeIn=%{TX.perf_modsecinbound},\
  setenv:ApplicationTime=%{TX.perf_application},\
  setenv:ModSecTimeOut=%{TX.perf_modsecoutbound},\
  setenv:ModSecAnomalyScoreInPLs=%{tx.anomaly_score_pl1}-%{tx.anomaly_score_pl2}-%{tx.anomaly_score_pl3}-%{tx.anomaly_score_pl4},\
  setenv:ModSecAnomalyScoreOutPLs=%{tx.outbound_anomaly_score_pl1}-%{tx.outbound_anomaly_score_pl2}-%{tx.outbound_anomaly_score_pl3}-%{tx.outbound_anomaly_score_pl4},\
  setenv:ModSecAnomalyScoreIn=%{TX.anomaly_score},\
  setenv:ModSecAnomalyScoreOut=%{TX.outbound_anomaly_score}"

Cheers,
Paul



Christian Folini

Feb 28, 2020, 2:38:52 PM
to Paul Beckett, john smith, ModSecurity Core Rule Set project
Hey John,

Like Paul said. Plus one of the earlier tutorials explains how to display
this into the access log for easy reporting.

Cheers,

Christian
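
Added example, not part of the original posts or of the tutorials they mention: a small Python parser that reads access-log lines carrying the `ModSecTimeIn`, `ApplicationTime` and `ModSecTimeOut` environment variables exported by rule 90100 and reports requests with a long application time. The log layout, the 1-second threshold, the microsecond unit and the sample lines are assumptions made for this sketch.

```python
import re
from statistics import median

# Assumed LogFormat (not from the thread): common-log fields, then %D and the
# env variables exported by rule 90100 as key=value pairs, e.g.
#   ... %>s %b %D ModSecTimeIn=%{ModSecTimeIn}e ApplicationTime=%{ApplicationTime}e ModSecTimeOut=%{ModSecTimeOut}e
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'(?P<total>\d+) ModSecTimeIn=(?P<msin>\S+) '
    r'ApplicationTime=(?P<app>\S+) ModSecTimeOut=(?P<msout>\S+)$'
)

def to_us(value):
    """Non-negative int, or None for '-' or negative values (phase never ran)."""
    try:
        n = int(value)
    except ValueError:
        return None
    return n if n >= 0 else None

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ip": m["ip"], "req": m["req"], "status": int(m["status"]),
           "total": int(m["total"])}
    for key in ("msin", "app", "msout"):
        rec[key] = to_us(m[key])
    return rec

def slow_requests(lines, threshold_us=1_000_000):
    """Records whose application time exceeds the threshold (assumed microseconds)."""
    recs = [r for r in map(parse_line, lines) if r]
    return [r for r in recs if r["app"] is not None and r["app"] > threshold_us]

def median_app_time(lines):
    times = [r["app"] for r in map(parse_line, lines) if r and r["app"] is not None]
    return median(times) if times else None

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [28/Feb/2020:12:50:36 +0000] "GET /index.html HTTP/1.1" 200 512 '
    '4200 ModSecTimeIn=900 ApplicationTime=2100 ModSecTimeOut=300',
    '198.51.100.7 - - [28/Feb/2020:12:50:40 +0000] "POST /search HTTP/1.1" 200 1024 '
    '3504000 ModSecTimeIn=1500 ApplicationTime=3500000 ModSecTimeOut=800',
    '203.0.113.5 - - [28/Feb/2020:12:50:41 +0000] "GET /?id=1 HTTP/1.1" 403 199 '
    '2500 ModSecTimeIn=1800 ApplicationTime=-1900 ModSecTimeOut=-',
]
```

The third sample line models a request denied before phase 3, where the subtraction in rule 90100 yields no usable application time; the parser records it as missing rather than as a fast request.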

john smith

Mar 15, 2020, 12:30:12 AM
to ModSecurity Core Rule Set project, paul.bec...@gmail.com, crop...@gmail.com, christia...@netnea.com
Hi Again,

After spending more time on this I've come to the conclusion that I either lack knowledge on this or what I need isn't possible, therefore I will try to explain it in detail hoping you can help me to a solution.

I'm looking to recreate something like the slowloris attack, as mentioned here:

Only I don't actually want to:
1. cause a real DOS to the server
2. rely on connections for this

So in other words I'm looking for something I can add to the request like the CRLF in the attack that will cause slow requests that can be identified by ModSecurity and provide an error to the log while sending regular requests without the CRLF would be just fine.

Obviously I haven't thought about it too much at first but then after reading about the attack again if it's really stuck on open request headers it doesn't get anywhere from there, so I might be looking for something else to slow down requests.

Any ideas?

Christian Folini

Mar 16, 2020, 12:59:47 AM
to john smith, ModSecurity Core Rule Set project, paul.bec...@gmail.com
Hey John,

ModSec will only see the request when the header phase is over. ModSec phase:1
will run when all the ReqHeaders have arrived at the server.

Therefore ModSec is in a bad position to fight slowloris and other variants of
this attack. You need something closer to the actual traffic.

Ahoj,

Christian

john smith

Mar 16, 2020, 11:20:22 AM
to ModSecurity Core Rule Set project, crop...@gmail.com, paul.bec...@gmail.com, christia...@netnea.com
Hi Christian,

Yes, as I looked more into it I started seeing this problem and that is why I ended my previous response asking for any other ideas for my scenario here.

Is there anything that comes to mind that could impact the response time of apache in a way that a modsec rule can pick up as DOS?

john smith

May 23, 2020, 10:00:18 PM
to ModSecurity Core Rule Set project, crop...@gmail.com, paul.bec...@gmail.com, christia...@netnea.com
Hi,

Sorry to pop this back up but I couldn't find a way nor did I get a response on my last question.

Is there a way to measure\simulate a DOS scenario with Modsec?

If no one answers this time, I will take that as a no.