Mark,

Latency is an issue and the amount depends on the server. Factor 5 is a bit steep, but still possible.

My mileage is usually a 5-10% hit on the throughput of a reverse proxy. If your server serves only static files and no backend connection, then your numbers could be real.

I would want to look at the individual requests, though. Is 40 ms the mean? Is it some requests or all of them? If some, which ones? The tutorials at https://www.netnea.com come with an extended Apache Access Log format that lets you gauge the performance impact a bit better. Once you have the data, you can dig down and identify the individual requests / rules that cause the delay. Raising the debug-log-level on individual requests lets you identify the individual rule of an individual request with a high performance impact quite easily. And then tune them away.

Also, CRS3 comes with a feature called Sampling Mode that allows you to run the rules only on a percentage of the requests. This allows you to test / tune with real world data without bringing the whole service down. This is specifically aimed at services where the performance impact is unclear and a potential risk.

Performance issues are generally solvable with a compromise between performance and security. And ModSec gives you a ton of performance information so it is generally possible to nail down the problem.

Hope this helps for a start. If you need more info, then just ask.

Good luck!

Christian

On Mon, Dec 18, 2017 at 01:24:48PM +0000, Mark Blackman wrote:
> Hi,
>
> In an initial set of performance tests with mod_security 2.9.2 and the core
> rule set under Apache 2.2.34, we are seeing the latency for individual
> requests rise from 8 milliseconds to 40 milliseconds which seems like too
> much. Is this kind of latency impact to be expected? What options do we
> have for reducing it without throwing away mod_security?
>
> - Mark
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set@lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

-- 
https://www.feistyduck.com/training/modsecurity-training-course
https://www.feistyduck.com/books/modsecurity-handbook/
mailto:christian.fol...@netnea.com
twitter: @ChrFolini

_______________________________________________
Owasp-modsecurity-core-rule-set mailing list
Owasp-modsecurity-core-rule-set@lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
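The reply above suggests answering "is 40 ms the mean, and which requests are slow?" from per-request timing in the access log before touching any rule. The following script is an added example written for this page, not code from the thread, from netnea or from the CRS project. It assumes a deliberately simplified Apache LogFormat, `"%h %l %u %t \"%r\" %>s %b %D %{UNIQUE_ID}e"` (Apache's `%D` is the request service time in microseconds; `%{UNIQUE_ID}e` is the id from mod_unique_id, which ModSecurity also records in its audit log, so a slow line can be matched to its audit entry), rather than the full netnea extended format, and the log lines it parses are constructed sample data. It reports overall mean, median and 95th percentile, the mean per method+path, and the ids of requests over a threshold.

```python
import re
import statistics
from collections import defaultdict
from math import ceil

# Constructed sample log (not real traffic). Assumed LogFormat:
#   "%h %l %u %t \"%r\" %>s %b %D %{UNIQUE_ID}e"
# The %D column is microseconds; UID-000x values are made-up unique ids.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Dec/2017:13:24:48 +0000] "GET /index.html HTTP/1.1" 200 5120 8000 UID-0001
192.0.2.11 - - [18/Dec/2017:13:24:49 +0000] "GET /index.html HTTP/1.1" 200 5120 9000 UID-0002
192.0.2.12 - - [18/Dec/2017:13:24:50 +0000] "POST /api/search HTTP/1.1" 200 2048 40000 UID-0003
192.0.2.13 - - [18/Dec/2017:13:24:51 +0000] "POST /api/search HTTP/1.1" 200 2310 44000 UID-0004
192.0.2.14 - - [18/Dec/2017:13:24:52 +0000] "GET /login HTTP/1.1" 200 1400 12000 UID-0005
192.0.2.14 - - [18/Dec/2017:13:24:53 +0000] "POST /login HTTP/1.1" 302 - 38000 UID-0006
192.0.2.15 - - [18/Dec/2017:13:24:54 +0000] "GET /static/app.js HTTP/1.1" 200 9870 7000 UID-0007
192.0.2.16 - - [18/Dec/2017:13:24:55 +0000] "POST /api/search HTTP/1.1" 200 1990 42000 UID-0008
"""

# One regex for the assumed format; the request line is split into method and path.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<usec>\d+) (?P<uid>\S+)$'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ms"] = int(rec["usec"]) / 1000.0  # microseconds -> milliseconds
    return rec


def nearest_rank_percentile(values, pct):
    """Nearest-rank percentile (no interpolation), pct in (0, 100]."""
    ordered = sorted(values)
    rank = ceil(pct / 100.0 * len(ordered))  # 1-based rank
    return ordered[max(rank, 1) - 1]


def summarize(log_text, slow_ms=30.0):
    """Aggregate latency so 'mean vs. some requests' can be answered from data."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    if not records:
        return {"count": 0}
    times = [r["ms"] for r in records]

    by_route = defaultdict(list)
    for r in records:
        by_route[f'{r["method"]} {r["path"]}'].append(r["ms"])

    return {
        "count": len(records),
        "mean_ms": round(statistics.mean(times), 3),
        "median_ms": round(statistics.median(times), 3),
        "p95_ms": nearest_rank_percentile(times, 95),
        # per-route means, slowest first, to see which requests carry the delay
        "by_route": {
            route: {"count": len(v), "mean_ms": round(statistics.mean(v), 3)}
            for route, v in sorted(by_route.items(),
                                   key=lambda kv: statistics.mean(kv[1]),
                                   reverse=True)
        },
        # unique ids of requests over the threshold: the ones to look up in the
        # audit log / debug log when raising the log level per request
        "slow": [r["uid"] for r in records if r["ms"] > slow_ms],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f'{s["count"]} requests: mean {s["mean_ms"]} ms, '
          f'median {s["median_ms"]} ms, p95 {s["p95_ms"]} ms')
    for route, st in s["by_route"].items():
        print(f'  {route:<22} n={st["count"]} mean={st["mean_ms"]} ms')
    print("over threshold:", ", ".join(s["slow"]))
```

On the constructed sample the overall mean is 25 ms, but the per-route breakdown shows static files at 7-9 ms and the POST routes at 38-44 ms, which is the kind of split that tells you whether to look at specific rules (body inspection on POST requests) rather than at the engine as a whole. Replace `SAMPLE_LOG` with a file read and adjust `LINE_RE` to whatever LogFormat you actually use.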