Wednesday Nov 18, 2009

More on Intrusion Detection

I found that the experimental Intrusion Detection module described in my previous blog doesn't work as expected if an external plugin's AuthTrans SAF is added to the obj.conf request processing and that SAF returns REQ_PROCEED. This may rarely happen in customer deployments. I will try to fix it in the next update release or next major release and will let you know when it is fixed.

My id.conf:

SecRuleEngine on 
SecRequestBodyAccess on
SecRule REQUEST_BODY "junk"

Case 1: I created a dummy plugin with an AuthTrans function myauth1 that just returns REQ_NOACTION; this works fine. (Look at <ws7-install-dir>/samples/nsapi/ for examples of how to create a plugin.)

    /* Minimal NSAPI plugin: an AuthTrans SAF that does nothing and lets the
       server carry on with the remaining AuthTrans directives. */
    #ifdef XP_WIN32
    #define NSAPI_PUBLIC __declspec(dllexport)
    #else /* !XP_WIN32 */
    #define NSAPI_PUBLIC
    #endif /* !XP_WIN32 */

    #include "nsapi.h"

    extern "C"
    NSAPI_PUBLIC int myauth1(pblock *pb, Session *sn, Request *rq)
    {
        /* REQ_NOACTION: this SAF did not handle the request, so the server
           keeps running the rest of the AuthTrans stage. */
        return REQ_NOACTION;
    }

Added to magnus.conf:

Init fn="load-modules" shlib="myauth.so" funcs="myauth1"

Error logs in that case show:

    ...
    ... func_exec reports: executing fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true" Directive="AuthTrans" magnus-internal="1"
    ... func_exec reports: fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true" Directive="AuthTrans" magnus-internal="1" returned -2 (REQ_NOACTION)

    ... func_exec reports: executing fn="myauth1" Directive="AuthTrans"
    ... func_exec reports: fn="myauth1" Directive="AuthTrans" returned -2 (REQ_NOACTION)

    ... func_exec reports: executing fn="magnus-internal/secrule-filters-insert"
    ... func_exec reports: fn="magnus-internal/secrule-filters-insert" returned -2 (REQ_NOACTION)

    ... func_exec reports: executing fn="ntrans-j2ee" name="j2ee" Directive="NameTrans"
    ...
       

Case 2: When I change this AuthTrans SAF to return REQ_PROCEED, it doesn't work as expected:

    /* Same plugin, but the SAF now claims to have handled the request. */
    #ifdef XP_WIN32
    #define NSAPI_PUBLIC __declspec(dllexport)
    #else /* !XP_WIN32 */
    #define NSAPI_PUBLIC
    #endif /* !XP_WIN32 */
    #include "nsapi.h"

    extern "C"
    NSAPI_PUBLIC int myauth2(pblock *pb, Session *sn, Request *rq)
    {
        /* REQ_PROCEED ends the AuthTrans stage: no later AuthTrans SAF runs
           for this request. */
        return REQ_PROCEED;
    }

Added to magnus.conf:

Init fn="load-modules" shlib="myauth.so" funcs="myauth2"

Error logs in that case show:

    ... func_exec reports: executing fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true" Directive="AuthTrans" magnus-internal="1"
    ... func_exec reports: fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true" Directive="AuthTrans" magnus-internal="1" returned -2 (REQ_NOACTION)

    ... func_exec reports: executing fn="myauth2" Directive="AuthTrans"
    ... func_exec reports: fn="myauth2" Directive="AuthTrans" returned 0 (REQ_PROCEED)

    ... func_exec reports: executing fn="ntrans-j2ee" name="j2ee" Directive="NameTrans"
    ...
Note that fn="magnus-internal/secrule-filters-insert" is not executed here. AuthTrans processing stops at the first SAF that returns REQ_PROCEED, so the internal secrule-filters-insert SAF, which the server runs after the configured AuthTrans directives, is never reached and the SecRule filters are not inserted for that request.

You can add the secrule-filters-insert SAF above your ExternalPluginAuthTransSAF function in obj.conf:

<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
AuthTrans fn="magnus-internal/secrule-filters-insert"
AuthTrans fn="ExternalPluginAuthTransSAF"
NameTrans fn="ntrans-j2ee" name="j2ee"
...
</Object>

This works fine when ExternalPluginAuthTransSAF returns REQ_PROCEED, but when it returns REQ_NOACTION the AuthTrans stage runs to its end and the server's own copy of secrule-filters-insert executes as well (as it did in case 1), so the filters are added twice.

To avoid that, build the myauth2 plugin shown above into a dynamic library and put it below ExternalPluginAuthTransSAF. Since myauth2 always returns REQ_PROCEED, the AuthTrans stage ends there and the server's own secrule-filters-insert is not run a second time:

<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
AuthTrans fn="magnus-internal/secrule-filters-insert"
AuthTrans fn="ExternalPluginAuthTransSAF"
AuthTrans fn="myauth2"
NameTrans fn="ntrans-j2ee" name="j2ee"
...
</Object>
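To check a deployment for the ordering problem described in this post, here is an added example (it is not part of the original post and not code shipped with Web Server 7). It reads the func_exec lines of a fine-level error log for one request, reports whether magnus-internal/secrule-filters-insert ran zero, one or two times, and names the AuthTrans SAF that ended the stage. The CASE1_LOG and CASE2_LOG traces are copied from the logs above; DOUBLE_LOG and FIXED_LOG are constructed to match the two obj.conf layouts just discussed; the function names (parse_trace, diagnose, ...) and the 'missing'/'ok'/'duplicate' labels are this example's own. It relies on the rule stated above that the AuthTrans stage ends at the first SAF returning REQ_PROCEED.

```python
"""Check a Web Server 7 error-log trace for whether the intrusion detection SAF
magnus-internal/secrule-filters-insert ran, and which AuthTrans SAF ended the stage."""
import re

SECRULE_INSERT = "magnus-internal/secrule-filters-insert"

# "func_exec reports: executing fn=..." lines; the rest of the line holds the parameters.
EXEC_RE = re.compile(r'func_exec reports: executing fn="([^"]+)"(.*)$')
# "func_exec reports: fn=... returned N (REQ_XXX)" lines.
RET_RE = re.compile(r'func_exec reports: fn="([^"]+)".*returned (-?\d+) \((REQ_[A-Z]+)\)')
DIRECTIVE_RE = re.compile(r'Directive="([^"]+)"')


def parse_trace(lines):
    """Turn one request's func_exec lines into events
    {"fn": ..., "directive": "AuthTrans"/"NameTrans"/... or None, "rc": "REQ_..." or None}.
    The server's internal secrule-filters-insert is logged without a Directive= parameter."""
    events = []
    for line in lines:
        m = EXEC_RE.search(line)
        if m:
            d = DIRECTIVE_RE.search(m.group(2))
            events.append({"fn": m.group(1), "directive": d.group(1) if d else None, "rc": None})
            continue
        m = RET_RE.search(line)
        if m and events and events[-1]["fn"] == m.group(1) and events[-1]["rc"] is None:
            events[-1]["rc"] = m.group(3)
    return events


def authtrans_terminator(events):
    """First AuthTrans SAF that returned REQ_PROCEED (this ends the AuthTrans stage,
    so every later AuthTrans SAF is skipped); None if no SAF did."""
    for e in events:
        if e["directive"] == "AuthTrans" and e["rc"] == "REQ_PROCEED":
            return e["fn"]
    return None


def secrule_insert_status(events):
    """'missing' (no SecRule filters on this request), 'ok' (inserted once), 'duplicate'."""
    n = sum(1 for e in events if e["fn"] == SECRULE_INSERT)
    return "missing" if n == 0 else "ok" if n == 1 else "duplicate"


def diagnose(lines):
    """Return (status, terminator, message) for one request's trace."""
    events = parse_trace(lines)
    status, term = secrule_insert_status(events), authtrans_terminator(events)
    if status == "missing":
        msg = f"id.conf rules NOT applied: AuthTrans ended by {term} before {SECRULE_INSERT} ran"
    elif status == "duplicate":
        msg = f"{SECRULE_INSERT} ran more than once (explicit directive plus the server's own copy)"
    else:
        msg = f"{SECRULE_INSERT} ran once" + (f"; AuthTrans ended by {term}" if term else "")
    return status, term, msg


# Case 1 and case 2 traces as logged above (explicit external SAF returning NOACTION / PROCEED).
CASE1_LOG = """
... func_exec reports: executing fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true" Directive="AuthTrans" magnus-internal="1"
... func_exec reports: fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true" Directive="AuthTrans" magnus-internal="1" returned -2 (REQ_NOACTION)
... func_exec reports: executing fn="myauth1" Directive="AuthTrans"
... func_exec reports: fn="myauth1" Directive="AuthTrans" returned -2 (REQ_NOACTION)
... func_exec reports: executing fn="magnus-internal/secrule-filters-insert"
... func_exec reports: fn="magnus-internal/secrule-filters-insert" returned -2 (REQ_NOACTION)
... func_exec reports: executing fn="ntrans-j2ee" name="j2ee" Directive="NameTrans"
""".strip().splitlines()
CASE2_LOG = """
... func_exec reports: executing fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true" Directive="AuthTrans" magnus-internal="1"
... func_exec reports: fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true" Directive="AuthTrans" magnus-internal="1" returned -2 (REQ_NOACTION)
... func_exec reports: executing fn="myauth2" Directive="AuthTrans"
... func_exec reports: fn="myauth2" Directive="AuthTrans" returned 0 (REQ_PROCEED)
... func_exec reports: executing fn="ntrans-j2ee" name="j2ee" Directive="NameTrans"
""".strip().splitlines()
# Constructed: explicit secrule-filters-insert directive, external SAF returns NOACTION,
# so the server's own copy runs too.
DOUBLE_LOG = """
... func_exec reports: executing fn="magnus-internal/secrule-filters-insert" Directive="AuthTrans"
... func_exec reports: fn="magnus-internal/secrule-filters-insert" Directive="AuthTrans" returned -2 (REQ_NOACTION)
... func_exec reports: executing fn="ExternalPluginAuthTransSAF" Directive="AuthTrans"
... func_exec reports: fn="ExternalPluginAuthTransSAF" Directive="AuthTrans" returned -2 (REQ_NOACTION)
... func_exec reports: executing fn="magnus-internal/secrule-filters-insert"
... func_exec reports: fn="magnus-internal/secrule-filters-insert" returned -2 (REQ_NOACTION)
... func_exec reports: executing fn="ntrans-j2ee" name="j2ee" Directive="NameTrans"
""".strip().splitlines()
# Constructed: same layout with myauth2 (always REQ_PROCEED) added last, as in the fix above.
FIXED_LOG = """
... func_exec reports: executing fn="magnus-internal/secrule-filters-insert" Directive="AuthTrans"
... func_exec reports: fn="magnus-internal/secrule-filters-insert" Directive="AuthTrans" returned -2 (REQ_NOACTION)
... func_exec reports: executing fn="ExternalPluginAuthTransSAF" Directive="AuthTrans"
... func_exec reports: fn="ExternalPluginAuthTransSAF" Directive="AuthTrans" returned -2 (REQ_NOACTION)
... func_exec reports: executing fn="myauth2" Directive="AuthTrans"
... func_exec reports: fn="myauth2" Directive="AuthTrans" returned 0 (REQ_PROCEED)
... func_exec reports: executing fn="ntrans-j2ee" name="j2ee" Directive="NameTrans"
""".strip().splitlines()

if __name__ == "__main__":
    for name, log in [("case 1", CASE1_LOG), ("case 2", CASE2_LOG),
                      ("double", DOUBLE_LOG), ("fixed", FIXED_LOG)]:
        print(name, diagnose(log))
```

Run it against a log captured at log-level fine for a single request; a 'missing' result means the request body was never passed through the SecRule filters, which is the case 2 failure, and 'duplicate' means the explicit directive and the server's own copy both ran.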

Thursday Mar 05, 2009

Using DTrace in Sun Java System Web Server - part 2

In my previous blog I only traced the flow of request processing; in this one I have tried to see how much time it takes when <If>/<Client> tags etc. are evaluated.

Add the following line to obj.conf to disable the accelerator cache (the extra AuthTrans SAF keeps the request out of the accelerator, so the full obj.conf processing is traced):

AuthTrans fn="log" level="fine" message="Accelerator cache disabled"

Add one "If" condition in obj.conf:

<If $uri =~ "/test.html">
Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
</If>

Check webservd's pid (use the highest pid listed):

$ ps -eaf | grep webservd

Run the DTrace script against that pid, and from another window send a request (GET /test.html HTTP/1.0) via telnet.

Here is the output :

$./ws.d highest-pid
thread 24: Added connection 0x29b3228 to connectionQ
thread 29: Removed connection 0x29b3228 from connectionQ. Time spent in Q 81250 nanoseconds
thread 29: Processing for absolute path /test.html client ip xxx.xxx.xxx.xxx
thread 29: processing objects for uri /test.html
thread 29: object-check called
thread 29: object-check finished. Time spent 8584 nanoseconds
thread 29: Calling saf match-browser
thread 29: saf match-browser returned -2. Time spent is 66916 nanoseconds
thread 29: object-check called
thread 29: object-check finished. Time spent 2917 nanoseconds
thread 29: Calling saf ntrans-j2ee
thread 29: saf ntrans-j2ee returned -2. Time spent is 26084 nanoseconds
thread 29: object-check called
thread 29: object-check finished. Time spent 2417 nanoseconds
thread 29: Calling saf pfx2dir
thread 29: saf pfx2dir returned -2. Time spent is 21500 nanoseconds
thread 29: object-check called
thread 29: object-check finished. Time spent 3500 nanoseconds
thread 29: Calling saf uri-clean
thread 29: saf uri-clean returned 0. Time spent is 21750 nanoseconds
thread 29: object-check called
thread 29: object-check finished. Time spent 2500 nanoseconds
thread 29: Calling saf find-pathinfo
thread 29: saf find-pathinfo returned -2. Time spent is 10750 nanoseconds
thread 29: object-check called
thread 29: object-check finished. Time spent 2250 nanoseconds
thread 29: Calling saf find-index-j2ee
thread 29: saf find-index-j2ee returned -2. Time spent is 8917 nanoseconds
thread 29: object-check called
thread 29: object-check finished. Time spent 2250 nanoseconds
thread 29: Calling saf find-index
thread 29: saf find-index returned -2. Time spent is 9000 nanoseconds
thread 29: object-check called
thread 29: object-check finished. Time spent 2750 nanoseconds
thread 29: Calling saf type-j2ee
thread 29: saf type-j2ee returned 0. Time spent is 11584 nanoseconds
thread 29: object-check called
thread 29: object-check finished. Time spent 2334 nanoseconds
thread 29: Calling saf type-by-extension
thread 29: saf type-by-extension returned 0. Time spent is 38750 nanoseconds
thread 29: object-check called
thread 29: object-check finished. Time spent 2833 nanoseconds
thread 29: Calling saf force-type
thread 29: saf force-type returned 0. Time spent is 10833 nanoseconds
thread 29: cond-eval called
thread 29: expr-eval called
thread 29: expr-compiled-re-eval subject /test.html match 1 pattern /test.html, return value 1
thread 29: expr-eval finished. Time spent 65584 nanoseconds
thread 29: cond-eval finished. Time spent 111500 nanoseconds
thread 29: Calling saf send-file
thread 29: saf send-file returned 0. Time spent is 102583 nanoseconds
thread 29: object-check called
thread 29: object-check finished. Time spent 3166 nanoseconds
thread 29: Calling saf flex-log
thread 29: saf flex-log returned 0. Time spent is 47833 nanoseconds

This shows how much time was spent in each SAF, when the connection was put into the connection queue and when it was removed, which regular expression in obj.conf was evaluated, how much time that took, and what the result was.

Attached are the cvs diffs and ws.d script

Summary

These DTrace probes let us dynamically find out:

  1. Which request processing stages were called for a request, and how much time each stage took for that particular request.
  2. When a connection was put into the connection queue and when it was taken out. Requests are accepted by acceptor threads, placed in the connection queue and picked up by worker threads, so if requests sit in the queue for a long time, the worker thread settings in the server.xml configuration file should be increased accordingly.
  3. Which regular expression in obj.conf was evaluated, how much time it took, and what the result was.


About

Meena Vyas
