Topic: Memory leak with ModSecurity

[rjrosamond]

Win 2003 x86
Apache 2.2.23
PHP 5.2.17
ModSecurity 2.7.4 (with mlogc disabled)

We've been troubleshooting an ongoing issue of what seems to be a memory leak with ModSecurity. With two identically-configured web servers in a network load balancer, we disabled ModSecurity on one of them for troubleshooting purposes and noticed the amount of memory used by the the httpd.exe process remains constant, while the second server with ModSecurity enabled has the httpd.exe process' memory continuously growing and growing (this is easily seen using SysInternals Process Explorer). Eventually what happens is Apache hangs for a couple minutes then recovers itself, but continues to hang and recover until the Apache service is restarted.

In the meantime until we can find an actual solution, we've implemented a Scheduled Task to do a graceful restart of the httpd.exe process with a reasonable amount of memory which effectively spawns a new process and kills off the old one that was growing. We're running this scheduled task hourly to maintain stability, but this is not a real solution to the underlying problem, clearly.

Has anyone seen this behavior before, and if so do you have any pointers?

[admin]

Not seen.

Where did you downloaded modsecurity and apache ?

[rjrosamond]

We use the builds from Apache Lounge via this page: http://www.apachelounge.com/download/win32/

[admin]

When you disable on the other ?

Can be a lots of things.

First 2.4 has a more optimized memory management. Apache 2.2 is legacy and it is advised to upgrade to 2.4.

For modsecurity, cause can be a rule(s), the log options, pcre, lua, libxml2. Worth to try with a minimum set of rules.

You can also post your experience on the mod_security list, they always want to help, www.modsecurity.org/contact/


ps.
Well known is that php as module consumes memory over time. Therefore advised to run as fastcgi.