
I am having a little bit of trouble with a recurring "Failed deleting collection" error message from ModSecurity (see this discussion @ GitHub for some context). In the discussion of this error it is often suggested that the SecCollectionTimeout directive might have some impact. Reading the documentation, I only learn this about the directive:

Specifies the collections timeout. Default is 3600 seconds.

However, I do not fully understand what a "collections timeout" is. Can someone please explain to me what this setting does?

Many thanks in advance.

MRA

1 Answer

If a collection record is not updated within that time, then it is marked for deletion and garbage collected at some point.

Depending on how a rule is written, it is possible for ModSecurity to continually update a collection record before that timeout passes, so it is never flagged for expiry.

You can add a new rule to expire really old records. Ivan Ristic discusses this in his ModSecurity Handbook in Chapter 8 and gives a couple of example rules to detect really old records, including this one from Brian Rectanus (note that `id` has since become mandatory, so it would need to be added if you wanted to use this rule in real life):

# Detect very old IP records
SecAction "phase:5,log,pass,chain,\
msg:'IP record older than 24 hours',\
setvar:tx.exp=%{TIME_EPOCH},\
setvar:tx.exp=-%{IP.CREATE_TIME}"
    SecRule TX:exp "@gt 86400"

This example could be updated to delete the old record automatically, without logging, by changing it to the following:

# Delete very old IP records
SecAction "id:12345,phase:5,nolog,pass,chain,\
setvar:tx.exp=%{TIME_EPOCH},\
setvar:tx.exp=-%{IP.CREATE_TIME}"
    SecRule TX:exp "@gt 86400" "setvar:!IP.KEY"

Then again, your link might genuinely be a bug in ModSecurity where expired items are not being cleared down, in which case the above might not help...

Barry Pollard
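The expiry behaviour described in the answer above, as an added illustration that is not part of the original post and not ModSecurity's own code: a small Python model of a persistent collection record with the built-in fields the rules read (CREATE_TIME, LAST_UPDATE_TIME, TIMEOUT). It replays one client against three rule sets and shows why a per-request `setvar` on the `ip` collection keeps the record alive past SecCollectionTimeout, and how the CREATE_TIME-based phase:5 rule bounds the record's lifetime. The in-memory store, the client address 203.0.113.7, the ten-minute request cadence and the assumption that garbage collection runs before every request are all constructed for the simulation.

```python
from dataclasses import dataclass, field

SEC_COLLECTION_TIMEOUT = 3600  # seconds; ModSecurity's documented default
DAY = 86400                    # the threshold used by the answer's phase:5 rule
CLIENT_IP = "203.0.113.7"      # constructed client address for the simulation


@dataclass
class Record:
    """One persisted collection record with the built-in fields the rules read."""
    key: str
    create_time: int        # IP.CREATE_TIME
    last_update_time: int   # IP.LAST_UPDATE_TIME
    timeout: int            # IP.TIMEOUT, seeded from SecCollectionTimeout
    vars: dict = field(default_factory=dict)

    def is_stale(self, now: int) -> bool:
        # Expiry is measured from the last update, not from creation.
        return now - self.last_update_time > self.timeout


class CollectionStore:
    """Hypothetical in-memory stand-in for ModSecurity's on-disk collection database."""

    def __init__(self, timeout: int = SEC_COLLECTION_TIMEOUT):
        self.timeout = timeout
        self.records: dict[str, Record] = {}
        self.gc_deleted = 0

    def initcol(self, key: str, now: int) -> Record:
        # initcol:ip=%{REMOTE_ADDR}: reuse a live record or start a fresh one.
        rec = self.records.get(key)
        if rec is None or rec.is_stale(now):
            rec = Record(key, now, now, self.timeout)
            self.records[key] = rec
        return rec

    def setvar(self, rec: Record, name: str, value: int, now: int) -> None:
        # Persisting a changed record refreshes LAST_UPDATE_TIME, which is
        # exactly how a per-request setvar keeps the record from ever expiring.
        rec.vars[name] = value
        rec.last_update_time = now

    def delete(self, rec: Record) -> None:
        # Models the answer's "setvar:!IP.KEY": the record is removed outright.
        self.records.pop(rec.key, None)

    def gc(self, now: int) -> int:
        # Garbage collection: drop records whose TIMEOUT has elapsed since their last update.
        stale = [k for k, r in self.records.items() if r.is_stale(now)]
        for k in stale:
            del self.records[k]
        self.gc_deleted += len(stale)
        return len(stale)


def run_scenario(interval: int, duration: int, count_requests: bool,
                 delete_old: bool, timeout: int = SEC_COLLECTION_TIMEOUT):
    """Replay one client hitting the server every `interval` seconds for `duration` seconds.

    count_requests: the rule set does setvar:ip.requests=+1 on every request.
    delete_old:     the answer's phase:5 rule is active, i.e.
                    tx.exp = TIME_EPOCH - IP.CREATE_TIME; if tx.exp > 86400, delete the record.
    Returns (records_left, gc_deletions, age_rule_deletions, final_request_counter).
    Assumption: garbage collection runs before every request.
    """
    store = CollectionStore(timeout)
    age_deleted = 0
    for now in range(0, duration + 1, interval):
        store.gc(now)
        ip = store.initcol(CLIENT_IP, now)
        if count_requests:
            store.setvar(ip, "requests", ip.vars.get("requests", 0) + 1, now)
        if delete_old and now - ip.create_time > DAY:
            store.delete(ip)
            age_deleted += 1
    final = store.records.get(CLIENT_IP)
    return (len(store.records), store.gc_deleted, age_deleted,
            final.vars.get("requests", 0) if final else 0)


if __name__ == "__main__":
    two_days = 2 * DAY
    print("counter rule, no age rule :", run_scenario(600, two_days, True, False))
    print("no per-request setvar     :", run_scenario(600, two_days, False, False))
    print("counter rule + age rule   :", run_scenario(600, two_days, True, True))
```

With a request every ten minutes for two days, the first scenario never lets the record go stale (the timeout is measured from LAST_UPDATE_TIME, which every `setvar` refreshes), so garbage collection deletes nothing and the record keeps growing. The second scenario, with no per-request write, sees the record expire and get recreated every 4200 seconds (the first request that lands after the 3600-second timeout). The third scenario adds the answer's CREATE_TIME rule, which deletes the record once on the first request after it turns 24 hours old regardless of how often it is updated, after which a fresh record starts counting from zero.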