zecure / shadowd

The Shadow Daemon web application firewall server
GNU General Public License v2.0

Wondering about performance #71

Closed truong-hua closed 3 years ago

truong-hua commented 3 years ago

I'm wondering about shadowd performance, because it stores every single request to the database, and MySQL or PostgreSQL is not scalable for writes either, which means shadowd cannot work with high-traffic web apps and requires a lot of resources?

zit-hb commented 3 years ago

Luckily, not every request is saved under normal circumstances. If the mode of a profile is set to "passive" or "active", only requests that are considered a threat are stored. Even there, there is a limitation: you can set the maximum number of requests that should be stored in a given time with the help of the flooding protection. The purpose is to prevent a single client from flooding the database with data.

If the mode is set to "learning", every request is logged, so this should not be done for web applications that receive a lot of traffic. The name is currently not the most fitting: the system is not learning anything while this mode is active, it just collects data that can be used to generate rules. In the future this should ideally be improved to not store the requests but do the learning part directly on every request. I currently have no plans to implement this, though.
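A small model of the storage behaviour described in the reply above, added here as an illustration and not taken from shadowd's code. It counts database writes per profile mode for the same traffic. The class, the `max_stored` and `window` parameters, the sliding-window method and the traffic are assumptions.

```python
from collections import defaultdict, deque

class StorageGate:
    """Hypothetical model: decides whether a request is written to the database."""

    def __init__(self, mode, max_stored=10, window=60.0):
        if mode not in ("passive", "active", "learning"):
            raise ValueError("unknown mode: " + mode)
        self.mode = mode
        self.max_stored = max_stored        # stored requests allowed per client...
        self.window = window                # ...within this many seconds (assumed)
        self._recent = defaultdict(deque)   # client -> timestamps of stored requests

    def should_store(self, client, is_threat, now):
        if self.mode == "learning":
            return True                     # every request is logged
        if not is_threat:
            return False                    # passive/active: only threats are stored
        recent = self._recent[client]
        while recent and now - recent[0] >= self.window:
            recent.popleft()                # forget writes older than the window
        if len(recent) >= self.max_stored:
            return False                    # flooding protection: client hit its cap
        recent.append(now)
        return True

def count_writes(mode, traffic, **limits):
    """Number of database writes a profile in `mode` performs for `traffic`."""
    gate = StorageGate(mode, **limits)
    return sum(gate.should_store(client, threat, ts) for ts, client, threat in traffic)

def sample_traffic():
    """Constructed traffic: 120 s, nine benign clients, one noisy flagged client."""
    traffic = []
    for second in range(120):
        for n in range(9):
            traffic.append((float(second), "client-%d" % n, False))
        for _ in range(5):                  # 5 flagged requests per second
            traffic.append((float(second), "client-noisy", True))
    return traffic

if __name__ == "__main__":
    traffic = sample_traffic()
    for mode in ("learning", "passive", "active"):
        print(mode, count_writes(mode, traffic))
    print("passive, no flood cap", count_writes("passive", traffic, max_stored=10**9))
```
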