ModSecurity 2.9.2 on Windows 2012 and IIS 8.5

[Hystreal]

Hi !

I installed ModSecurity on my Windows Server 2012.
I added this line in the modsecurity.conf :
SecRule ARGS "@contains test" "id:'1234',deny,status:403,msg:'Our test rule has triggered'"

When i go on http://localhost/?a=test i get the 403 error as planned.

However, i configured my application by adding this line in my web.config :

ModSecurity enabled="true" configFile="C:\Program Files\ModSecurity IIS\modsecurity_iis.conf"

And when i try to go on http://localhost/myapp?a=test
there is no error whereas i should get the same 403 error.

Someone can tell me what am i doing wrong ?

Thanks you in advance.

[victorhora]

Based on the information you've provided my guess is that ModSecurity is not configured globally (for all sites) within IIS. Make sure it is either configured globally or it's explicitly enabled for your site (myapp).

The resources below might help you:

• https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_Microsoft_IIS
• https://github.com/SpiderLabs/ModSecurity/wiki/IIS-Troubleshooting

[Hystreal]

I followed your link and i think i have correctly installed ModSecurity.... i just did the following step :

• run the ModSecurityIIS_2.9.2-64b.msi provided by the website (https://www.modsecurity.org) with the default options
• add this line in my web.config :
  ModSecurity enabled="true" configFile="C:\Program Files\ModSecurity IIS\modsecurity_iis.conf"

The tests described on my previous post show that Modsecurity is at least configured on my localhost but probably not on my applications, right ?

I don't see what can i do more.... Do you have any idea ?

[victorhora]

Hi @Hystreal

I can't reproduce this issue on 2.9.2.

Also, when trying to add to custom sites in IIS, this is the supported syntax:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <ModSecurity enabled="true" configFile="c:\inetpub\wwwroot\xss.conf" />
    </system.webServer>
</configuration>
```

If the issue persists, let us know and provide as much detail as possible so we can investigate further. Thanks.

[victorhora]

Oh, now I understand why I couldn't reproduce this. This issue was fixed on the current codebase (see #1787).

See also issue #787.