I'm using ModSecurity 2.7.1 on IIS 7.5 / Windows 2008 R2.
I've reference my base set up conf file in my Web.Staging.config of a site like so:
<ModSecurity enabled="true" configFile="*******\ModSecurity.conf" xdt:Transform="Insert"/>
How do I include another rule set, e.g. the OWASP rule set?
Best Answer
I've just been playing with Modsecurity 2.7.1 in IIS and i achieved this by using Include "c:/yourpath/modsecurity_crs_10_setup.conf" in your base conf file and also using an Include to pull in the base_rules inside the modsecurity_crs_10_setup.conf file.
Just a warning though, iv'e found the ModSecurity/IIS to be very flaky, especially using the OWASP rule set. It has killed my AppPool a number of times.
Also, I have had the same issue as you where SecRequestBodyAccess prevents ASP.NET from receiving the POST data. I am not using MVC though so i suspect it's not related specifically to MVC.