Windows – ModSecurity not working on IIS

Tags: iis, mod-security, windows, windows-server-2012-r2

I've installed the ModSecurity IIS module on a Windows Server 2012 VM. I have a simple test application running on its own app pool.

default.aspx — Just a simple page that spits out the date/time.

web.config

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <ModSecurity enabled="true" configFile="C:\inetpub\wwwroot\modsecurity.conf" />
    </system.webServer>
</configuration>

modsecurity.conf

SecRuleEngine On
SecRule ARGS:testparam "test" "id:1234,deny,status:403,msg:'Our test rule has triggered'"

When I browse to the site (e.g. http://localhost?testparam=test), I am presented with my test page instead of a 403. There is nothing logged in the Event Viewer.

Best Answer

It seems likely that you are a victim of this issue: https://github.com/SpiderLabs/ModSecurity/issues/787

Broco's answer is close, but it doesn't call attention to the most important part: overrideModeDefault="Allow". If you check your C:\Windows\System32\inetsrv\Config\applicationHost.config file, you will probably see

<section name="ModSecurity" overrideModeDefault="Deny" allowDefinition="Everywhere" /></sectionGroup>

This needs to be changed to "Allow" or else adding <ModSecurity ...> to your website's config file will essentially just disable ModSecurity.
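To make the check described above repeatable, here is an added PowerShell script (not part of the original answer, and not ModSecurity's or IIS's own tooling) that reads applicationHost.config as XML, reports the overrideModeDefault of the ModSecurity section, confirms the native module is registered in globalModules, and, with -Fix, backs the file up and flips the attribute to Allow. It assumes the default IIS config path quoted in the answer and that the module's globalModules entry has "ModSecurity" in its name (an assumption; the XPath uses contains() so a slightly different name still matches). It must run from an elevated prompt to write the file.

```powershell
# Added example: detect (and optionally fix) a locked ModSecurity section in
# applicationHost.config. Not code from the original post.
param(
    [switch]$Fix   # rewrite overrideModeDefault="Deny" to "Allow"
)

# Default IIS configuration store; adjust if your install uses a different path.
$appHost = Join-Path $env:windir 'System32\inetsrv\Config\applicationHost.config'
if (-not (Test-Path $appHost)) {
    Write-Error "applicationHost.config not found at $appHost"
    return
}

# Parse as XML rather than grepping so the attribute value is read reliably.
[xml]$cfg = Get-Content -Path $appHost -Raw

# The section declaration shown in the answer lives under <configSections>.
$section = $cfg.SelectSingleNode("//configSections//section[@name='ModSecurity']")
if (-not $section) {
    Write-Warning "No <section name='ModSecurity'> is registered; the module does not appear to be installed."
    return
}

# IIS treats a missing overrideModeDefault as Allow.
$mode = $section.GetAttribute('overrideModeDefault')
if ([string]::IsNullOrEmpty($mode)) { $mode = 'Allow' }
Write-Host "ModSecurity section overrideModeDefault = $mode"

# Assumption: the native module's globalModules entry contains 'ModSecurity' in its name.
$module = $cfg.SelectSingleNode("//globalModules/add[contains(@name,'ModSecurity')]")
if ($module) {
    Write-Host "Native module registered: $($module.GetAttribute('name')) -> $($module.GetAttribute('image'))"
} else {
    Write-Warning "No ModSecurity entry in <globalModules>; the section is irrelevant until the module is loaded."
}

if ($mode -eq 'Deny') {
    Write-Warning "Section is locked: <ModSecurity> in a site's web.config will be ignored, so rules never run."
    if ($Fix) {
        # Keep a timestamped copy before touching the machine-wide config store.
        $backup = "$appHost.bak-$(Get-Date -Format 'yyyyMMddHHmmss')"
        Copy-Item -Path $appHost -Destination $backup
        $section.SetAttribute('overrideModeDefault', 'Allow')
        $cfg.Save($appHost)
        Write-Host "Set overrideModeDefault=Allow (backup: $backup). Recycle the app pool so the change is picked up."
    } else {
        Write-Host "Re-run with -Fix to change it to Allow."
    }
}
```

Run it once without -Fix to see the current state; the output "overrideModeDefault = Deny" together with a missing 403 on the test URL is exactly the symptom in the question. The same unlock can be done with the built-in tool, appcmd unlock config -section:system.webServer/ModSecurity, which is the route to prefer on a server where hand-editing applicationHost.config is not allowed.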