I've installed the ModSecurity IIS module on a Windows Server 2012 VM. I have a simple test application running on its own app pool.
default.aspx — Just a simple page that spits out the date/time.
web.config
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<ModSecurity enabled="true" configFile="C:\inetpub\wwwroot\modsecurity.conf" />
</system.webServer>
</configuration>
modsecurity.conf
SecRuleEngine On
SecRule ARGS:testparam "test" "id:1234,deny,status:403,msg:'Our test rule has triggered'"
When I browse to the site (e.g. http://localhost?testparam=test), I am presented with my test page instead of a 403. There is nothing logged in the Event Viewer.
Best Answer
It seems likely that you are a victim of this issue: https://github.com/SpiderLabs/ModSecurity/issues/787
Broco's answer is close, but it doesn't call attention to the most important part: overrideModeDefault="Allow". If you check your C:\Windows\System32\inetsrv\Config\applicationHost.config file, you will probably see. This needs to be changed to "Allow" or else adding <ModSecurity ...> to your website's config file will essentially just disable ModSecurity.
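The answer above boils down to a configuration-delegation check: the site-level <ModSecurity> element only takes effect if applicationHost.config lets the section be overridden. The following script is an added example, not code from the thread or from the ModSecurity project. It parses a constructed applicationHost.config fragment alongside the asker's web.config, reports the ModSecurity section's overrideModeDefault, and shows the corrected declaration. It assumes the installer declares the section inside the system.webServer sectionGroup (the page does not show the declaration) and that an absent overrideModeDefault means "Allow", which is the IIS default.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample of the relevant part of applicationHost.config.
# Assumption: the ModSecurity section is declared under the system.webServer
# sectionGroup; the "Deny" value is the locked state the answer warns about.
SAMPLE_APPHOST = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <section name="ModSecurity" overrideModeDefault="Deny" allowDefinition="Everywhere" />
      <section name="defaultDocument" overrideModeDefault="Allow" />
    </sectionGroup>
  </configSections>
</configuration>
"""

# The asker's web.config, verbatim from the question.
SAMPLE_WEBCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<ModSecurity enabled="true" configFile="C:\\inetpub\\wwwroot\\modsecurity.conf" />
</system.webServer>
</configuration>
"""

SECTION_XPATH = ("./configSections/sectionGroup[@name='system.webServer']"
                 "/section[@name='ModSecurity']")


def modsecurity_override_mode(apphost_xml: str) -> Optional[str]:
    """Return the ModSecurity section's overrideModeDefault, or None if the
    section is not declared at all. IIS treats a missing attribute as Allow."""
    root = ET.fromstring(apphost_xml)
    section = root.find(SECTION_XPATH)
    if section is None:
        return None
    return section.get("overrideModeDefault", "Allow")


def site_modsecurity_will_apply(apphost_xml: str, web_config_xml: str) -> bool:
    """True only when delegation is allowed AND the site enables the module.
    With the section locked, the site-level element is effectively ignored."""
    if modsecurity_override_mode(apphost_xml) != "Allow":
        return False
    site = ET.fromstring(web_config_xml)
    el = site.find("./system.webServer/ModSecurity")
    return el is not None and el.get("enabled", "false").lower() == "true"


def unlock_modsecurity_section(apphost_xml: str) -> str:
    """Return the applicationHost.config text with the ModSecurity section
    declaration switched to overrideModeDefault="Allow" (the fix in the answer)."""
    root = ET.fromstring(apphost_xml)
    section = root.find(SECTION_XPATH)
    if section is None:
        raise ValueError("ModSecurity section is not declared in applicationHost.config")
    section.set("overrideModeDefault", "Allow")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Audit the locked sample, then show the same check after the fix.
    print("before:", modsecurity_override_mode(SAMPLE_APPHOST),
          "-> site rule set active:",
          site_modsecurity_will_apply(SAMPLE_APPHOST, SAMPLE_WEBCONFIG))
    fixed = unlock_modsecurity_section(SAMPLE_APPHOST)
    print("after: ", modsecurity_override_mode(fixed),
          "-> site rule set active:",
          site_modsecurity_will_apply(fixed, SAMPLE_WEBCONFIG))
```

Run it against the real file by reading C:\Windows\System32\inetsrv\Config\applicationHost.config into modsecurity_override_mode; a result of "Deny" explains the symptom in the question (test page served, nothing logged) without any rule ever being evaluated. Note that IIS can also unlock a section per path through <location ... overrideMode="Allow"> elements, which this script does not inspect.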