Modsecurity is not preventing the URL as per defined ruleset in modsecurity.conf Over IIS #2070

@pkamlapuri


The issue is regarding the implementation of ModSecurity (version 2.8/2.9) over IIS 7.5 on Windows Server 2008 R2. I have followed the 2 links mentioned below and have tried to implement it on one of our test servers:

https://admin-ahead.com/forum/server-security-hardening-21/installing-and-configuring-mod_security-on-windows-server/

https://jesscoburn.com/archives/2013/05/14/installing-modsecurity-on-iis7-x/

After completing all installation steps and the configuration in the application's web.config file, to check whether ModSecurity is working or not, I took the above link as a reference and created a test rule:

SecRule ARGS, "zzz" phase:1,log,deny,status:503,id:1 in the modsecurity.conf file and set SecRuleEngine On

Then I browsed the application: http://localhost/Sitename/default.aspx?a=zzz. A 503 error is expected, but I am not getting any 503 error.

Setting in config:
<system.webServer> <ModSecurity enabled="true" configFile="C:\Program Files\ModSecurity IIS\modsecurity_iis.conf" /> </system.webServer>

We can see the logs below in Event Viewer, in the given order. This information is logged in Event Viewer on the first hit of the application.

ModSccurity | 28-03-2019 12:57:00 | The description for Event ID 0 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.   If the event originated on another computer, the display information had to be saved with the event.   The following information was included with the event:   ModSecurity for IIS (STABLE)/2.8.0 (http://www.modsecurity.org/) configured.

ModSccurity | 28-03-2019 12:57:00 | The description for Event ID 0 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.   If the event originated on another computer, the display information had to be saved with the event.   The following information was included with the event:   ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"

ModSccurity | 28-03-2019 12:57:00 | The description for Event ID 0 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.   If the event originated on another computer, the display information had to be saved with the event.   The following information was included with the event:   ModSecurity: PCRE compiled version="8.33 "; loaded version="8.33 2013-05-28"

ModSccurity | 28-03-2019 12:57:00 | The description for Event ID 0 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.   If the event originated on another computer, the display information had to be saved with the event.   The following information was included with the event:   ModSecurity: LUA compiled version="Lua 5.1"

ModSccurity | 28-03-2019 12:57:00 | The description for Event ID 0 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.   If the event originated on another computer, the display information had to be saved with the event.   The following information was included with the event:   ModSecurity: LIBXML compiled version="2.9.1"

Please help me to sort out this issue, as I have already invested 3 days but am unable to fix this.

Thank you in advance!!
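Added example, not part of the original report and not ModSecurity project code: a small Python tracer that follows `Include` directives from the file named in `configFile` and reports which `SecRuleEngine` value ends up in effect and where the rule with `id:1` is loaded from. The file contents are constructed samples, and two behaviours are assumptions: relative includes resolve against the including file's folder, and the last `SecRuleEngine` parsed wins.

```python
import fnmatch
import ntpath
import re

# Constructed sample files (not the reporter's real configuration): the entry
# file named in web.config, plus a modsecurity.conf holding the test rule.
SAMPLE = {
    r"C:\Program Files\ModSecurity IIS\modsecurity_iis.conf":
        "SecRuleEngine On\nInclude modsecurity.conf\n",
    r"C:\Program Files\ModSecurity IIS\modsecurity.conf":
        "# recommended base config\nSecRuleEngine DetectionOnly\n"
        'SecRule ARGS "zzz" "phase:1,log,deny,status:503,id:1"\n',
}

def walk(path, files, seen=None):
    """Yield (file, line_no, text) in load order, following Include directives."""
    seen = set() if seen is None else seen
    if path in seen or path not in files:
        return
    seen.add(path)
    for no, raw in enumerate(files[path].splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'(?i)Include\s+"?([^"]+)"?$', line)
        if m:
            # Assumption: a relative include is resolved against the folder
            # of the including file; wildcards are matched with fnmatch.
            target = ntpath.normpath(ntpath.join(ntpath.dirname(path), m.group(1)))
            for name in sorted(fnmatch.filter(files, target)):
                yield from walk(name, files, seen)
        else:
            yield path, no, line

def diagnose(entry, files, rule_id="1"):
    """Report the effective engine mode and where the test rule is loaded from."""
    mode, rule_at = None, None
    for path, no, line in walk(entry, files):
        parts = line.split()
        if parts[0].lower() == "secruleengine" and len(parts) > 1:
            mode = parts[1]  # assumption: the last value parsed wins
        elif parts[0].lower() == "secrule" and re.search(rf"\bid:'?{rule_id}\b", line):
            rule_at = (ntpath.basename(path), no)
    on = (mode or "").lower() == "on"
    return {"engine": mode, "rule": rule_at, "blocks": on and rule_at is not None}

if __name__ == "__main__":
    print(diagnose(r"C:\Program Files\ModSecurity IIS\modsecurity_iis.conf", SAMPLE))
```

On the constructed sample the rule is loaded, but the included file switches the engine to `DetectionOnly`, so a matching request would be logged rather than answered with 503.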

Labels

2.x: Related to ModSecurity version 2.x
Platform - IIS
duplicate: Ops. Somebody else already hit that bump
workaround available: The issue has either a temporary or permanent workaround available
