How do I include a rule set with ModSecurity on IIS?

Question

I'm using ModSecurity 2.7.1 on IIS 7.5 / Windows 2008 R2. I've reference my base set up conf file in my Web.Staging.config of a site like so:

<ModSecurity enabled="true" configFile="*******\ModSecurity.conf" xdt:Transform="Insert"/>

How do I include another rule set, e.g. the OWASP rule set?

Yes I did that as a temporary solution, but the documentation recommends not to do this (in case of future updates), so I wanted to know how to do this the right way. — autonomatt, Dec 11 '12 at 13:31

score 2 · Accepted Answer · edited Apr 13 '17 at 12:14

I've just been playing with Modsecurity 2.7.1 in IIS and i achieved this by using Include "c:/yourpath/modsecurity_crs_10_setup.conf" in your base conf file and also using an Include to pull in the base_rules inside the modsecurity_crs_10_setup.conf file.

Just a warning though, iv'e found the ModSecurity/IIS to be very flaky, especially using the OWASP rule set. It has killed my AppPool a number of times.

Also, I have had the same issue as you where SecRequestBodyAccess prevents ASP.NET from receiving the POST data. I am not using MVC though so i suspect it's not related specifically to MVC.

How do I include a rule set with ModSecurity on IIS?

1 Answers1