According to http://forums.iis.net/t/1192523.aspx ModSecurity isn't supported here, but that post is from before the release. So some insights and support would be nice.
I'm unable to get SecRequestBodyAccess to function (which is IMO one of the main points of ModSecurity: inspecting the request POST body). Enabling this setting will just time out my HTTP requests. I'm testing with Joomla 2.5.9 and a vulnerable-by-design PHP script. PHP is set up in IIS with FastCGI and is running fine. Other global native modules in the request queue, like Helicon Ape, are disabled.
When I enable SecRequestBodyAccess (On), the page continues loading until a FastCGI request time-out appears (90 seconds - "The FastCGI process exceeded configured request timeout" - error code 0x80070102).
appcmd list requests
REQUEST "da00000080000056" (url:POST /joomla25/administrator/index.php?option=com_config, time:38437 msec, client:X.X.X.X, stage:ExecuteRequestHandler, module:FastCgiModule)
I did a manual installation and have everything set up in c:\test\modsecurity
Note: after installation, I removed the ModSecurityIIS module globally and added it to my website through web.config. Switching that and re-enabling the global native module makes no difference.
- my website is configured through web.config: <ModSecurity enabled="true" configFile="c:\test\modsecurity\modsecurity_iis.conf" />
- the content of c:\test\modsecurity\modsecurity_iis.conf is: Include owasp_crs\modsecurity.conf
- c:\test\modsecurity\owasp_crs\modsecurity.conf is the default file as it comes with the package.
As you see, all other owasp_crs\*.conf files are disabled.
The event log doesn't give me much information, except Information messages (all Error messages about files that can't be located or opened are fixed). ModSecurity doesn't log any obvious errors (after setting SecDebugLog c:\test\modsecurity\debug.log, SecDebugLogLevel 9).
What am I missing, what is wrong?