Using Modsecurity in default deny mode works fine on IIS. But when
using the anomaly scoring mode I am facing problems.
I loaded the ruleset using the usual glob activated_rules/*.conf. On
Unix systems the files are loaded in alphabetical order and everything
is fine. The sqli and xss rules are loaded before the inbound-blocking
rules are loaded.
On Windows 2k8R2 this is apparently not the case. When using the glob
the rules from the 49-inbound-blocking file are invoked before the sqli
and xss rules are invoked. Thus the anomaly score is evaluated before it
This is reproducible and shown in the debug log.
When loading the files individually without globbing the anomaly
Is this expected behavior?