Greg,

 

Did the same tests with the new 2.7.1 but no progress.

 

In the event log I only have:

 

The Module DLL 'C:\Windows\system32\inetsrv\modsecurityiis.dll' could not be loaded due to a configuration problem. The current configuration only supports loading images built for a x86 processor architecture. The data field contains the error number.

 

I have ModSecurity enabled in the web.config (the error is also present without it; when I add <remove name="ModSecurityIIS" /> there is no error).
The web.config is set to: <ModSecurity enabled="true" configFile="c:\websites\wesbitename\modsecurity.conf" />

 

The conf file is at the same level as the web.config.

As the error points to a ‘configuration problem’, I fear my conf is wrong. I worked through the wiki and Google but cannot find any pointers on how this conf should be configured for Windows or where the actual activated_rules should go.

 

modsecurity.conf (comments removed):

**********************************************

# NOTE(review): this listing shows a blank line after every continuation
# backslash, presumably an artifact of the mail formatting; in the file on disk
# each multi-line directive has to be contiguous for the "\" joins to work.
# NOTE(review): nothing in this listing sets SecRuleEngine, SecRequestBodyAccess
# or SecAuditLog, and no Include pulls in detection rules; the directives below
# only set CRS variables and collections. ModSecurity's documented default for
# SecRuleEngine is Off, so confirm the engine and the rule files are configured
# elsewhere -- otherwise no request is inspected or blocked.
# NOTE(review): the event-log text quoted in the mail is about the processor
# architecture the module DLL was built for; no directive below affects that.
# Tags the loaded rule set as OWASP CRS 2.2.6.
SecComponentSignature "OWASP_CRS/2.2.6"

# Default action list inherited by phase-1 rules: deny the request, write no
# error-log entry, write an audit-log entry. Only phase 1 is covered here;
# rules in other phases do not inherit this list.
SecDefaultAction "phase:1,deny,nolog,auditlog"

# 900001: score added per matched rule, by severity (critical 5, error 4,
# warning 3, notice 2). Runs unconditionally in phase 1 and only sets variables.
SecAction \

  "id:'900001', \

  phase:1, \

  t:none, \

  setvar:tx.critical_anomaly_score=5, \

  setvar:tx.error_anomaly_score=4, \

  setvar:tx.warning_anomaly_score=3, \

  setvar:tx.notice_anomaly_score=2, \

  nolog, \

  pass"

# 900002: inbound anomaly score level. The value 5 equals the critical score
# above; the rule that compares the two is not part of this listing.
SecAction \

  "id:'900002', \

  phase:1, \

  t:none, \

  setvar:tx.inbound_anomaly_score_level=5, \

  nolog, \

  pass"

# 900003: outbound anomaly score level (4).
SecAction \

  "id:'900003', \

  phase:1, \

  t:none, \

  setvar:tx.outbound_anomaly_score_level=4, \

  nolog, \

  pass"

# 900004 (disabled): would set tx.anomaly_score_blocking=on. Only the first
# line carries a "#"; the rest stays commented out only if the backslash
# continuations join the following lines to it.
# NOTE(review): confirm the IIS build of ModSecurity parses it that way.
#SecAction \

  "id:'900004', \

  phase:1, \

  t:none, \

  setvar:tx.anomaly_score_blocking=on, \

  nolog, \

  pass"

# Disabled: GeoIP database location. The path is a Unix-style one and would
# have to be replaced with a Windows path before enabling on IIS.
#SecGeoLookupDb /opt/modsecurity/lib/GeoLiteCity.dat

# 900005 (disabled): for requests from 192.168.1.100 it would switch the rule
# engine to DetectionOnly and set tx.regression_testing=1. If enabled, that
# address is no longer blocked by any rule, so keep it limited to a test host.
#SecRule REMOTE_ADDR "@ipMatch 192.168.1.100" \

  "id:'900005', \

  phase:1, \

  t:none, \

  ctl:ruleEngine=DetectionOnly, \

  setvar:tx.regression_testing=1, \

  nolog, \

  pass"

# 900006: the only request limit that is active in this file -- sets
# tx.max_num_args to 255. The rule that enforces the limit is not in this
# listing.
SecAction \

  "id:'900006', \

  phase:1, \

  t:none, \

  setvar:tx.max_num_args=255, \

  nolog, \

  pass"

# 900007-900011 (all disabled): further limits for argument name length (100),
# argument length (400), total argument length (64000), single file size
# (1048576) and combined file sizes (1048576). While they stay commented out,
# these tx variables are never set by this file.
#SecAction \

  "id:'900007', \

  phase:1, \

  t:none, \

  setvar:tx.arg_name_length=100, \

  nolog, \

  pass"

#SecAction \

  "id:'900008', \

  phase:1, \

  t:none, \

  setvar:tx.arg_length=400, \

  nolog, \

  pass"

#SecAction \

  "id:'900009', \

  phase:1, \

  t:none, \

  setvar:tx.total_arg_length=64000, \

  nolog, \

  pass"

#SecAction \

  "id:'900010', \

  phase:1, \

  t:none, \

  setvar:tx.max_file_size=1048576, \

  nolog, \

  pass"

#SecAction \

  "id:'900011', \

  phase:1, \

  t:none, \

  setvar:tx.combined_file_sizes=1048576, \

  nolog, \

  pass"

# 900012: HTTP policy lists stored as tx variables -- allowed methods, allowed
# request content types, allowed HTTP versions, restricted file extensions and
# restricted request headers. These are data only; the rules that compare a
# request against them are not part of this listing.
# NOTE(review): .conf/ and .config/ are on the restricted-extension list, and
# the mail says modsecurity.conf sits next to web.config in the site folder.
# Until the enforcing rules are loaded, this list does not by itself stop that
# file from being requested -- confirm IIS does not serve it.
SecAction \

  "id:'900012', \

  phase:1, \

  t:none, \

  setvar:'tx.allowed_methods=GET HEAD POST OPTIONS', \

  setvar:'tx.allowed_request_content_type=application/x-www-form-urlencoded|multipart/form-data|text/xml|application/xml|application/x-amf|application/json', \

  setvar:'tx.allowed_http_versions=HTTP/0.9 HTTP/1.0 HTTP/1.1', \

  setvar:'tx.restricted_extensions=.asa/ .asax/ .ascx/ .axd/ .backup/ .bak/ .bat/ .cdx/ .cer/ .cfg/ .cmd/ .com/ .config/ .conf/ .cs/ .csproj/ .csr/ .dat/ .db/ .dbf/ .dll/ .dos/ .htr/ .htw/ .ida/ .idc/ .idq/ .inc/ .ini/ .key/ .licx/ .lnk/ .log/ .mdb/ .old/ .pass/ .pdb/ .pol/ .printer/ .pwd/ .resources/ .resx/ .sql/ .sys/ .vb/ .vbs/ .vbproj/ .vsdisco/ .webinfo/ .xsd/ .xsx/', \

  setvar:'tx.restricted_headers=/Proxy-Connection/ /Lock-Token/ /Content-Range/ /Translate/ /via/ /if/', \

  nolog, \

  pass"

# 900013 (disabled): Content-Security-Policy settings -- report-only flag,
# report URI, and a policy string exported as the csp_policy environment
# variable. The *.yoursite.com hosts are placeholders to replace before use.
#SecAction \

  "id:'900013', \

  phase:1, \

  t:none, \

  setvar:tx.csp_report_only=1, \

  setvar:tx.csp_report_uri=/csp_violation_report, \

  setenv:'csp_policy=allow \'self\'; img-src *.yoursite.com; media-src *.yoursite.com; style-src *.yoursite.com; frame-ancestors *.yoursite.com; script-src *.yoursite.com; report-uri %{tx.csp_report_uri}', \

  nolog, \

  pass"

# 900014 (disabled): brute-force protection settings -- protected URLs, burst
# time slice (60), counter threshold (10) and block timeout (300).
# NOTE(review): /login.jsp and /partner_login.php look like sample paths; set
# the site's real login URLs before enabling.
#SecAction \

  "id:'900014', \

  phase:1, \

  t:none, \

  setvar:'tx.brute_force_protected_urls=/login.jsp /partner_login.php', \

  setvar:'tx.brute_force_burst_time_slice=60', \

  setvar:'tx.brute_force_counter_threshold=10', \

  setvar:'tx.brute_force_block_timeout=300', \

  nolog, \

  pass"

# 900015 (disabled): DoS protection settings -- burst time slice (60), counter
# threshold (100) and block timeout (600).
#SecAction \

  "id:'900015', \

  phase:1, \

  t:none, \

  setvar:'tx.dos_burst_time_slice=60', \

  setvar:'tx.dos_counter_threshold=100', \

  setvar:'tx.dos_block_timeout=600', \

  nolog, \

  pass"

# 900016: sets tx.crs_validate_utf8_encoding=1. The rule that reads this flag
# is not part of this listing.
SecAction \

  "id:'900016', \

  phase:1, \

  t:none, \

  setvar:tx.crs_validate_utf8_encoding=1, \

  nolog, \

  pass"

# 900017: chained rule. The Content-Type header is lowercased and matched
# against the unanchored pattern "text/xml" (no operator is named, so the
# default regular-expression match applies). When it matches and the request
# body processor is not already XML, the chained rule switches it to XML.
# The chained rule carries no id of its own; it belongs to 900017.
SecRule REQUEST_HEADERS:Content-Type "text/xml" \

  "id:'900017', \

  phase:1, \

  t:none,t:lowercase, \

  nolog, \

  pass, \

  chain"

                SecRule REQBODY_PROCESSOR "!@streq XML" \

                  "ctl:requestBodyProcessor=XML"

# 900018: hashes the User-Agent header (SHA-1, then hex-encoded) and stores the
# result in tx.ua_hash. In this file the hash is used only as part of the
# collection keys in 900020/900021. A request without a User-Agent header gives
# this rule nothing to match, so tx.ua_hash is not set for it.
SecRule REQUEST_HEADERS:User-Agent "^(.*)$" \

  "id:'900018', \

  phase:1, \

  t:none,t:sha1,t:hexEncode, \

  setvar:tx.ua_hash=%{matched_var}, \

  nolog, \

  pass"

# 900019: captures a leading dotted-quad from X-Forwarded-For into tx.real_ip.
# NOTE(review): X-Forwarded-For is a request header, so its value is whatever
# the sender (or the last proxy) put there. Unless a trusted front-end proxy
# overwrites it, a client can pick its own tx.real_ip and with it the key of the
# per-client collection in 900020; any per-IP counters built on that collection
# can then be sidestepped. Consider enabling this rule only when the server is
# reachable exclusively through such a proxy.
# The pattern accepts any 1-3 digit groups; it does not check that each octet
# is in the 0-255 range.
SecRule REQUEST_HEADERS:x-forwarded-for "^\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b" \

  "id:'900019', \

  phase:1, \

  t:none, \

  capture, \

  setvar:tx.real_ip=%{tx.1}, \

  nolog, \

  pass"

# 900020: when tx.real_ip exists (the "&" prefix counts the variable), opens
# the global collection and an ip collection keyed by
# <tx.real_ip>_<tx.ua_hash>.
# NOTE(review): persistent collections need a data directory; no SecDataDir
# appears in this listing -- confirm it is set elsewhere and is writable by the
# IIS worker identity.
SecRule &TX:REAL_IP "!@eq 0" \

  "id:'900020', \

  phase:1, \

  t:none, \

  initcol:global=global, \

  initcol:ip=%{tx.real_ip}_%{tx.ua_hash}, \

  nolog, \

  pass"

# 900021: counterpart of 900020 for requests where tx.real_ip was not set; the
# ip collection is keyed by <remote_addr>_<tx.ua_hash> instead. Because the
# User-Agent hash is part of both keys, a client that changes its User-Agent
# gets a fresh ip collection.
SecRule &TX:REAL_IP "@eq 0" \

  "id:'900021', \

  phase:1, \

  t:none, \

  initcol:global=global, \

  initcol:ip=%{remote_addr}_%{tx.ua_hash}, \

  nolog, \

  pass"

**************************************************

Regards,

JamBo