Hi Brian,
In fact, I don't see a problem with having overrideModeDefault as Allow. Can
you open a bug on our issue tracker so we can keep track of it and
involve other IIS users?
- https://github.com/SpiderLabs/ModSecurity/issues
Regarding the enabled="false", by looking at the code it seems that
ModSecurity is checking for it, as you can see here:
While ModSecurity is initialized:
- https://github.com/SpiderLabs/ModSecurity/blob/master/iis/moduleconfig.cpp#L67-L77
When a new incoming request arrives:
- https://github.com/SpiderLabs/ModSecurity/blob/master/iis/mymodule.cpp#L738-L741
When you mentioned that DebugLogs are still filled, did you mean partial
content, or do the logs look exactly the same as they do when ModSecurity is
enabled?
Br.,
Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com <http://www.trustwave.com/>
On 10/10/14 6:05 PM, "Brian Clark" <bc...@re...> wrote:
>I have a few more bits of information here but still have not solved the
>problem of ModSecurity operating while “enabled=false” is in effect.
>
>1) The ModSecurity msi installer adds a line to the applicationHost.config
>file that looks like this:
> <section name="ModSecurity" overrideModeDefault="Deny"
>allowDefinition="Everywhere" /></sectionGroup>
>
>And this:
> <ModSecurity enabled="true" configFile="D:\Program Files\ModSecurity
>IIS\modsecurity_iis.conf" />
>
>The effect of these two lines is that ModSecurity is enabled server-wide
>and no individual web application has the ability to disable it. I
>consider this a bug. At the very least, the default setting for
>overrideModeDefault should be “Allow” to allow individual web applications
>the ability to turn on/off ModSecurity. Also, I question whether having
>ModSecurity enabled by default on all websites is the right default
>configuration choice for the installer.
>
>
>2) Even with changing the two applicationHost.config lines to “Allow” and
>“false”, respectively, and with adding a ModSecurity enabled="false" line
>to the web application's web.config file, ModSecurity continues to log
>traffic to its debug log, with the engine in detect-only mode.
>
>I am not sure why it would do this. I consider this a bug as well.
>
>Anyone have any suggestions? Are others having similar issues?
>
>Brian Clark | VP, IT Operations
>
>
>
>On 10/10/14, 10:40 AM, "Brian Clark" <bc...@re...> wrote:
>
>>Hello,
>>
>>I am trying to get modsecurity 2.8.0 working in IIS on Windows 2012. In
>>experimenting with it, I have found that even with the enabled=false flag
>>set, mod security is still active; I see it logging information to its
>>debug.log at log level 3.
>>
>>Here is my ModSecurity directive in my web.config:
>> <ModSecurity enabled="false" configFile="D:\Program Files\ModSecurity
>>IIS\modsecurity_iis.conf" />
>>I have this item placed as the very last line in the system.webServer
>>block, right before </system.webServer>
>>
>>Obviously, it isn't supposed to work this way. Is anyone else having the
>>same problem? Any suggestions on how to make it work properly?
>>
>>Thanks,
>>
>>Brian Clark | VP, IT Operations
>>
>
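The section lock discussed in point 1 of the quoted message can be checked offline. The following is an added example, not code from this thread or from the ModSecurity project: it resolves which `enabled` value the IIS configuration should yield for one application, given applicationHost.config and an optional web.config. The sample XML is constructed, the function names are hypothetical, and `<location>` overrides are not handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample files, modelled on the lines quoted in the thread.
APPLICATION_HOST = """<configuration>
  <configSections><sectionGroup name="system.webServer">
    <section name="ModSecurity" overrideModeDefault="Deny" allowDefinition="Everywhere" />
  </sectionGroup></configSections>
  <system.webServer><ModSecurity enabled="true" /></system.webServer>
</configuration>"""

WEB_CONFIG = """<configuration>
  <system.webServer><ModSecurity enabled="false" /></system.webServer>
</configuration>"""

SECTION = ("configSections/sectionGroup[@name='system.webServer']"
           "/section[@name='ModSecurity']")


def enabled_flag(root):
    """Return the ModSecurity enabled attribute as a bool, or None if unset."""
    node = root.find("system.webServer/ModSecurity")
    if node is None or node.get("enabled") is None:
        return None
    return node.get("enabled").strip().lower() == "true"


def resolve(app_host_xml, web_config_xml=None):
    """Resolve the ModSecurity setting for one application from its config files."""
    host = ET.fromstring(app_host_xml)
    decl = host.find(SECTION)
    # IIS treats a section declared without overrideModeDefault as "Allow".
    mode = decl.get("overrideModeDefault", "Allow") if decl is not None else "Allow"
    locked = mode.lower() == "deny"
    result = {"locked": locked, "enabled": enabled_flag(host),
              "source": "applicationHost.config", "conflict": False}
    if web_config_xml is None:
        return result
    site = enabled_flag(ET.fromstring(web_config_xml))
    if site is None:
        return result
    if locked:
        # Redefining a locked section in web.config is a lock violation
        # (IIS answers HTTP 500.19); it does not override the server value.
        result["conflict"] = True
    else:
        result.update(enabled=site, source="web.config")
    return result


if __name__ == "__main__":
    print(resolve(APPLICATION_HOST, WEB_CONFIG))
```

The resolved value is the baseline to compare against what the debug log shows for that application.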