This is a bug for sure; the question is where we should introduce the fix.
My bet would be that wildcard usage across different platforms cannot
assume file loading order, so if we have a bunch of scripts relying on the
order of loading, we should fix the scripts.
On Thu, Aug 29, 2013 at 7:37 AM, <
> Message: 1
> Date: Thu, 29 Aug 2013 06:46:02 +0200
> From: "Ralf Spenneberg (FK)" <funktionskonto@...>
> Subject: [mod-security-users] ModsecurityIIS and Scoring Mode
> To: <mod-security-users@...>
> Message-ID: <3f61415989cea46125e3afa0b556366c@...>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Using Modsecurity in default deny mode works fine on IIS. But when
> using the anomaly scoring mode I am facing problems.
>
> I loaded the ruleset using the usual glob activated_rules/*.conf. On
> Unix systems the files are loaded in alphabetical order and everything
> is fine. The sqli and xss rules are loaded before the inbound-blocking
> rules are loaded.
>
> On Windows 2k8R2 this is apparently not the case. When using the glob
> the rules from the 49-inbound-blocking file are invoked before the sqli
> and xss rules are invoked. Thus the anomaly score is evaluated before it
> is incremented.
>
> This is reproducible and shown in the debug log.
>
> When loading the files individually without globbing the anomaly
> scoring works.
>
> Is this expected behavior?
>
> Kind regards,
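
The load-order dependency discussed in this thread, as an added example that is not part of the original messages or of ModSecurity's own code: it replays one request through rule files in a given load order, flags detection files that load after the blocking file, and emits one sorted `Include` line per file so no glob decides the order. The file names, the scoring values and all function names are assumptions made for illustration.

```python
import re

# Constructed listing: names in the arbitrary order a non-sorting directory
# enumeration could return them (file names are illustrative).
LISTING = [
    "modsecurity_crs_49_inbound_blocking.conf",
    "modsecurity_crs_41_xss_attacks.conf",
    "modsecurity_crs_10_setup.conf",
    "modsecurity_crs_41_sql_injection_attacks.conf",
]

def is_blocking(name):
    return "inbound_blocking" in name

def is_detection(name):
    return bool(re.search(r"sql_injection|xss", name))

def blocks_attack(load_order, threshold=5, rule_score=5):
    """Replay one malicious request through the files in load order.

    Assumption: every detection file matches and adds rule_score; the
    blocking file compares the score accumulated so far to the threshold.
    """
    score, blocked = 0, False
    for name in load_order:
        if is_detection(name):
            score += rule_score
        elif is_blocking(name) and score >= threshold:
            blocked = True
    return blocked

def late_detection_files(load_order):
    """Detection files that load after the blocking file (score read too early)."""
    seen_blocking, late = False, []
    for name in load_order:
        if is_blocking(name):
            seen_blocking = True
        elif seen_blocking and is_detection(name):
            late.append(name)
    return late

def explicit_includes(names, directory="activated_rules"):
    """One Include line per file, sorted, so no platform glob decides the order."""
    return [f"Include {directory}/{n}" for n in sorted(names)]

if __name__ == "__main__":
    print("unsorted order blocks:", blocks_attack(LISTING))
    print("sorted order blocks:  ", blocks_attack(sorted(LISTING)))
    print("\n".join(explicit_includes(LISTING)))
```

Running `late_detection_files` over the order recorded in the debug log gives a quick check for the condition described above before switching a deployment to explicit includes.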