mod-security-users

[mod-security-users] modsecurity iis statuscode always 500

[곽민 <mi...@gm...>]

I was install modsecurity 2.9.2  in windows server 2016 / iis 10

Core rule set version is 2.2.9

When i tested in php page, modsecurity successfully block matched rule
traffic,

but log is always 500(internal server error)(Regardless of pass or block)

I think modsecurity can't get status code because status code in audit log
always '0'
example log : WIN-EU34NTQNDKV 192.168.1.6 - - [11/Sep/2018:12:20:44 +0900]
"GET /dvwa/vulnerabilities/sqli/ HTTP/1.1" 0 0 "-" "-" 17798225733810651262
"-" /20180911/20180911-1220/20180911-122044-17798225733810651262 0 1019
md5:749962ae19cfa1b79a228f97305c2b3c

so i add SecstreamInBodyInspection On and SecRequestBodyAccess On

and also disable dynamic content and static content compression

But status code 500,

How to fix that?

thanks~

Re: [mod-security-users] modsecurity iis statuscode always 500

[Victor H. <vic...@gm...>]

Sorry, this is a known issue with ModSecurity for IIS:
https://github.com/SpiderLabs/ModSecurity/issues/601

I suggest that you follow up your experience on the issue and we'll see if
anyone from the community can help with this one.

Cheers

On Tue, Sep 11, 2018 at 1:56 AM 곽민 <mi...@gm...> wrote:

> I was install modsecurity 2.9.2  in windows server 2016 / iis 10
>
> Core rule set version is 2.2.9
>
> When i tested in php page, modsecurity successfully block matched rule
> traffic,
>
> but log is always 500(internal server error)(Regardless of pass or block)
>
> I think modsecurity can't get status code because status code in audit log
> always '0'
> example log : WIN-EU34NTQNDKV 192.168.1.6 - - [11/Sep/2018:12:20:44 +0900]
> "GET /dvwa/vulnerabilities/sqli/ HTTP/1.1" 0 0 "-" "-" 17798225733810651262
> "-" /20180911/20180911-1220/20180911-122044-17798225733810651262 0 1019
> md5:749962ae19cfa1b79a228f97305c2b3c
>
> so i add SecstreamInBodyInspection On and SecRequestBodyAccess On
>
> and also disable dynamic content and static content compression
>
> But status code 500,
>
> How to fix that?
>
> thanks~
> _______________________________________________
> mod-security-users mailing list
> mod...@li...
> https://lists.sourceforge.net/lists/listinfo/mod-security-users
> Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
> http://www.modsecurity.org/projects/commercial/rules/
> http://www.modsecurity.org/projects/commercial/support/
>


-- 
-
Victor Ribeiro Hora