You might want to try and specify a full path to the .data file. -- Ryan Barnett Researcher Lead Trustwave - SpiderLabs
On Aug 9, 2012, at 5:39 PM, Bill Roemhild <consu...@hotmail.com<mailto:consu...@hotmail.com>> wrote: I've been playing around with modsecurity 2.7.0-RC2 for IIS along with the OWASP rules. When running any rule set that calls for a data file through @pmFromFile the application pool crashes. I've given read access to 'Everyone' on the data files being read without success. Anyone else run into this problem? Rule: SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_scanners.data" \ "phase:2,rev:'2.2.5',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}" Crash: w3wp.exe 7.5.7601.17514 4ce7afa2 libapr-1.dll 1.4.5.0 500eaf34 c0000005 00000000000099f8 1e08 01cd7675752af369 c:\windows\system32\inetsrv\w3wp.exe C:\Windows\system32\inetsrv\libapr-1.dll b4147ab9-e268-11e1-82b3-4437e66c2115 _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:Owasp-modsecurity-core-rule-set@lists.owasp.org> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
