There is not an entry listed in the event log for a missing file. I gave "IIS AppPool\DefaultAppPool" full control over the data files as I'm using IIS 7.5. Same result. I also tried adding "Network Service", even through I'm pretty sure that is wrong. Still no love. Bill
From: greg.wroblew...@microsoft.com To: rbarn...@trustwave.com; consu...@hotmail.com CC: owasp-modsecurity-core-rule-set@lists.owasp.org Subject: RE: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2 Date: Thu, 9 Aug 2012 23:21:55 +0000 This is really an APR bug (we should report it or create a workaround), but the problem is in the file permissions. Read access to everyone is not enough, proper ACLs must be set as well. When the file does not exist this error gets logged in the event log: Syntax error in config file c:\inetpub\wwwroot\test.conf, line 47: Error creating rule: Could not open phrase file "c:\inetpub\wwwroot\modsecurity_35_scanners.data": The system cannot find the file specified. So you can see when it’s a permission issue or a path issue. Greg From: Ryan Barnett [mailto:rbarn...@trustwave.com] Sent: Thursday, August 9, 2012 2:45 PM To: Bill Roemhild Cc: owasp-modsecurity-core-rule-set@lists.owasp.org; Greg Wroblewski (SPARROW) Subject: Re: [Owasp-modsecurity-core-rule-set] @pmFromFile fails when using IIS along with modsecurity 2.7.0-RC2 You might want to try and specify a full path to the .data file. -- Ryan Barnett Researcher Lead Trustwave - SpiderLabs On Aug 9, 2012, at 5:39 PM, Bill Roemhild <consu...@hotmail.com> wrote: I've been playing around with modsecurity 2.7.0-RC2 for IIS along with the OWASP rules. When running any rule set that calls for a data file through @pmFromFile the application pool crashes. I've given read access to 'Everyone' on the data files being read without success. Anyone else run into this problem? Rule: SecRule REQUEST_HEADERS:User-Agent "@pmFromFile modsecurity_35_scanners.data" \ "phase:2,rev:'2.2.5',t:none,t:lowercase,block,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',tag:'AUTOMATION/SECURITY_SCANNER',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'4',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.automation_score=+%{tx.warning_anomaly_score},setvar:tx.%{rule.id}-AUTOMATION/SECURITY_SCANNER-%{matched_var_name}=%{matched_var}" Crash: w3wp.exe 7.5.7601.17514 4ce7afa2 libapr-1.dll 1.4.5.0 500eaf34 c0000005 00000000000099f8 1e08 01cd7675752af369 c:\windows\system32\inetsrv\w3wp.exe C:\Windows\system32\inetsrv\libapr-1.dll b4147ab9-e268-11e1-82b3-4437e66c2115 _______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is STRICTLY PROHIBITED. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
