Hello guys thank you for this great solution :)
Our system: Windows server 2012 standard x64 with iis Modsecurity 2.9.1 with the latest ruleset SecRuleEngine: DetectionOnly web.config: <ModSecurity enabled="true" configFile="C:\Program Files\ModSecurity IIS\modsecurity_iis.conf" /> Problem: We have a login screen at our nopcommerce webshop - with modecurity enabled and DetectionOnly it isn't possible to login. There is no warning log in the windows eventviewer. The login just redirect back to the login page. If I turn SecRuleEngine Off and recycle the apppool and try again ... tatatata it works :) Login URL is: http://admin.domain.tld/login?ReturnUrl=%2fadmin I think "SecRuleEngine DetectionOnly" shouldn't block - just write an event. Do you have any soultion for me? Thank you Freundliche Grüsse Steffen Höhne System Engineer -------------------------------------------------------------------------------------------------------------- JMC Software AG * Riedstrasse 1 * 6343 Rotkreuz * Switzerland Phone: +41 41 799 02 12 Internet: http://www.jmc-software.ch<http://www.jmc-software.ch/> * Email: s...@jmc-software.ch<mailto:s...@jmc-software.ch> --------------------------------------------------------------------------------------------------------------
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
