Found the solution: https://github.com/SpiderLabs/ModSecurity/issues/538
add to modsecurity.conf # Configures the ability to use stream inspection for inbound request data in a re-allocable buffer. # For security reasons we are still buffering the stream. SecStreamInBodyInspection On That solve the problem for me. Thank you Freundliche Grüsse Steffen Höhne System Engineer -------------------------------------------------------------------------------------------------------------- JMC Software AG * Riedstrasse 1 * 6343 Rotkreuz * Switzerland Phone: +41 41 799 02 12 Internet: http://www.jmc-software.ch<http://www.jmc-software.ch/> * Email: s...@jmc-software.ch<mailto:s...@jmc-software.ch> -------------------------------------------------------------------------------------------------------------- From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Steffen Höhne Sent: Donnerstag, 25. August 2016 08:41 To: 'owasp-modsecurity-core-rule-set@lists.owasp.org' <owasp-modsecurity-core-rule-set@lists.owasp.org> Subject: Re: [Owasp-modsecurity-core-rule-set] Windows IIS ModSecurity 2.9.1 SecRuleEngine DetectionOnly Guys Something new with that problem. If I turn SecRequestBodyAccess off - it works without a problem. SecRuleEngine DetectionOnly and SecRequestBodyAccess On doesn't work. May that help you - but that's not a solution :-/ Thanks Freundliche Grüsse Steffen Höhne System Engineer -------------------------------------------------------------------------------------------------------------- JMC Software AG * Riedstrasse 1 * 6343 Rotkreuz * Switzerland Phone: +41 41 799 02 12 Internet: http://www.jmc-software.ch<http://www.jmc-software.ch/> * Email: s...@jmc-software.ch<mailto:s...@jmc-software.ch> -------------------------------------------------------------------------------------------------------------- From: Chaim Sanders [mailto:csand...@trustwave.com] Sent: Mittwoch, 24. August 2016 17:34 To: Steffen Höhne <steffen.hoe...@jmc-software.ch<mailto:steffen.hoe...@jmc-software.ch>>; 'owasp-modsecurity-core-rule-set@lists.owasp.org' <owasp-modsecurity-core-rule-set@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set@lists.owasp.org>> Subject: RE: [Owasp-modsecurity-core-rule-set] Windows IIS ModSecurity 2.9.1 SecRuleEngine DetectionOnly This is very suspicious activity - I will boot up a test machine and verify it if I can - what version of IIS are you using? Are you using CRS? Chaim Sanders Security Researcher, SpiderLabs Trustwave| SMART SECURITY ON DEMAND www.trustwave.com<http://www.trustwave.com/> From: owasp-modsecurity-core-rule-set-boun...@lists.owasp.org<mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org> [mailto:owasp-modsecurity-core-rule-set-boun...@lists.owasp.org] On Behalf Of Steffen Höhne Sent: Wednesday, August 24, 2016 11:00 AM To: 'owasp-modsecurity-core-rule-set@lists.owasp.org' Subject: [Owasp-modsecurity-core-rule-set] Windows IIS ModSecurity 2.9.1 SecRuleEngine DetectionOnly Hello guys thank you for this great solution :) Our system: Windows server 2012 standard x64 with iis Modsecurity 2.9.1 with the latest ruleset SecRuleEngine: DetectionOnly web.config: <ModSecurity enabled="true" configFile="C:\Program Files\ModSecurity IIS\modsecurity_iis.conf" /> Problem: We have a login screen at our nopcommerce webshop - with modecurity enabled and DetectionOnly it isn't possible to login. There is no warning log in the windows eventviewer. The login just redirect back to the login page. If I turn SecRuleEngine Off and recycle the apppool and try again ... tatatata it works :) Login URL is: http://admin.domain.tld/login?ReturnUrl=%2fadmin I think "SecRuleEngine DetectionOnly" shouldn't block - just write an event. Do you have any soultion for me? Thank you Freundliche Grüsse Steffen Höhne System Engineer -------------------------------------------------------------------------------------------------------------- JMC Software AG * Riedstrasse 1 * 6343 Rotkreuz * Switzerland Phone: +41 41 799 02 12 Internet: http://www.jmc-software.ch<http://scanmail.trustwave.com/?c=4062&d=87291xk-bECw0KTtqHdUQmJvRvkcBlUrb9ddFEQ1VA&s=5&u=http%3a%2f%2fwww%2ejmc-software%2ech%2f> * Email: s...@jmc-software.ch<mailto:s...@jmc-software.ch> -------------------------------------------------------------------------------------------------------------- ________________________________ This transmission may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any disclosure, copying, distribution, or use of the information contained herein (including any reliance thereon) is strictly prohibited. If you received this transmission in error, please immediately contact the sender and destroy the material in its entirety, whether in electronic or hard copy format.
_______________________________________________ Owasp-modsecurity-core-rule-set mailing list Owasp-modsecurity-core-rule-set@lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
