Realtime security rules on IIS

Posted: Wed Jul 24, 2013 1:22 pm
by cveile
Modsecurity newbie here...

I have installed modsecurity on IIS 7.5 and got the default modsecurity rules (including the OWASP CRS ruleset) working. However they were too restrictive for a couple of Joomla sites. So the Atomicorp paid subscription version of the rules looked like the perfect solution, so I signed up for the 30 day free trial and was looking forward to the subscription and proactive solution this provides...

I removed the default installation rules and crs rules, and installed the atomicorp rules and removed atomicorp ASL-only rules, but it didn't appear to work at all...

Upon checking my site application log, modsecurity reported the following:
Unknown command in config: < LocationMatch

I'm guessing this is an apache directive that doesn't work in IIS? Is there an alternate code for IIS that would work instead of LocationMatch?

Thanks!
Chris

Re: Realtime security rules on IIS

Posted: Wed Jul 24, 2013 2:09 pm
by mikeshinn
cveile wrote: Unknown command in config: < LocationMatch
Yes, that's because IIS doesn't understand LocationMatch. Just comment those out. We'll be putting out an IIS specific ruleset shortly that doesn't include them.

Re: Realtime security rules on IIS

Posted: Wed Jul 24, 2013 3:09 pm
by cveile
mikeshinn wrote: Yes, that's because IIS doesn't understand LocationMatch. Just comment those out. We'll be putting out an IIS specific ruleset shortly that doesn't include them.
Thanks! Is there a workaround? I'm more than a little concerned about potential security vulnerabilities arising from disabling those rules...

Re: Realtime security rules on IIS

Posted: Wed Jul 24, 2013 4:45 pm
by mikeshinn
cveile wrote: I'm more than a little concerned about potential security vulnerabilities arising from disabling those rules...
No need to worry, disabling those will not cause any vulnerabilities. Those LocationMatch rules are used to disable certain rules for certain applications, so commenting those out will just prevent the disabling of certain rules for certain conditions. (That's not the only way we do that, just one of many methods we use.)

We'll be putting out a separate set of the rules that won't include these directives, but will use other means to accomplish the same thing, which should resolve this issue for IIS. We may release these as a special IIS-only set of rules, but our goal is to not have to do that (and just keep all the rules in one set for Apache, nginx and IIS).

Re: Realtime security rules on IIS

Posted: Thu Jul 25, 2013 2:44 pm
by cveile
Makes sense. Thanks! I'd bet some of those were Joomla-specific exceptions, so I'm going to have to check and see if any of those sites are broken or partly broken... not a biggie.

So... I commented all those out but I'm seeing this a lot in the Windows application log:
1) ModSecurity: ipMatch Internal Error: Invalid ip address.
2) ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first.

For the second error, I've tried setting ModSecurity's data directory to various places and added all kinds of users to the folder (i.e. IUSR, IIS_IUSR, etc.)...

For the first error - is this an IIS issue, or what is causing that?

Using ModSec 2.7.4 for IIS...

Re: Realtime security rules on IIS

Posted: Thu Jul 25, 2013 10:45 pm
by mikeshinn
cveile wrote: Makes sense. Thanks! I'd bet some of those were Joomla-specific exceptions, so I'm going to have to check and see if any of those sites are broken or partly broken... not a biggie.
We've been phasing out LocationMatch for several years, so it's unlikely any of those would affect a modern application like Joomla. Most of the tuning these days is done using rule syntax.
cveile wrote: 1) ModSecurity: ipMatch Internal Error: Invalid ip address.
So assuming you only have our rules loaded, that would mean either you are missing the /etc/asl/whitelist file, or your Windows system doesn't support IPv6. The only uses of that directive are for the /etc/asl/whitelist file, so if you have enabled the 00_asl_whitelist.conf file you may need to modify that to fit a path that works for Windows.

Outside of that, it's only used to detect localhost for a few other rules, and the pattern match is always 127.0.0.1,::1

Does your system support IPv6?
cveile wrote: 2) ModSecurity: collection_retrieve_ex: Unable to retrieve collection (name "global", key "global"). Use SecDataDir to define data directory first.
So that means you've got some third party rules installed; we do not use that. But you need to define SecDataDir anyway so modsecurity can write its audit logs. Nevertheless, that error means you're using some rules other than ours: we do not use collections, so you can only get that if you are using rules that do. So you'll either need to remove those rules, or you'll need to ask the authors of those rules for help with their rules.
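Added example illustrating the points raised in this thread (it is not part of the Atomicorp ruleset or the forum posts): the Apache-only LocationMatch form that IIS rejects, the plain SecRule/ctl form that every ModSecurity platform parses, and the SecDataDir and ipMatch settings discussed above. All rule ids, the Joomla path and the Windows paths are assumed placeholders.

```apache
# Added example, not Atomicorp's rules. Rule ids, the /administrator/ path and
# the C:/... paths are assumed placeholders.
#
# Apache-only form. IIS logs "Unknown command in config: < LocationMatch":
#
#   <LocationMatch "^/administrator/">
#       SecRuleRemoveById 100001
#   </LocationMatch>
#
# Platform-agnostic equivalent: a phase-1 rule matching the same path that
# uses the ctl action to drop rule 100001 for this transaction only. This is
# ordinary SecRule syntax, so Apache, nginx and IIS all accept it.
SecRule REQUEST_URI "@beginsWith /administrator/" \
    "id:100002,phase:1,pass,nolog,t:none,ctl:ruleRemoveById=100001"

# Persistent collections (global, ip, session) need a writable data directory;
# without it collection_retrieve_ex fails as shown in the thread. Forward
# slashes avoid backslash-escaping issues in the config parser, and the IIS
# application pool identity needs write access to this folder.
SecDataDir "C:/inetpub/modsecurity/data"

# Localhost detection with @ipMatch using both loopback addresses. The ::1
# entry only parses if the platform has IPv6 support, which is the
# "Invalid ip address" cause mentioned above.
SecRule REMOTE_ADDR "!@ipMatch 127.0.0.1,::1" \
    "id:100003,phase:1,pass,nolog,t:none,setvar:tx.remote_client=1"

# Whitelist file referenced by a Windows path instead of /etc/asl/whitelist
# (assumed location; one IP or CIDR per line).
SecRule REMOTE_ADDR "@ipMatchFromFile C:/inetpub/modsecurity/whitelist.txt" \
    "id:100004,phase:1,allow,nolog,t:none"
```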

Re: Realtime security rules on IIS

Posted: Tue Aug 13, 2013 10:38 am
by bclark-rdc
Any idea when the IIS-specific version will be released? I am interested in buying a subscription to that ruleset. :D

Re: Realtime security rules on IIS

Posted: Sun Mar 16, 2014 3:01 pm
by mikeshinn
IIS compatible rules are now available for testing. LocationMatch is gone, and a full rewrite has been done to make them platform agnostic. Please contact us if you would like to be part of the beta.