Channel: Security

ModSecurity on IIS 8.5


I hope someone can help me out here. The ModSecurity forum is not very active, and I'm hoping someone here can provide me with some direction. I installed the prerequisites and then installed ModSecurity via an MSI. I even reattempted the installation in verbose mode to see if I was missing something, but in all cases, things seem to go OK. I'm able to put "SecRule ARGS "zzz" phase:1,log,deny,status:503,id:1" into the modsecurity.conf file, and when I attempt to pull up the web page using http://localhost/?a=zzz, I do get a 503 error message. It's at least partially working.

I'm not able to log into the web site, though. There is some fairly expensive off-the-shelf software that uses IIS, and I'm not able to get logged in. There are 4 log entries when I log in, but one of the following is repeated twice. The problem appears to be that the directories c:\inetpub\temp\global and \ip do not exist, so it's not a simple permissions problem. I've tried to manually create these directories, but this doesn't help. Can anyone please give me some direction? Thanks.

<div class="markdown_content">

====== #1 ======
The description for Event ID 1 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

[client 192.168.102.1:47251] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/global": Access is denied. [hostname "ARCH-SRV"] [uri "/ao2016/globalajaxengine/aoajax.ashx?ids=*&flts=0&SnName=user_ajax&refreshParam=30.138179430896656&param1=4.382920643111279"] [unique_id "17870283327848579102"]
====== /#1 ======
====== #2 ======
The description for Event ID 1 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

[client 192.168.102.1:47251] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/global": Access is denied. [hostname "ARCH-SRV"] [uri "/ao2016/default.aspx"] [unique_id "17870283327848579103"]
====== /#2 ======
====== #3 ======
The description for Event ID 1 from source ModSecurity cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

[client 192.168.102.1:47251] ModSecurity: collections_remove_stale: Failed to access DBM file "C:/inetpub/temp/ip": Access is denied. [hostname "ARCH-SRV"] [uri "/ao2016/default.aspx"] [unique_id "17870283327848579103"]
====== /#3 ======

</div>

 

