Description
Hi,
i am using ModSecurity with IIS and after some time ModSecurity seems to block requests although it is in detection mode. Blocking probably isn't the correct description as it isn't blocked because of being marked as evil and then discarded, but ModSecurity just hanging for the first in "SendRequest", all others reqeusts in the status "BeginRequest" without ever completing.
I can see all the requests in the IIS "Requests"-page. I attached a screenshot of such a situation. All entries showed as Modulname "ModSecurity IIS (32bits)".
The only solution i've found so far for get it running again is recycling the application pools.
I am using ModSecurity version 2.9.2-64b on Windows 2016 with IIS 10. Multiple webpages and webservices, all based on .NET 4.0, each with its own application pool. As it is a load balanced environment i am using Scaleout for synchronizing the session state between the webservers.
As base rules i am using owasp-modsecurity-crs-3.2-dev and then modified them a little bit for my needs.
I created different configurations for each application because they need different rules. Each rule set is referenced in the web.config of each application.
I have looked into all log files and Eventlog but haven't seen any error which could relate to this problem. ModSecurity doesn't log anything during such a situation.
Until now i don't really have a clue what this could be. The problems seems to occur without seeing any environment correlation. It happens quite randomly.
My best guess so far would be that ModSecurity allocates some ressources which it doesn't release properly, so after some time it runs into a problematic state and then ceases to work.
How can i resolve/analyze this issue further?
Regards