# Apache ModSecurity rules for IIS
SecRuleEngine On
SecRule REQUEST_URI "@lt 1" "id:1274,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@lt 1" "id:1275,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@rx [a-z]:x5cinetpubb" "id:1276,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@rx (?:Microsoft OLE DB Provider for SQL Server(?:.{1,20}?error '800(?:04005|40e31)'.{1,40}?Timeout expired| (0x80040e31)
Timeout expired
)|internal server error
.*?part of the server has crashed or it has a configuration error.
|cannot connect to the server: timed out)" "id:1277,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@pmFromFile iis-errors.data" "id:1278,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "!@rx ^404$" "id:1279,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@rx bServer Error in.{0,50}?bApplicationb" "id:1280,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1281,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@lt 2" "id:1282,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1283,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@lt 3" "id:1284,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1285,phase:1,deny,status:403,log,msg:'iis attack detected'"
SecRule REQUEST_URI "@lt 4" "id:1286,phase:1,deny,status:403,log,msg:'iis attack detected'"