You need to enable ModSecurity in your web.config file by adding the following configuration element to the <system.webServer> section:
<ModSecurity enabled="true"
configFile="c:\inetpub\wwwroot\owasp_crs\modsecurity_iis.conf" />
Also, out of the box, the rule engine only runs in "detection mode" (and still logs problem requests to the Application event log) so as not to disrupt your live sites with false positives.
To allow ModSecurity to take action such as blocking, denying, etc., you need to change the SecRuleEngine directive from:
SecRuleEngine DetectionOnly
to
SecRuleEngine On
You can find this setting in:
C:\inetpub\wwwroot\owasp_crs\modsecurity.conf
Before you can edit this file you need to remove the read-only attribute. You'll also need to run your editor as Administrator.
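
The steps above as one PowerShell script, added here as an example and not part of the original answer. The web.config location and the -Enforce switch are assumptions of this example; the modsecurity.conf path is the one quoted above. Without -Enforce the script only reports the current state, so you can keep running in detection mode while you review the Application event log for false positives.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the ModSecurity setup and optionally switch to blocking.
param(
    [string]$WebConfig  = 'C:\inetpub\wwwroot\web.config',   # assumed site root
    [string]$ModSecConf = 'C:\inetpub\wwwroot\owasp_crs\modsecurity.conf',
    [switch]$Enforce                                         # hypothetical switch
)

# 1. Report whether <ModSecurity> is present under <system.webServer>.
[xml]$xml = Get-Content -LiteralPath $WebConfig -Raw
$node = $xml.SelectSingleNode('/configuration/system.webServer/ModSecurity')
if (-not $node) {
    Write-Warning "No <ModSecurity> element under <system.webServer> in $WebConfig"
} else {
    "ModSecurity enabled={0} configFile={1}" -f $node.enabled, $node.configFile
}

# 2. Find the active (uncommented) SecRuleEngine directive; the last one is reported.
$lines   = Get-Content -LiteralPath $ModSecConf
$current = $lines | Select-String -Pattern '^\s*SecRuleEngine\s+(\S+)' |
           Select-Object -Last 1
if (-not $current) { throw "No SecRuleEngine directive found in $ModSecConf" }
$mode = $current.Matches[0].Groups[1].Value
"Current SecRuleEngine mode: $mode"

if ($Enforce -and $mode -ne 'On') {
    # 3. Keep a backup, clear the read-only attribute, then switch the mode.
    Copy-Item -LiteralPath $ModSecConf -Destination "$ModSecConf.bak" -Force
    Set-ItemProperty -LiteralPath $ModSecConf -Name IsReadOnly -Value $false
    $lines -replace '^(\s*SecRuleEngine\s+)\S+', '${1}On' |
        Set-Content -LiteralPath $ModSecConf
    "SecRuleEngine set to On (backup: $ModSecConf.bak)"
}
```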