hi i would like to turn this rule off being triggered by the referer header so passthrough if its a referer header for a location as its seem to trapping,


SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:[\;\|]\W*?\b(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id))\b|\b(?:(?:n(?:et(?:\b\W*?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|w(?:g(?:uest\.exe|et)|sh\.exe)|(?:rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\\\/c)|hmod\b\.{1,100}?\+.{1,3}x|d\b(?:\W*?\\\/|\W*\b..))))" \

        "deny,auditlog,id:50006,severity:4,msg:'(default/generic_attacks.conf) System Command Injection'"



im not very crash hot with my regexp, is this right ?

SecRule REQUEST_HEADERS "!(Referer)" "chain,deny,auditlog,id:50006,severity:4,msg:'(custom.conf) System Command Injection'"
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:[\;\|]\W*?\b(?:c(?:h(?:grp|mod|own|sh)|md|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id)|\/(?:c(?:h(?:grp|mod|own|sh)|pp|c)|p(?:asswd|ython|erl|ing|s)|n(?:asm|map|c)|f(?:inger|tp)|(?:kil|mai)l|g(?:\+\+|cc)|(?:xte)?rm|ls(?:of)?|telnet|uname|echo|id))\b|\b(?:(?:n(?:et(?:\b\W*?\blocalgroup|\.exe)|(?:map|c)\.exe)|t(?:racer(?:oute|t)|elnet\.exe|clsh8?|ftp)|w(?:g(?:uest\.exe|et)|sh\.exe)|(?:rcmd|ftp)\.exe|echo\b\W*?\by+)\b|c(?:md(?:(?:32)?\.exe\b|\b\W*?\\\/c)|hmod\b\.{1,100}?\+.{1,3}x|d\b(?:\W*?\\\/|\W*\b..))))" \

        "deny,auditlog,id:50006,severity:4,msg:'(default/generic_attacks.conf) System Command Injection'"


it seems i have to do this for alot of rules and locations, id rather not have to copy over the entire rule to override, just chain a rule by its id, is it possible ?