It seems this rule is trapping XML in POST payloads:

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?)" \
        "auditlog,id:50013,phase:2,severity:4,msg:'(default/generic_attacks.conf) PHP Injection Attack'"

Is there a way to allow XML (<?xml) in that rule, or would this be correct?


#SecRule !ARGS:TNO "chain,auditlog,id:50013,severity:4,msg:'(custom.conf) PHP Injection Attack'"
SecRule ARGS:TNO "!(<\?xml)" "chain,auditlog,id:50013,severity:4,msg:'(custom.conf) PHP Injection Attack'"

The first one didn't work.
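
Added example, not part of the original post: a small Python harness that runs the pattern from rule 50013 over constructed payloads, next to an assumed variant that puts a negative lookahead on the final `<\?` alternative. Python's `re` stands in for ModSecurity's regex engine here, and any transformations inherited from SecDefaultAction are not modelled.

```python
import re

# Pattern copied verbatim from rule 50013 as quoted in the post.
ORIGINAL = r"(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?)"

# Assumed variant (not from the post): the final "<\?" alternative gains a
# negative lookahead so "<?xml" followed by whitespace is not matched.
CANDIDATE = ORIGINAL.replace(r"|<\?)", r"|<\?(?!xml\s))")

# Constructed sample payloads: (label, value, should the rule still fire?)
SAMPLES = [
    ("xml declaration",
     '<?xml version="1.0" encoding="UTF-8"?><order><tno>12345</tno></order>',
     False),
    ("php open tag", "<?php echo 1; ?>", True),
    ("php short tag", "<? echo 1; ?>", True),
    ("xml then php", '<?xml version="1.0"?><?php echo 1; ?>', True),
    ("xml-prefixed name", "<?xmlfoo echo 1; ?>", True),
    ("file function", "fopen('/tmp/a','r')", True),
    ("plain value", "12345", False),
]


def fires(pattern, value):
    """Return True when the pattern matches anywhere in value, as @rx would."""
    return re.search(pattern, value) is not None


def evaluate(pattern):
    """Map each sample label to whether the pattern fires on it."""
    return {label: fires(pattern, value) for label, value, _ in SAMPLES}


def regressions(pattern):
    """Labels where the pattern's verdict differs from the expected one."""
    verdicts = evaluate(pattern)
    return [label for label, _, expected in SAMPLES
            if verdicts[label] != expected]


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL), ("candidate", CANDIDATE)):
        print(name, "mismatches:", regressions(pattern))
```

The trailing `\s` in the lookahead keeps names that merely begin with `xml` inside the rule's coverage.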