Hi guys,

Not being all that experienced with mod_sec, I've set out today to read a load of docs, and write a rule to fix a particular hole in a legacy web application. 

Here is my rule:

SecRule ARGS:domain_name "!@rx (?i:[[:alnum:]\.\-]+)" "log,deny,msg:'argument to domain_name parameter disallowed'"

At the moment, the rule is triggered if the domain_name variable is blank, but not if I put in something like <script>alert('xss')</script>

The audit log shows this when matching the blank argument:

Message: Access denied with code 501 (phase 4). Match of "rx (?i:[[:alnum:]\\.\\-]+)" against "ARGS:domain_name" required. [msg "argument to domain_name parameter disallowed"]


Can anyone suggest what I'm doing wrong, and how I can ensure that the argument to the domain_name= parameter matches [[:alnum:]\.\-]+ and nothing else.

Thanks.  Tom