I guess you should combine the previous rule with this one:
SecRule REQUEST_HEADERS:User-Agent "curl" "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=990012"
+
SecRule REQUEST_FILENAME "^/blog/2007/11/20/blue-tongue-harmonica-talk-cd/(index.php)?$" "nolog,pass,ctl:RuleRemoveById=958821"


SecRule REQUEST_FILENAME "^/blog/2007/11/20/blue-tongue-harmonica-talk-cd/(index.php)?$"  REQUEST_HEADERS:User-Agent "curl" "nolog,pass,ctl:RuleRemoveById=958821"

I found a rule on cpanel forums which uses some REQUESTS directives on the same rule: http://forums.cpanel.net/f5/mod_security-version-222541.html


# Restricted HTTP headers 
SecRule REQUEST_HEADERS_NAMES "\.(?:Lock-Token|Translate|If)$" \
    "deny,log,auditlog,msg:'HTTP header is restricted by policy',id:'960038',severity:'4'"

SecRule HTTP_User-Agent "(?:\b(?:m(?:ozilla\/4\.0 \(compatible\)|etis)|webtrends security analyzer|pmafind)\b|n(?:-stealth|sauditor|essus|ikto)|b(?:lack ?widow|rutus|ilbo)|(?:jaascoi|paro)s|internet explorer|webinspect|\.nasl)" \
        "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990002',severity:'2'"
SecRule REQUEST_HEADERS_NAMES "\bacunetix-product\b" \
        "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990901',severity:'2'"
SecRule REQUEST_FILENAME "^/nessustest" \
        "deny,log,auditlog,msg:'Request Indicates a Security Scanner Scanned the Site',id:'990902',severity:'2'"

In this snippet you can see that the same rule id (990902) is using the HTTP_User-Agent directive with REQUEST_FILENAME, but on different lines. I think rules with the same id are checked at the same time, but someone more experienced in mod_security rule development could tell if I'm right.

Kind regards,


2013/10/30 Josh Amishav-Zlatin <jamuse@owasp.org>
On Tue, Oct 29, 2013 at 7:59 PM, Jose Pablo Valcárcel Lázaro <pablo.valcarcel1980@gmail.com> wrote:
Here you can find a link where the author manages a false positive by removing a rule id under some circumstances (in this case, trying to access a file): https://blog.chesterton.id.au/2011/03/21/mod_security-false-positives/

SecRule REQUEST_FILENAME "^/blog/2007/11/20/blue-tongue-harmonica-talk-cd/(index.php)?$" "nolog,pass,ctl:RuleRemoveById=958821"

Could you do something similar in your rule? 

Hi Dirk,

Yes. Can you send me an auditlog for the issue you're having?

--
 - Josh
 

Kind regards,


2013/10/29 Josh Amishav-Zlatin <jamuse@owasp.org>
On Mon, Oct 28, 2013 at 11:01 AM, Dirk <dc-sec@eurodata.de> wrote:
On 18.10.2013 09:15, DC wrote:
Hello,

I have (too) many Log-Entries from Rule-Id "981203" in the Webserver error.log.
Now, I would change/update the Action "log,noauditlog" from Rule-ID "981203" with SecRuleUpdateActionById.
I have appended the following Rule (in modsecurity_crs_60_ED_Rules.conf)
 
after the Original-Rule (in modsecurity_crs_60_correlation.conf)
but it doesn't work.

SecRuleUpdateActionById 981203 "chain,noauditlog,nolog,ctl:auditEngine=off"


Hi Dirk,

If you're disabling the audit engine why not just use SecRuleRemoveById?

--
 - Josh
 
Any idea ?

Regards
 Dirk



Ubuntu: 12.04
Apache2: 2.2.22
ModSecurity-Version:  2.7.5
Core-Rule-Version: 2.2.8

modsecurity_crs_60_correlation.conf
#
# Correlated Attack Attempt
#
SecRule TX:INBOUND_ANOMALY_SCORE "@gt 0" \
    "chain,phase:5,id:'981203',t:none,log,noauditlog,pass,skipAfter:END_CORRELATION,msg:'Inbound Anomaly Score (Total Inbound Score: %{TX.INBOUND_ANOMALY_SCORE}, SQLi=%{TX.SQL_INJECTION_SCORE}, XSS=%{TX.XSS_SCORE}): %{tx.inbound_tx_msg}'"
        SecRule TX:INBOUND_ANOMALY_SCORE "@lt %{tx.inbound_anomaly_score_level}"

modsecurity_crs_60_ED_Rules.conf
#
# modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0):
# Avoid Logging to the  error.log 
#
# Note : If the target rule is a chained rule, you must currently specify
#        chain in the SecRuleUpdateActionById action list as well.
#        This will be fixed in a future version.
SecRuleUpdateActionById 981203 "chain,noauditlog,nolog,ctl:auditEngine=off"


error.log
[Thu Oct 17 13:21:46 2013] [error] [client xxx.xxx.xxx.xxx] ModSecurity: Warning. Operator LT matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity/rules-enabled/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=0, XSS=0): Common SPAM/Email Harvester crawler"] [hostname "xxx.xxxxxxx.xx"] [uri "/menu/NBMAAJvP_W11WnN6TnpzZkJDDAA"] [unique_id "Ul-IStRZk3EAAEd9EDQAAAAE"]

modsec_debug.log
NO entries found with/for "SecRuleUpdateActionById"
# grep -i SecRuleUpdateActionById modsec_debug.log
#

# grep Debug /etc/apache2/modsecurity/rules-enabled/modsecurity_crs_11_ED_config.conf
# -- Debug log configuration -------------------------------------------------
SecDebugLog            /var/log/apache2/security/modsec_debug.log
SecDebugLogLevel       10





_______________________________________________
mod-security-users mailing list
mod-security-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mod-security-users
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs:
http://www.modsecurity.org/projects/commercial/rules/
http://www.modsecurity.org/projects/commercial/support/
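
The combination discussed at the top of this thread (switch off rule 958821 only when both the path and the User-Agent match) is normally written as a chained rule, because a single SecRule takes one variable list and one operator. This is an added example, not a rule from any poster or from the CRS; the id 10001 is a placeholder, needed because ModSecurity 2.7 makes the id action mandatory, and the dot in index\.php is escaped here.

```apache
# Added example (constructed). id 10001 is a placeholder; pick a free id
# from your own local range.
#
# Starter rule: matches the one URL that triggers the false positive.
# Disruptive action (pass), phase and id belong on the first rule of a chain.
SecRule REQUEST_FILENAME "^/blog/2007/11/20/blue-tongue-harmonica-talk-cd/(index\.php)?$" \
    "id:10001,phase:1,t:none,nolog,pass,chain"
    # Second link: evaluated only if the starter rule matched.
    # ctl sits on the LAST rule of the chain: a non-disruptive action runs as
    # soon as the rule that carries it matches, so placing it on the starter
    # rule would remove 958821 for every client requesting this URL.
    SecRule REQUEST_HEADERS:User-Agent "curl" \
        "t:none,ctl:ruleRemoveById=958821"
```

ctl:ruleRemoveById only affects the current transaction and only rules evaluated after this chain has run, so the chain has to be loaded and phased ahead of the rule it exempts.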

