I have a big issue with modsecurity detecting a simple Remote Command Execution.
My WAF config is Modsecurity 2.7.1 with core rules based on scoring but however i don t have any logging for that request:

GET http://OBFUSCATED/application.pl?action=deleteaccount&username=%60ls%20/root/%20%3E%20/tmp/root%60&redirectionemail= HTTP/1.1

(also work for mail my@email.Com < /etc/shadow)

It is simple not detected in logs!!!
I clearly don t understand why... it should be triggered by the "common attack" rules of the CRS activated rules in my opinion.

I need to do a kind of "virtual patching".
What i want to do would be as fast as possible being able to filter the following caracters il ARGS:

< > ; | `

I tried this without sucess:
SecRule ARGS "(;|\||\`)" "phase:3,t:none,log,deny,id:5000148"

SecRule ARGS ";" "phase:3,t:none,log,deny,id:5000148"
(i tried it with phase 2 or 1 attack still succeed)

Another interesting option could be to increase the score only for that virtual host but i don t think it would be helpful as it is not detected.

Any help would be much appreciated !

Many thanks

David R