Dear All,
I m trying to configure a whitelist with the following rule:

SecRule REQUEST_URI "@beginsWith /?cmd=blabla" "chain,phase:2,id:1999005,allow,log,t:none,t:urlDecode,t:lowercase,t:normalizePath,ctl:ruleRemoveByTag=OWASP_CRS/WEB_ATTACK/SQL_INJECTION;ARGS_NAMES:.*fupdate.*"
    SecRule REQUEST_METHOD "@eq POST" "t:none"
SecRule REQUEST_URI "@beginsWith /?cmd=blabla" "chain,phase:2,id:1999006,allow,log,t:none,t:urlDecode,t:lowercase,t:normalizePath,ctl:ruleRemoveByTag=OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS;ARGS_NAMES:.*fupdate.*"
    SecRule REQUEST_METHOD "@eq POST" "t:none"

In my understanding this should whitelist with the following conditions:
- The URL begins with /?cmd=blablabla
- For the argument called fupgrade.*
- In phase 2 (POST contents from
- Only for POST requests

But unfortunately it is not working at all.

I also tried the following :
- ;ARGS_NAMES:fupdate
- ;ARGS_NAMES:fupdate[.*][.*]
- No ARGS_NAMES !!! -> still ctached and blocked (there i am lost)
- phase:3
(i also noticed that using ARGS-NAMES (by error) did not send any error :/

It is working in "phase:1" BUT if i do that the whole URL with any argument POST/GET is whitelisted :(

In my opinion this is caused by the fact that the           fupgrade argument contains [].
(not 100% sure because when i remove the ARGS_NAMES parameter it is still blocked)

Below are a parts of the logs specifying that deny:

[Fri May 02 17:03:16 2014] [error] [client X.X.X.X] ModSecurity: Warning. Pattern match "([\\\\~\\\\!\\\\@\\\\#\\\\$\\\\%\\\\^\\\\&\\\\*\\\\(\\\\)\\\\-\\\\+\\\\=\\\\{\\\\}\\\\[\\\\]\\\\|\\\\:\\\\;\\"\\\\'\\\\\\xc2\\xb4\\\\\\xe2\\x80\\x99\\\\\\xe2\\x80\\x98\\\\`\\\\<\\\\>].*?){4,}" at ARGS_NAMES:fupgrade[1][new_qty]. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "159"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: ] found within ARGS_NAMES:fupgrade[1][new_qty]: fupgrade[1][new_qty]"] [ver "OWASP_CRS/2.2.9"] [maturity "9"] [accuracy "8"] [tag "OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [hostname ""] [uri "/"] [unique_id "U2OztH8AAAEAADO-JnAAAAAE"]

Any help would be much appreciated!!!