Anonymous - 2012-10-25

We have a complex web app that is all custom and are trying to enable SQLi protection in ModSecurity with the 1.6.1 rules.  The issue we have is false positives due to text in certain URL parameters.

An example is when the string "select" is present in a parameter such as: &availableProperties=&selectedProperties=&workflowpropertiesid=&workflowserviceid=&workflowid=

Where the parameter is "selectedProperties"

What's the best way to craft a rule that can be smarter about detecting FPs like this?