I'm still going through the rules; this seems to create a false positive for PDA phones.

Message: Warning. Pattern match "(?:[\\+\\@\\%#\"\\']|\\|\\||\\-\\-)" at REQUEST_HEADERS:x-wap-profile-diff. [id "50905"] [msg "(default/generic_attacks.conf) SQL Injection Attack"] [severity "WARNING"]

x-wap-profile-diff: 1; <?xml version="1.0" encoding="iso-8859-1"?><rdf:RDF xmlns:rdf="" xmlns:rdfs="" xmlns:prf="
#"><rdf:Description rdf:ID="DeviceProfile"><prf:component><rdf:Description rdf:ID="BrowserUA"><prf:TablesCapable>No</prf:TablesCapable><prf:JavaScriptEnabled>No</prf:JavaScriptEnabled></rdf:Description></prf:component></rdf:Description></rdf:RDF>

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|!REQUEST_HEADERS:Referer "\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)|group\b\W*\bby|having|insert|length|where)\b" \
        "chain,auditlog,id:50905,severity:4,msg:'(default/generic_attacks.conf) SQL Injection Attack'"


Any ideas what this is doing? I had to turn it off for a location.

Ofer Shezaf wrote:


'SecFilterEngine' is a 1.9.x directive. You got it right and SecRuleEngine is the correct directive for ModSecurity 2.x. Sorry for the typo.


~ Ofer


From: [] On Behalf Of Dan Rossi
Sent: Monday, November 27, 2006 8:15 AM
To: Ivan Ristic
Subject: Re: [mod-security-users] mod-security-users Digest, Vol 6, Issue 22


Ivan Ristic wrote:

On 11/21/06, Dan Rossi <> wrote:

Ivan Ristic wrote:
> It is documented and it works. However, "SecFilterInheritance"
> prevents the rules from being inherited from the parent context but it
> does nothing to the configuration options. The configuration settings
> are always inherited. If you want something different to happen just
> provide different configuration. So, in your case you could do
> something like:
> <Location /signup>
> SecFilterInheritance Off
> SecFilterForceByteRange 0 255
> </Location>

OK, what I'm saying here is, every rule set as default will have to be
overwritten as you have here, i.e. the ones we need to override for etc., so
mod sec can't be turned off per virtualhost, for instance?

Sure it can:

<VirtualHost whatever>
   SecFilterEngine Off
   SecAuditEngine Off

Hi Ivan, I just put these rules inside virtualhost for mod sec 2 and I get this:

Invalid command 'SecFilterEngine', perhaps mis-spelled or defined by a module not included in the server configuration

If I do

SecRuleEngine Off
SecAuditEngine Off

it's OK; however, for some of our Zend-encoded files something happens with the posts. I don't get any errors, but it seems modsec is doing something even though I've turned it off in that path, and redirects back to the file. I can't go into the code and look because it's encoded and there is no log :\
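
The false positive reported at the top of this thread can be checked offline. The following is an added example, not code from the thread or from ModSecurity: it runs the pattern from the log entry and the keyword pattern from the quoted SecRule line over the x-wap-profile-diff value as posted. Assumptions: Python's re treats these constructs like PCRE, no transformations are applied, and the Accept and Host values are constructed samples.

```python
import re

# Pattern as reported in the log entry for id 50905. Assumption: the doubled
# backslashes in the log are log escaping, so they are reduced to single ones.
LOGGED = re.compile(r"""(?:[\+\@\%#"\']|\|\||\-\-)""")

# Keyword pattern from the SecRule line quoted in the thread, copied unchanged.
KEYWORDS = re.compile(
    r"\b(?:rel(?:(?:nam|typ)e|kind)|a(?:ttn(?:ame|um)|scii)|c(?:o(?:nver|un)t|ha?r)"
    r"|s(?:hutdown|elect)|to_(?:numbe|cha)r|u(?:pdate|nion)|d(?:elete|rop)"
    r"|group\b\W*\bby|having|insert|length|where)\b"
)

# x-wap-profile-diff is the value as it appears in the thread (the namespace
# URLs are already missing there). Accept and Host are constructed samples.
HEADERS = {
    "x-wap-profile-diff": (
        '1; <?xml version="1.0" encoding="iso-8859-1"?><rdf:RDF xmlns:rdf="" '
        'xmlns:rdfs="" xmlns:prf="#"><rdf:Description rdf:ID="DeviceProfile">'
        '<prf:component><rdf:Description rdf:ID="BrowserUA">'
        "<prf:TablesCapable>No</prf:TablesCapable>"
        "<prf:JavaScriptEnabled>No</prf:JavaScriptEnabled>"
        "</rdf:Description></prf:component></rdf:Description></rdf:RDF>"
    ),
    "Accept": "text/html, application/xhtml+xml",
    "Host": "www.example.com",
}


def matched_tokens(pattern, headers):
    """Map each header name to the sorted distinct substrings the pattern matched."""
    return {name: sorted(set(pattern.findall(value)))
            for name, value in headers.items()}


def report(headers):
    """Per header: what the logged pattern and the keyword pattern each matched."""
    logged = matched_tokens(LOGGED, headers)
    keywords = matched_tokens(KEYWORDS, headers)
    return {name: {"logged_pattern": logged[name],
                   "keyword_pattern": keywords[name]} for name in headers}


if __name__ == "__main__":
    for name, hits in report(HEADERS).items():
        print(f"{name}: {hits}")
```

Any header value that carries quoted XML attributes matches the logged pattern on the quote character alone, so an exclusion for this header needs to cover the pattern the log reports, not only the keyword line.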