The rule you want to use i beleive is 973020

I think rule 981173 cannot be used to identify a specific target but keeps a score of the times a suspicious character was (as identified by the rules below 973020)  found - so the below rule stops those rules from being run against that named cookie

SecRule REQUEST_HEADERS:Host "!@rx (^$)" \

On 26/08/11 16:00, Organic Spider wrote:
Changed but it is still being hit. Looking in the audit log it has:

[26/Aug/2011:10:55:48 --0400] Tlez838eCIcAAFhaAg0AAAAD 3371 80
GET /js/ HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Cookie: last_visit=1314356268; last_activity=1314370547; tracker=a%3A5%3A%7Bi%3A0%3Bs%3A6%3A%22people%22%3Bi%3A1%3Bs%3A7%3A%22content%22%3Bi%3A2%3Bs%3A11%3A%22pages%2Fabout%22%3Bi%3A3%3Bs%3A14%3A%22pages%2Fservices%22%3Bi%3A4%3Bs%3A11%3A%22pages%2Fabout%22%3B%7D;
If-Modified-Since: Fri, 26 Aug 2011 14:55:12 GMT
Authorization: Basic aGtzdHJhdGVnaWVzOklMNXRyYXQ=

HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.6
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 26 Aug 2011 14:55:48 GMT
Pragma: no-cache
Content-Type: text/javascript
Set-Cookie: last_activity=1314370547; expires=Sat, 25-Aug-2012 14:55:47 GMT; path=/
Set-Cookie: tracker=a%3A5%3A%7Bi%3A0%3Bs%3A2%3A%22js%22%3Bi%3A1%3Bs%3A6%3A%22people%22%3Bi%3A2%3Bs%3A7%3A%22content%22%3Bi%3A3%3Bs%3A11%3A%22pages%2Fabout%22%3Bi%3A4%3Bs%3A14%3A%22pages%2Fservices%22%3B%7D; path=/
Set-Cookie: tracker=a%3A4%3A%7Bi%3A0%3Bs%3A6%3A%22people%22%3Bi%3A1%3Bs%3A7%3A%22content%22%3Bi%3A2%3Bs%3A11%3A%22pages%2Fabout%22%3Bi%3A3%3Bs%3A14%3A%22pages%2Fservices%22%3B%7D; path=/
Connection: close
Transfer-Encoding: chunked

Message: Warning. Operator GE matched 4 at TX:restricted_sqli_char_count. [file "/usr/local/httpd-2.2.19/modsecurity/rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "551"] [id "981173"] [rev "2.2.1"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "5"]

To me it is the setting of the tracker cookie which is causing the warning to be thrown. Am I reading it correctly ?
------------------------------------------------------------------------------ EMC VNX: the world's simplest storage, starting under $10K The only unified storage solution that offers unified management Up to 160% more powerful than alternatives and 25% more efficient. Guaranteed.
_______________________________________________ mod-security-users mailing list ModSecurity Services from Trustwave's SpiderLabs: