Hi Ryan and Brian,
Thank you for taking the time to respond - especially on a Sunday! :)
Ryan - thank you for the link to "Rule Differences", very helpful, in fact it helped clarify the & operator for me - yay. It seems counting the headers also works for an empty header - at least in testing. I'll check into this some more.
Brian - thanks for pointing out the main config stuff - I need to pay more attention to getting the global configs set correctly.
It would seem ARGS needs the @rx operator set to work correctly OR I did not have the phase set correctly (I was trying several things at a time).
Nolog: I think I am cheating here but by using 2 different status codes and only logging one (SecAuditLogRelevantStatus) I can get exactly the behavior I desire.
If you have a moment a couple of quick questions...
* Would it be easier to just forget about setting each rules' phase and just let mod_sec just figure it out?
* Is there a setting to have modsec only look at scripts and ignore html/images
* Is there a way to test rules in htaccess so I don't have to restart apache 100 times a day :)
Oh, and in case no one said it recently, thank you for making modsec open source!
Note: This email is CONFIDENTIAL and contains information intended only for the party to whom it is addressed. No reproduction of this email may be made without the written consent of the original sender.