Greetings all,

I'm experimenting with the OWASP ruleset to protect a Joomla site and am running into a rule error that I'm having difficulty creating an exception for.  Hopefully someone here can shed some light on what I'm doing wrong.

The rule in question is 981173:

SecRule ARGS_NAMES|ARGS|XML:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*?){4,}" "phase:2,t:none,t:urlDecodeUni,block,id:'981173',rev:'2',ver:'OWASP_CRS/2.2.9',maturity:'9',accuracy:'8',msg:'Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded',capture,logdata:'Matched Data: %{TX.1} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',tag:'OWASP_CRS/WEB_ATTACK/SQL_INJECTION',setvar:tx.anomaly_score=+%{tx.warning_anomaly_score},setvar:tx.sql_injection_score=+1,setvar:'tx.msg=%{rule.msg}',setvar:tx.%{rule.id}-OWASP_CRS/WEB_ATTACK/RESTRICTED_SQLI_CHARS-%{matched_var_name}=%{tx.0}"

For those familiar with Joomla, I'm tripping this rule by logging into the admin console, opening the add user section, and then clicking cancel.  modsec_debug log shows the following:

[20/May/2014:09:56:27 --0500] [testhost/sid#7f9733f2e6e8][rid#7f97342617f8][/administrator/index.php][1] Access denied with code 406 (phase 2). Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS_NAMES:jform[groups][]. [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: ] found within ARGS_NAMES:jform[groups][]: jform[groups][]"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"]

I have tried to create a rule exception [the old way] by adding a SecRuleRemoveById declaration and adding !ARGS_NAMES:/jform[groups]/ to the list for said rule, which didn't work.  I thought maybe it was interpreting the square brackets as a character class and tried escaping them.  No dice there either.  What do I need to do to create an exception for this rule?  I really don't have the luxury of disabling the rule in and of itself, unfortunately.

FWIW, I also attempted to write a rule such as the following:

SecRule TX:'/^981173.*ARGS_NAMES:jform[groups]/' ".*" "id:11,chain,phase:2,t:none,nolog,pass"
      SecRule MATCHED_VAR_NAME "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1},setvar:tx.anomaly_score="-20"

Which also doesn't work unfortunately.

Thanks in advance for any help or suggestions
Reuben
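
Why the parameter name alone trips 981173, and how the unescaped selector text behaves as a regular expression, shown as an added example that is not part of the original post. It assumes Python's re module as a stand-in for the PCRE engine ModSecurity uses; the function names are hypothetical, and how ModSecurity itself applies a target exclusion is not modelled here.

```python
import re

# Character class of rule 981173, copied from the rule quoted in the post.
RESTRICTED = "~!@#$%^&*()-+={}[]|:;\"'´’‘`<>"
RULE_981173 = re.compile("([" + re.escape(RESTRICTED) + "].*?){4,}")

# Constructed sample: the debug-log entry from the post, abridged to the
# fields parsed below.
SAMPLE_LOG = (
    '[/administrator/index.php][1] Access denied with code 406 (phase 2). '
    '[id "981173"] [data "Matched Data: ] found within '
    'ARGS_NAMES:jform[groups][]: jform[groups][]"] [ver "OWASP_CRS/2.2.6"]'
)

def restricted_chars(value):
    """Return the characters in value that the rule counts."""
    return [c for c in value if c in RESTRICTED]

def trips_981173(value):
    """True when value holds four or more restricted characters."""
    return RULE_981173.search(value) is not None

def parse_denial(line):
    """Extract (rule id, collection, key) from an 'Access denied' entry."""
    rule = re.search(r'\[id "(\d+)"\]', line)
    var = re.search(r"found within ([A-Z_]+):(.+?): ", line)
    if not (rule and var):
        return None
    return rule.group(1), var.group(1), var.group(2)

def selector_matches(pattern, name):
    """Does a regex selector, as written, match the parameter name?"""
    return re.search(pattern, name) is not None

if __name__ == "__main__":
    rule_id, collection, key = parse_denial(SAMPLE_LOG)
    print(rule_id, collection, key, restricted_chars(key), trips_981173(key))
    # Unescaped, [groups] is a character class (one of g, r, o, u, p, s),
    # so the pattern cannot match the literal "[" that follows "jform".
    print(selector_matches(r"jform[groups]", key))
    # Escaped, the brackets are literals and the whole name is matched.
    print(selector_matches(r"^jform\[groups\]\[\]$", key))
```

Any array-style field name with two bracket pairs reaches the rule's threshold of four restricted characters before its value is even inspected.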