On Sun, May 26, 2013 at 5:43 AM, <no.spa@o2.pl> wrote:

I assume that the text after --04c1b432-C-- is the POST message sent to the script. I
would like to know what it means, to build more specific rules of
mod_security, which will filter ARGS, not only filename.

Hi Mike,

That is correct; section C in the audit log shows the request body. You can access the request parameter values directly via the ARGS, ARGS_POST and ARGS_GET collections. If you know how the POST parameter values are encoded, you can use one of the available transformation functions in your rule. For example, if the parameter values were base64 encoded, you could use something like:

SecRule ARGS "AttackString" "phase:2,id:1,t:none,t:base64Decode,block"

 - Josh
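
Added example, not part of the original thread: a small Python helper that pulls section C out of one audit log entry, parses it as a urlencoded body, and shows each parameter both raw and base64-decoded, which is the value a rule using t:base64Decode would be matched against. The log entry is constructed (only the boundary id 04c1b432 comes from the thread), the function names are hypothetical, and it assumes an application/x-www-form-urlencoded body and strict base64.

```python
import base64
import re
from urllib.parse import parse_qsl

# Constructed audit log entry; only the boundary id 04c1b432 is taken from
# the thread, every other value is made up for illustration.
SAMPLE_ENTRY = """--04c1b432-A--
[26/May/2013:05:00:00 +0000] CONSTRUCTED-ID 192.0.2.10 40000 192.0.2.20 80
--04c1b432-B--
POST /upload.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded

--04c1b432-C--
filename=report.txt&data=QXR0YWNrU3RyaW5n
--04c1b432-Z--
"""

# Section boundaries look like --<hex id>-<section letter>--
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")

def split_sections(entry):
    """Return {section letter: text} for one audit log entry."""
    sections, current = {}, None
    for line in entry.splitlines():
        m = BOUNDARY.match(line)
        if m:
            current = m.group(2)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return {k: "\n".join(v).strip() for k, v in sections.items()}

def try_base64(value):
    """Strictly decode value as base64 text; None if it is not base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def decoded_args(entry):
    """Parse section C as a urlencoded body: [(name, raw, decoded or None)]."""
    body = split_sections(entry).get("C", "")
    return [(n, v, try_base64(v)) for n, v in parse_qsl(body, keep_blank_values=True)]

if __name__ == "__main__":
    for name, raw, decoded in decoded_args(SAMPLE_ENTRY):
        print(f"{name}: raw={raw!r} base64-decoded={decoded!r}")
```

Running this over logged requests shows which parameters actually carry encoded content, so the transformation can be applied to those arguments rather than to ARGS as a whole.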