I think you have two choices:

1 - Call the rule also into <Directory>
2 - Put SecUpdateTargetByID in the main context.

This is a known issue: https://github.com/SpiderLabs/ModSecurity/issues/89



On Thu, Aug 8, 2013 at 2:59 PM, Kelvin Yang <KYang@appsecinc.com> wrote:
Hello everyone,

I am new to modsecurity and would like some help. I am trying to fix a false positive using SecRuleUpdateTargetById.

My modsecurity is 2.6.8 and I am using OWASP CRS 2.2.5 on CentOS.

Following https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#wiki-SecRuleUpdateTargetById, I have the following in a file called modsecurity_crs_15_customrules.conf.

<Directory "/var/www/mywebsite/">
SecRuleUpdateTargetById 981172 "!REQUEST_COOKIES:/_cookietoignore_/"

No matter how I slice it, I cannot get this to work with modsecurity_crs_15 customrules.conf file. I tried it with the directive and without and nothing worked. After awhile, I decided to put the rule (without the directive) in mod_security.conf under /etc/httpd/. Putting the rule in mod_security.conf worked. Modsecurity ignores the cookie.

Does anyone know why the customrules config file is not working? I can confirm that mod_security.conf has an include for the file so it is reading it.

Thank you,

Get 100% visibility into Java/.NET code with AppDynamics Lite!
It's a free troubleshooting tool designed for production.
Get down to code-level detail for bottlenecks, with <2% overhead.
Download for free and get started troubleshooting in minutes.
mod-security-users mailing list
Commercial ModSecurity Rules and Support from Trustwave's SpiderLabs: