[mod-security-users] ModSecurity 2.5.5 and Wordpress 2.5.1 issue

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

I'm getting these 2 errors with modsecurity 2.5.5 and Wordpress 2.5.1

[Sun Jun 22 11:07:54 2008] [error] [client 192.168.1.1] ModSecurity:
Warning. Operator EQ matched 0 at GLOBAL. [file
"/etc/modsecurity/modsecurity_crs_30_http_policy.conf"] [line "120"] [id
"960903"] [msg "ModSecurity does not support content encodings"] [severity
"WARNING"] [hostname "www.bloglocal.com"] [uri
"/wp-includes/js/tinymce/tiny_mce_config.php"] [unique_id
"NLEVC38AAQEAABnaA2MAAAAF"]

[Sun Jun 22 11:08:57 2008] [error] [client 192.168.1.1] ModSecurity:
Warning. Pattern match
"(?:\\b(?:(?:type\\b\\W*?\\b(?:text\\b\\W*?\\b(?:j(?:ava)?|ecma|vb)|application\\b\\W*?\\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\\b.{0,100}?\\bsrc)\\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|d
..." at ARGS:content. [file
"/etc/modsecurity/modsecurity_crs_40_generic_attacks.conf"] [line "102"] [id
"950004"] [msg "Cross-site Scripting (XSS) Attack"] [data "src=\\x22http:"]
[severity "CRITICAL"] [tag "WEB_ATTACK/XSS"] [hostname "www.bloglocal.com"]
[uri "/wp-admin/admin-ajax.php"] [unique_id "OHc3nX8AAQEAABncBMkAAAAH"]

--------------------------
The first one corresponds to:

SecRule RESPONSE_HEADERS:Content-Encoding "!^Identity$" \
    "phase:4,t:none,pass,log,auditlog,msg:'ModSecurity does not support
content encodings',id:'960903',severity:'4',chain,initcol:global=global"
SecRule &GLOBAL:alerted_960903_compression "@eq 0"
"setvar:global.alerted_960903_compression"

aka: Outbound compressed content will be logged once, to alert the user

Should I just ignore this?
--------------------------

The second one corresponds to:

#
# XSS
#
SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES
"(?:\b(?:(?:type\b\W*?\b(?:text\b\W*?\b(?:j(?:ava)?|ecma|vb)|application\b\W*?\bx-(?:java|vb))script|c(?:opyparentfolder|reatetextrange)|get(?:special|parent)folder|iframe\b.{0,100}?\bsrc)\b|on(?:(?:mo(?:use(?:o(?:ver|ut)|down|move|up)|ve)|key(?:press|down|up)|c(?:hange|lick)|s(?:elec|ubmi)t|(?:un)?load|dragdrop|resize|focus|blur)\b\W*?=|abort\b)|(?:l(?:owsrc\b\W*?\b(?:(?:java|vb)script|shell|http)|ivescript)|(?:href|url)\b\W*?\b(?:(?:java|vb)script|shell)|background-image|mocha):|s(?:(?:tyle\b\W*=.*\bexpression\b\W*|ettimeout\b\W*?)\(|rc\b\W*?\b(?:(?:java|vb)script|shell|http):)|a(?:ctivexobject\b|lert\b\W*?\(|sfunction:))|<(?:(?:body\b.*?\b(?:backgroun|onloa)d|input\b.*?\btype\b\W*?\bimage)\b|
?(?:(?:script|meta)\b|iframe)|!\[cdata\[)|(?:\.(?:(?:execscrip|addimpor)t|(?:fromcharcod|cooki)e|innerhtml)|\@import)\b)"
\

"phase:2,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'Cross-site
Scripting (XSS)
Attack',id:'950004',tag:'WEB_ATTACK/XSS',logdata:'%{TX.0}',severity:'2'"

Can I put a line like this before it to prevent this error from coming up?
SecRule REQUEST_URI "^/wp-admin/" nolog,pass,skip:1
--------------

Thanks in advance!
Cassy