[Mod-security-report-false-positives] Rule ID 981244
From: Ryan B. <RBa...@tr...> - 2012-02-13 18:07:18
There is a page on our website called Individual... ModSecurity is generating a false positive because the page name contains the word div; I have included the logs below. Is there any way to exclude a parameter from a rule if it contains a certain text string? I know this won't work, but it is an example of what I am trying to do:

SecRuleUpdateTargetById 981244 !ARGS:pageType "@contains div"

Message: Warning. Pattern match "(?i:(?:\\d(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s+\\d)|(?:^admin\\s*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)|(\\/\\*)+(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)+\\s?(?:--|#|\\/\\*|{)?)|(?:(\"|'| ..." at ARGS:pageType. [file "/etc/apache2/modsecurity_crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "533"] [id "981244"] [msg "Detects basic SQL authentication bypass attempts 1/3"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]

Message: Warning. Pattern match "(?i:(?:(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\s*\\*.+(?:x?or|div|like|between|and|id)\\W*(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)\\d)|(?:\\^(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98))|(?:^[\\w\\s(\"|'|`|\xc2\xb4|\xe2\x80\x99|\xe2\x80\x98)-]+( ..." at ARGS:pageType. [file "/etc/apache2/modsecurity_crs/modsecurity_crs_41_sql_injection_attacks.conf"] [line "573"] [id "981243"] [msg "Detects classic SQL injection probings 2/2"] [data "div"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQLI"] [tag "WEB_ATTACK/ID"] [tag "WEB_ATTACK/LFI"]

Message: Warning. Operator GE matched 5 at TX:inbound_anomaly_score. [file "/etc/apache2/modsecurity_crs/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 13, SQLi=, XSS=): 981243-Detects classic SQL injection probings 2/2"]

Apache-Handler: proxy-server
Stopwatch: 1326169975607617 51819 (- - -)
Stopwatch2: 1326169975607617 51819; combined=4777, p1=174, p2=4443, p3=1, p4=59, p5=100, sr=45, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
Producer: ModSecurity for Apache/2.6.0 (http://www.modsecurity.org/); core ruleset/2.2.3.
Server: Apache/2.2.17 (
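
Added example, not part of the original post or of the CRS: two ways to write the exclusion asked about, covering both SQLi rules that matched ARGS:pageType in the log (981244 and 981243), since removing only one of them still leaves a CRITICAL match that adds to the anomaly score. The rule id 1000001 and the letters-only pattern are assumptions chosen for illustration.

```apache
# Added example (not from the original post or the CRS).

# --- Option A: unconditional target exclusion ------------------------------
# SecRuleUpdateTargetById takes a rule id and a target list only; it has no
# operator argument, which is why the "@contains div" form cannot be used.
# Load these lines AFTER the CRS files are included, so the rules exist.
# Effect: 981244 and 981243 never inspect pageType; all other parameters and
# all other rules are unchanged.
SecRuleUpdateTargetById 981244 "!ARGS:pageType"
SecRuleUpdateTargetById 981243 "!ARGS:pageType"

# --- Option B: conditional, decided per request -----------------------------
# Load this BEFORE the CRS files so it runs first in phase 2.
# Condition: exactly one pageType parameter, made of letters only. A value
# like that cannot carry the quote characters the two patterns look for.
# A "contains" test would be unsafe here: any request that included the
# trigger word anywhere in the value would switch the rules off.
# The "@eq 1" count check stops a second, non-matching pageType parameter
# from riding along with a clean one.
# Trade-off: ctl:ruleRemoveById drops the two rules for the WHOLE request,
# so other parameters in that request are not checked by them either.
# id 1000001 is a constructed value; pick one from your local range.
SecRule &ARGS:pageType "@eq 1" \
    "chain,id:1000001,phase:2,t:none,nolog,pass"
    SecRule ARGS:pageType "@rx ^[A-Za-z]+$" \
        "t:none,ctl:ruleRemoveById=981244,ctl:ruleRemoveById=981243"
```

Use one option, not both. After the change, replay the request for the affected page and confirm that the audit log no longer lists 981244 or 981243 for ARGS:pageType and that the 981204 correlation entry is gone.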