[mod-security-users] REQUEST_COOKIES_NAMES:/regex/ does not work
From: Eric W. <mod...@li...> - 2018-04-02 19:43:48
Hello all,
We've been scratching our heads trying to whitelist Google cookies that
are breaking some sites. The rule we are hitting is:
SecRule REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b" \
"phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,log,auditlog,msg:'SQL Injection Attack',id:'1234123413',tag:'WEB_ATTACK/SQL_INJECTION',logdata:'%{TX.0}',severity:'2'"
This is the cookie:
Cookie: _gac_UA-5521579-1=1.1522352332.EAlalQobChMI5trKIKSS2gIV0IKzCh2vIQeDEAAYASAAEgICPPD_8wE
This is the error that we are getting:
[Mon Apr 02 15:21:20.137112 2018] [:error] [pid 7908:tid 140248145336064] [client 24.20.122.25] ModSecurity: Warning. Pattern match "\\\\b(\\\\d+) ?= ?\\\\1\\\\b|[\\\\'\\"](\\\\w+)[\\\\'\\"] ?= ?[\\\\'\\"]\\\\2\\\\b" at REQUEST_HEADERS:Cookie. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "98"] [id "1234123413"] [msg "SQL Injection Attack"] [data "1=1"] [severity "CRITICAL"] [tag "WEB_ATTACK/SQL_INJECTION"] [hostname "example.com"] [uri "/"] [unique_id "WsKCsMYURboAAB7kVSwAAADA"]
We have tried the following, but none have worked:
SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES_NAMES:/_gac_UA-5521579-1/"
SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES:/_gac_UA-5521579-1/"
SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:/_gac_UA-5521579-1/"
SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES_NAMES:_gac_UA-5521579-1"
SecRuleUpdateTargetById 1234123413 "!REQUEST_COOKIES:_gac_UA-5521579-1"
Interestingly, these two work, but are of course too permissive:
SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:/./"
SecRuleUpdateTargetById 1234123413 "!REQUEST_HEADERS:Cookie"
We are running ModSecurity 2.9.0 under WHM 58.0.52.
Can anyone suggest a way to solve this?
Thank you for your help!
--
Eric Wheeler
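Editor's added example (not part of the thread and not ModSecurity's own code): a small Python model of how the rule above is evaluated. It derives the same variables ModSecurity would from the request headers (REQUEST_HEADERS:Cookie as the raw header, plus REQUEST_COOKIES / REQUEST_COOKIES_NAMES parsed from it), applies an approximation of the rule's transformation chain and regex, and then applies SecRuleUpdateTargetById-style exclusions against the rule's target list. The cookie value is the one from the post; the cookie parsing and the transformation chain are simplified assumptions.

```python
import re
from urllib.parse import unquote

# Regex and positive targets of rule 1234123413 from the post (XML:/* omitted).
RULE_REGEX = re.compile(r"\b(\d+) ?= ?\1\b|[\'\"](\w+)[\'\"] ?= ?[\'\"]\2\b")
RULE_TARGETS = ("REQUEST_HEADERS",)

# Constructed request headers carrying the cookie from the post.
HEADERS = {
    "Cookie": "_gac_UA-5521579-1=1.1522352332."
              "EAlalQobChMI5trKIKSS2gIV0IKzCh2vIQeDEAAYASAAEgICPPD_8wE",
}

def transform(value):
    # Approximation of t:urlDecodeUni,t:replaceComments,t:compressWhiteSpace,t:lowercase
    value = re.sub(r"/\*.*?\*/", " ", unquote(value), flags=re.S)
    return re.sub(r"\s+", " ", value).lower()

def build_targets(headers):
    # REQUEST_HEADERS:<name> holds the raw header; cookies are parsed out of it
    targets = {f"REQUEST_HEADERS:{k}": v for k, v in headers.items()}
    for part in headers.get("Cookie", "").split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            targets[f"REQUEST_COOKIES:{name}"] = val
            targets[f"REQUEST_COOKIES_NAMES:{name}"] = name
    return targets

def excluded(target, exclusion):
    # '!COLL:name' / '!COLL:/regex/' drops a target only when the collection
    # matches and the selector matches the variable NAME, never its value.
    coll, _, sel = exclusion.lstrip("!").partition(":")
    tcoll, _, tname = target.partition(":")
    if coll != tcoll:
        return False
    if len(sel) > 1 and sel[0] == sel[-1] == "/":
        return re.search(sel[1:-1], tname) is not None
    return sel.lower() == tname.lower()

def evaluate(headers, exclusions=()):
    # (target, matched text) for every variable the rule still fires on
    hits = []
    for target, value in build_targets(headers).items():
        if target.partition(":")[0] not in RULE_TARGETS:
            continue  # the rule never inspects REQUEST_COOKIES* at all
        if any(excluded(target, e) for e in exclusions):
            continue
        if m := RULE_REGEX.search(transform(value)):
            hits.append((target, m.group(0)))
    return hits
```

Running it reproduces the `[data "1=1"]` hit on REQUEST_HEADERS:Cookie (the `-1=1.` inside the cookie value), and shows that only exclusions naming a header the rule actually inspects, such as `!REQUEST_HEADERS:Cookie`, remove that target.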