Hi all,
I'm new at modsec rules, but I'm fairly certain I've tried all I can on this one. Upgraded to 3.0.2 to get the various fixes there, and have created the rule chain below. The intention is to ignore all instances of the parameter TermURL (whether GET or POST at the moment) for all other rules with the attack-sqli/rce/xss tag set.
The below is listed above all the CRS rules in the configuration.
I suspect the tags should be quoted, as I see tags are quoted in other examples - but that gives an error.

    SecRule REQUEST_URI "@beginsWith /mdpayacs/pareq" \
        "phase:1,id:1003,t:none,pass,nolog,chain,\
        ctl:ruleRemoveTargetByTag=attack-sqli;ARGS:TermURL,\
        ctl:ruleRemoveTargetByTag=attack-rce;ARGS:TermURL,\
        ctl:ruleRemoveTargetByTag=attack-xss;ARGS:TermURL"
        SecRule ARGS:TermURL "@beginsWith http" "t:none"

Can anyone help me determine what is wrong here? I'm still being flooded with notifications despite the above.
Wbr
/Eirik