ModSecurity rules and false positives - Joomla! Forum - community, help and support
Hi folks,
From time to time I recheck security vulnerabilities and ways to stay protected. Today I reviewed the ModSecurity configuration on my server and test machines. Both have Joomla 2.5.8 installs running fine on Ubuntu 10.04 and 12.04 with mod_evasive and mod_security enabled in Apache2.
Reading recent articles on ModSecurity, I decided to try the updated rules, configured in /etc/apache2/conf.d/security. The working rules reside in /etc/apache2/mod_security_rules/*.conf, and the new ones (updated today) are put in /etc/apache2/rules/*.conf and /etc/apache2/rules/base_rules/*.conf.
Every time I try to use the new rules I am unable to log on to the admin area, generating a 403 error, and the server log produces the following message:
modsecurity: access denied code 403 (phase 2) ... many things later... file "/etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "171"] [id "981173"] [rev "2.2.5"] [msg "restricted sql character anomaly detection alert - total # of special characters exceeded"]...
Looking at the /etc/modsecurity/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf file, I see:
# [ SQL injection character anomaly usage ]
#
# These rules attempt to gauge when there is excessive use of
# meta-characters within a single parameter payload.
#
# False positive instances are possible with free-form text fields.
# Adjust the @ge operator value appropriately for your site. Increasing
# the score will reduce false positives but may decrease detection of
# obfuscated attack payloads.
#
secrule request_cookies|!request_cookies:/__utm/|request_cookies_names "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>]$
secrule args_names|args|xml:/* "([\~\!\@\#\$\%\^\&\*\(\)\-\+\=\{\}\[\]\|\:\;\"\'\´\’\‘\`\<\>].*){4,}" "phase:2,t:none,t:urldecodeuni,$
This last secrule args_names|args|xml line is the one referred to as "line 171".
As my knowledge is not that of a master, I'd fancy some advice on how to solve this.
Has any of you passed through a similar problem?
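To find which request parameter trips a pattern of this shape, the following added example (not part of the original post, and not CRS code) re-applies the character class quoted above to every argument name and value of a constructed login POST body. The field names, sample values and the `flag_targets` helper are assumptions, and `parse_qsl` only approximates the rule's `t:urldecodeuni` transformation.

```python
import re
from urllib.parse import parse_qsl

# Special characters taken from the character class of the rule quoted above,
# rebuilt with re.escape so Python accepts every one of them inside [...].
SPECIALS = "~!@#$%^&*()-+={}[]|:;\"'´’‘`<>"
CLASS = "[" + re.escape(SPECIALS) + "]"

# Same shape as the rule's pattern: a special character followed by anything,
# repeated four or more times, i.e. four or more specials in ONE target.
# DOTALL is an assumption about how the WAF compiles its regular expressions.
RULE_RX = re.compile("(?:" + CLASS + ".*){4,}", re.DOTALL)


def flag_targets(body):
    """Return (target, text, specials_count) for each name/value the pattern matches.

    Targets are labelled the way the rule names them: ARGS_NAMES for the
    parameter name, ARGS for its decoded value.
    """
    hits = []
    for name, value in parse_qsl(body, keep_blank_values=True):
        for target, text in (("ARGS_NAMES:" + name, name), ("ARGS:" + name, value)):
            if RULE_RX.search(text):
                hits.append((target, text, len(re.findall(CLASS, text))))
    return hits


# Constructed sample (not taken from the post): a login form submission whose
# password happens to contain four special characters (@ - ! #).
SAMPLE_BODY = (
    "username=admin"
    "&passwd=P%40ss-w0rd%21%232013"
    "&option=com_login&task=login"
    "&return=aW5kZXgucGhw"
)

if __name__ == "__main__":
    for target, text, count in flag_targets(SAMPLE_BODY):
        print(f"{target} would match: {count} special characters in {text!r}")
```

Once the offending target is known, the false positive can be tuned for that one parameter rather than by disabling the whole rule.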