Disabling an entire mod_security rule because it triggers a false positive is not a good idea. Often the rule is triggered only by one particular argument. In that case it is better to update the rule so that it skips only the argument causing the false positive. You can do this with the SecRuleUpdateTargetById configuration directive:

SecRuleUpdateTargetById $RULE_ID !ARGS:'$ARGUMENT'

With this in place, mod_security will not apply rule $RULE_ID to argument $ARGUMENT.

NOTE: I found that single quotes were required. The rule did not work when double quotes were used.

For example, I found that Google Campaign Experiments was double-encoding the utm_referrer argument, causing mod_security to trigger. I disabled the Multiple URL Encoding rule only for the utm_referrer argument using the configuration:

SecRuleUpdateTargetById 950109 !ARGS:'utm_referrer'
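
The contrast between the two approaches, as an added example rather than configuration from the original post. The Include path is an assumed location for the rule set, and the exclusion has to be read after the rule it modifies has been loaded:

```apache
# Added example. The Include path below is an assumption; use the path
# where your rule set is actually installed.
<IfModule security2_module>
    # Load the rules first: SecRuleUpdateTargetById only affects a rule
    # that is already defined when the directive is read.
    Include /etc/modsecurity/rules/*.conf

    # Too broad: removes rule 950109 for every argument of every request.
    # SecRuleRemoveById 950109

    # Scoped: rule 950109 still inspects all other arguments; only
    # utm_referrer is dropped from its target list.
    SecRuleUpdateTargetById 950109 !ARGS:'utm_referrer'
</IfModule>
```

After reloading, a double-encoded value sent in any argument other than utm_referrer should still be logged under rule 950109, which confirms the exclusion stayed narrow.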