[Modsecurity] Help with false positive please

Who Knows quien-sabe at metaorg.com
Sun May 7 15:09:53 EDT 2006


Who Knows wrote:
> I attempted to reply to a PNphpBB2 forum message with the following 
> contents:
> "the word from working in quick reply does it work here too?"
> The audit record and rule are shown below.
> It is easy to see why rule 300016 triggered, because any post reply to 
> the PNphpBB2 postnuke forum will trigger 300016 if it contains the 
> word or sequence of characters "from".
>
> What I don't understand is why it reached rule 300016 initially since 
> rule 300015 chains to 300016.
> Doesn't that mean rule 300016 is only evaluated if rule 300015 is a 
> hit? Or am I simply mistaken?
>
> There is an exclusion in exclude.conf:
> #PhpBB posting
> <LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
> SecFilterRemove 300013
> </LocationMatch>
>
> I changed it to:
> #PhpBB posting
> <LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
> SecFilterRemove 300013
> SecFilterRemove 300016
> </LocationMatch>
>
> And I am still getting the audit hits. I expect the LocationMatch 
> syntax isn't right, and I am continuing to test, but if anyone has 
> some words of wisdom I would appreciate it.
> I already had to turn security off for one entire virtual host until I 
> resolve this issue.

Okay, I found the answer to the LocationMatch issue (I think), but if
my answer is correct, many of the current exclusions are not working and
we'll find it quite difficult to create precise exclusions. According to
a post regarding LocationMatch in another problematic expression, it was
noted that "<LocationMatch> directive does not look at the query string
as part of the URL"; therefore the above and MANY other exclusions are
not working.
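
As an added example (not part of the original message and not ModSecurity code), this Python sketch audits an exclusion file for `<LocationMatch>` blocks whose pattern was written to match a query string, on the premise quoted above that the directive is compared with the URL path only. The second configuration block, the request URI and the function names are constructed for illustration, and Python's `re` stands in for Apache's regex engine.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the first block is the exclusion quoted in the message,
# the second is a hypothetical path-only exclusion for contrast.
SAMPLE_CONF = '''\
#PhpBB posting
<LocationMatch "/index.php?name=PNphpBB2&file=posting&mode=reply.*">
SecFilterRemove 300013
SecFilterRemove 300016
</LocationMatch>
<LocationMatch "^/forum/admin/.*">
SecFilterRemove 300013
</LocationMatch>
'''
# Constructed request URI for a forum reply.
SAMPLE_URI = "/index.php?name=PNphpBB2&file=posting&mode=reply&t=1"

BLOCK = re.compile(r'<LocationMatch\s+"?([^">]+)"?\s*>(.*?)</LocationMatch>', re.S | re.I)
REMOVE = re.compile(r'^\s*SecFilterRemove\s+(.+)$', re.M | re.I)
# Heuristic: "?key=" or "&key=" in a pattern means it was written for a query string.
QUERY_HINT = re.compile(r'[?&][\w.-]+=')


def matched_by_location(pattern, request_uri):
    """Test the pattern the way the message describes: against the path only."""
    return re.search(pattern, urlsplit(request_uri).path) is not None


def audit_exclusions(conf_text):
    """Return (pattern, removed_rule_ids, suspect) per LocationMatch exclusion."""
    findings = []
    for pattern, body in BLOCK.findall(conf_text):
        ids = [i for args in REMOVE.findall(body) for i in args.split()]
        if ids:
            findings.append((pattern, ids, bool(QUERY_HINT.search(pattern))))
    return findings


if __name__ == "__main__":
    for pattern, ids, suspect in audit_exclusions(SAMPLE_CONF):
        applies = matched_by_location(pattern, SAMPLE_URI)
        note = "SUSPECT: targets query string" if suspect else "path-only pattern"
        print(f"{pattern}\n  removes {ids}; {note}; applies to sample reply: {applies}")
```

The quoted pattern also leaves `?` unescaped, so as a regex it makes the preceding `p` optional instead of matching a literal question mark.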
