Just wanted to share my mod_security local rules that help it play nice with Drupal.

The following rules I've placed in modsecurity_localrules.conf in my mod_security directory (located in /etc/httpd/modsecurity.d on Fedora and CentOS). I'm using Fedora 11, with Apache 2.2.13, mod_security 2.5.10, and Core Rule Set (CRS) 2.0.2:

# Drupal rules

# Drupal 6 ajax admin pages
#
SecRule REQUEST_URI ".*admin/build/views/ajax/.*" phase:1,log,pass,ctl:ruleEngine=Off
SecRule REQUEST_URI ".*admin/settings/gmap_location$" phase:1,log,pass,ctl:ruleEngine=Off

# Drupal System CSS pages
#
SecRule REQUEST_URI "/modules/system/.*" phase:1,log,pass,ctl:ruleEngine=Off

# Drupal node editing (FIXME - too loose. Tighten up)
#
SecRule REQUEST_URI "/node/.*/edit" phase:1,log,pass,ctl:ruleEngine=Off

# Fix some Drupal posting stuff in phpids (remove 'name' from regex)
#
SecRule REQUEST_BODY|REQUEST_URI_RAW|XML:/* "([^*:\s\w,.\/?+-]\s*)?(?<![a-z]\s)(?<![a-z\/_@>\|])(\s*return\s*)?(?:hash|href|navigateandfind|source|pathname|close|constructor|port|protocol|assign|replace|back|forward|document|ownerdocument|window|self|parent|frames|_?content|date|cookie|innerhtml|innertext|csstext+?|outerhtml|print|moveby|resizeto|createstylesheet|stylesheets)(?(1)[^\w%\"]|(?:\s*[^@\/\s\w%,.+\-]))" "phase:2,capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:replaceComments,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,nolog,auditlog,msg:'Detects JavaScript object properties and methods',id:'phpids-local_17',tag:'WEB_ATTACK',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+20,setvar:tx.%{rule.id}-WEB_ATTACK-%{matched_var_name}=%{matched_var}"
SecRuleRemoveById phpids-17
 
# Remove tight security rule (prohibits http|ftp in comments forms)
SecRuleRemoveById 950117

Watch the line wrap on those rules. The phpids-17 rule you should probably just copy from base_rules/modsecurity_crs_41_phpids_filters.conf.

These rules may be a little too loose for your taste, but they will get a basic Drupal site working with mod_security. If you have more modules enabled you will probably have to tweak them a little more, but these should get you started.

Hope this helps.

Regards,
Flux aka Andy
Co-Founder, Music Integrated Clothing
http://www.miclothing.com
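
Added example, not part of the original post: a small audit of the four ctl:ruleEngine=Off exclusions above, showing which request URIs they switch the engine off for compared with an anchored, path-only variant. The tightened patterns, the sample URIs, and the assumption that Drupal sits at the web root with clean URLs are illustrative and do not come from the post.

```python
import re
from urllib.parse import urlsplit

# REQUEST_URI patterns exactly as posted; each match sets ctl:ruleEngine=Off.
POSTED = [
    r".*admin/build/views/ajax/.*",
    r".*admin/settings/gmap_location$",
    r"/modules/system/.*",
    r"/node/.*/edit",
]

# Assumed tightening (not from the post): anchored, and tested against the
# path only, which is what ModSecurity's REQUEST_FILENAME variable holds.
TIGHTENED = [
    r"^/admin/build/views/ajax/",
    r"^/admin/settings/gmap_location$",
    r"^/modules/system/[^/]+\.css$",
    r"^/node/[0-9]+/edit$",
]

# Constructed sample request URIs (not taken from any real log).
SAMPLES = [
    "/node/42/edit",
    "/admin/build/views/ajax/preview/frontpage",
    "/modules/system/system.css?v=3",
    "/node/42?destination=/node/1/edit",
    "/search/node/how-to/edit",
    "/sites/all/modules/system/README.txt",
    "/node/42",
]

def engine_off(uri, patterns, path_only):
    """True if any exclusion matches, i.e. the rule engine would be disabled."""
    target = urlsplit(uri).path if path_only else uri
    # re.search mirrors the unanchored matching of ModSecurity's @rx operator.
    return any(re.search(p, target) for p in patterns)

def audit(uris):
    """Map each URI to (posted exclusions hit, tightened exclusions hit)."""
    return {u: (engine_off(u, POSTED, False), engine_off(u, TIGHTENED, True))
            for u in uris}

def over_broad(uris):
    """URIs that lose all inspection under the posted rules only."""
    return [u for u, (posted, tight) in audit(uris).items() if posted and not tight]

if __name__ == "__main__":
    for uri, (posted, tight) in audit(SAMPLES).items():
        print(f"{uri:45} posted={posted!s:5} tightened={tight}")
```

Because REQUEST_URI includes the query string and the posted patterns are unanchored, the exclusions also fire when the text appears in a parameter or deeper in the path; the anchored variants still cover the three intended pages.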