SecRule 950107
2008-02-05 20:59:28 GMT
Greetings,
I recently began running into these error messages in my apache logs, and have tracked the blocking of the traffic to this rule-set. This has not been happening until recently and it appears that clearing cookies resolves the problem.
My question is if it is in fact a cookie that is causing the problem, how do I narrow down what Cookie it is?
I am trying to get to the root cause instead of just disabling Rule Sets, but I am not sure how this one is working or what cookies could be causing the problem. I have looked on the web but have not found much information other than shutting the rule off.
[Tue Feb 05 09:48:49 2008] [error] [client 65.206.42.2] ModSecurity: Access denied with code 400 (phase 2). Pattern match "\\\\%(?!$|\\\\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at REQUEST_HEADERS:Cookie. [id "950107"] [
# Check decodings
#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "@validateUrlEncoding" \
# "chain, deny,log,auditlog,status:400,msg:'URL Encoding Abuse Attack Attempt',,id:'950107',severity:'4'"
#SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS|XML:/*|!REQUEST_HEADERS:Referer "\%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})"
Corey M. Bobb
Data Center Manager
Cygnus eTransactions Group Inc.
300 Colonial Center Parkway
Suite 150
Lake Mary, FL 32746
Phone: 321.445.2150
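One way to narrow down the cookie, as an added example that is not part of the original post or of the ModSecurity rule set: run the second pattern of the chained rule quoted above over a captured raw Cookie header and map each hit back to the cookie that contains it. The function name and the sample header are constructed for illustration, and Python's `re` is assumed to behave like PCRE for this pattern when `\W` is kept ASCII-only.

```python
import re

# Second pattern of chained rule 950107 as quoted in the post. re.ASCII keeps \W
# ASCII-only, matching PCRE's default behaviour (assumption: no UTF-8 mode).
BAD_PERCENT = re.compile(r"%(?!$|\W|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})", re.ASCII)


def offending_cookies(cookie_header):
    """Return (cookie_name, offset_in_header, context) for each '%' the pattern flags.

    The rule sees the whole header value, so the regex is run over the whole
    header and every hit is then attributed to the name=value pair it falls in.
    """
    # Record where each "name=value" pair sits inside the raw header.
    spans = []
    pos = 0
    for pair in cookie_header.split(";"):
        name = pair.split("=", 1)[0].strip()
        spans.append((pos, pos + len(pair), name))
        pos += len(pair) + 1  # step over the ';' separator

    hits = []
    for match in BAD_PERCENT.finditer(cookie_header):
        off = match.start()
        name = next(n for start, end, n in spans if start <= off < end)
        context = cookie_header[max(0, off - 10):off + 6]
        hits.append((name, off, context))
    return hits


# Constructed sample header (hypothetical cookie names, not traffic from the post).
# Only "promo" carries a '%' that is not followed by two hex digits, uXXXX,
# a non-word character, or the end of the header.
SAMPLE = "session=abc123; promo=50%off; ref=a%20b; lang=en%u0041; tail=100%"

if __name__ == "__main__":
    for name, off, ctx in offending_cookies(SAMPLE):
        print(f"cookie {name!r}: bad '%' at header offset {off}: ...{ctx}...")
```
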