Forgot to post the rules I'm testing:

<rule id="130117" level="7">
  <if_sid>30101</if_sid>
  <regex>^[error] [client \S+ mod_security: Access denied with code 500.</regex>
  <description>Attempt to access forbidden by Mod Security.</description>
</rule>

<rule id="130118" level="14" frequency="6" timeframe="120">
  <if_matched_sid>130117</if_matched_sid>
  <same_source_ip />
  <description>Multiple attempts blocked by Mod Security</description>
</rule>
