erratic http error code: msg#00127

apache.mod-security.user

Subject: erratic http error code

Hi,

I've got a problem with one of my modsecurity2 rules, though I'm not
sure if this is my error or even a bug.

Here's my setup: Apache2.0.54 on Debian Etch (pre3.2) with
modsecurity2.0.4 from Alberto's deb-packages. I've seen the error
before, with modsecurity2.0.3 (the "stable" download) that I compiled
myself.

Here's my DefaultAction:

SecDefaultAction log,auditlog,deny,status:400,\
phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace

Please note the status:400!


Now I've written a rule to protect a very old guestbook from spam:

<Location "/spanien/guest/guest.php">
SecRule ARGS "http"\
"deny,log,id:66023,severity:5,msg:'Spam',exec:/etc/modsecurity/ip-blacklist.pl"
</Location>

The rule is a bit harsh, I know - but it is effective if you let your
real visitors know not to post any links.

Now the problem: Modsecurity2 blocks hits for that rule with status 403,
not with the predefined status 400. Here's what my logcheck report looks
like:

[Fri Nov 24 13:37:42 2006] [error] [client <SOMEIP>] ModSecurity: Access
denied with code 403 (phase 2). Pattern match "http" at ARGS:homepage.
[id "66023"] [msg "Spam"] [severity "NOTICE"] [hostname "<MYHOST>"] [uri
"/spanien/guest/guest.php"] [unique_id "czLZNH8AAAEAAFH@BRoAAAAE"]

I've already tried to redefine the status:400 in my rule, with no
effect. Could somebody please give me a hint? I'll be happy to post
relevant parts of audit.log, if necessary.

Regards,
Felix
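
The mismatch described in the message can be checked across a whole error log. The following is an added example, not part of the original post: it reads the status from the SecDefaultAction line and lists denials that were logged with a different code. The function names are hypothetical, and the sample input is constructed from the directive and log entry quoted above, with the mail-wrapped lines joined.

```python
import re

# Constructed sample input: the directive and log entry quoted in the post,
# with the mail-wrapped lines joined back into single lines.
DEFAULT_ACTION = ("SecDefaultAction log,auditlog,deny,status:400,"
                  "phase:2,t:lowercase,t:replaceNulls,t:compressWhitespace")
SAMPLE_LOG = (
    '[Fri Nov 24 13:37:42 2006] [error] [client <SOMEIP>] ModSecurity: Access '
    'denied with code 403 (phase 2). Pattern match "http" at ARGS:homepage. '
    '[id "66023"] [msg "Spam"] [severity "NOTICE"] [hostname "<MYHOST>"] [uri '
    '"/spanien/guest/guest.php"] [unique_id "czLZNH8AAAEAAFH@BRoAAAAE"]\n'
)

DENY_RE = re.compile(r"ModSecurity: Access denied with code (\d{3}) \(phase (\d)\)")
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')


def default_status(directive):
    """Return the status:NNN value of a SecDefaultAction line, or None."""
    m = re.search(r"\bstatus:(\d{3})\b", directive)
    return int(m.group(1)) if m else None


def parse_denials(log_text):
    """Yield one dict per 'Access denied' entry: code, phase, [key "value"] fields."""
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        entry = dict(FIELD_RE.findall(line))
        entry["code"] = int(m.group(1))
        entry["phase"] = int(m.group(2))
        yield entry


def status_mismatches(directive, log_text):
    """List (rule id, uri, logged code) for denials whose code differs from the default."""
    expected = default_status(directive)
    return [(e.get("id"), e.get("uri"), e["code"])
            for e in parse_denials(log_text) if e["code"] != expected]


if __name__ == "__main__":
    for rule_id, uri, code in status_mismatches(DEFAULT_ACTION, SAMPLE_LOG):
        print(f"rule {rule_id} on {uri}: denied with {code}, "
              f"default is {default_status(DEFAULT_ACTION)}")
```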
