turning off filter for xml in post payload

It seems this rule is trapping xml in postpayloads,

SecRule REQUEST_FILENAME|ARGS|ARGS_NAMES|REQUEST_HEADERS "(?:(?:\b(?:f(?:tp_(?:nb_)?f?(?:ge|pu)t|get(?:s?s|c)|scanf|write|open|read)|gz(?:(?:encod|writ)e|compress|open|read)|s(?:ession_start|candir)|read(?:(?:gz)?file|dir)|move_uploaded_file|(?:proc_|bz)open)|\$_(?:(?:pos|ge)t|session))\b|<\?)" \

        "auditlog,id:50013,phase:2,severity:4,msg:'(default/generic_attacks.conf) PHP Injection Attack'"

is there a way to add to allow xml of <?xml in that rule or would this be correct ?


#SecRule !ARGS:TNO "chain,auditlog,id:50013,severity:4,msg:'(custom.conf) PHP Injection Attack'"
SecRule ARGS:TNO "!(<\?xml)" "chain,auditlog,id:50013,severity:4,msg:'(custom.conf) PHP Injection Attack'"

the first one didnt work

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV_______________________________________________
mod-security-users mailing list
mod-security-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/mod-security-users