Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Whitelisting an "always" false positive argument
Unread postPosted: Sun Jul 15, 2012 1:45 pm 
Hello

I have to deal with false positives customization...

For the exception based on LocationMatch + SecRuleRemoveById, no problems!
But when I need to whitelist a POST/GET parameter, I run into trouble.

I tried many possibilities but none of them succeeded. (Apache restarts, but my whitelisted argument is not taken into account; it is still filtered.)

The argument I want to blacklist is "msg" (as you can imagine, it's the content of a message posted by a user, so it may contain many false positives due to smileys, HTML codes, etc.)

Below are some rules I actually put in my exception file:
SecRule REQUEST_FILENAME " @streq /" "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=*;ARGS:msg"
(not working, arg msg still filtered)

or
SecRule REQUEST_FILENAME "@streq /" "phase:1,t:none,nolog,pass,ctl:ruleRemoveById=000000-999999;ARGS:msg"
(doesn't work)

SecRuleUpdateTargetById * "!ARGS:msg"
(not working)

SecRuleRemoveByMsg .*SQL.* "ARGS:msg"
(this one works but has the side effect of removing SQL detection for all the pages)

So as you understood, I need to fully whitelist an argument and I can't; any help would be really appreciated.
For your information, I can't whitelist the Location, as it is an index.php file with many functions in the backend.

Thanks in advance.
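
An added example, not part of the original post or Atomicorp's rule set: this Python script reads ModSecurity 2.x error-log lines, collects the IDs of the rules that fired on exactly `ARGS:msg`, and emits one `ctl:ruleRemoveTargetById` exclusion per URI, so only those rules stop inspecting that argument. The log lines, rule IDs 900101-900104, host and file names, and the `first_id` base of 1000 are constructed for illustration, and it assumes a ModSecurity build that supports the `ruleRemoveTargetById` ctl option.

```python
import re
from collections import defaultdict

# Constructed Apache error_log lines in ModSecurity 2.x format.
# Rule IDs, messages, paths and hosts are sample values, not real ASL rules.
SAMPLE_LOG = r'''
[Sun Jul 15 13:40:01 2012] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:union.+select)" at ARGS:msg. [file "/etc/httpd/modsecurity.d/sample.conf"] [line "52"] [id "900101"] [msg "Sample SQLi rule"] [hostname "example.test"] [uri "/index.php"] [unique_id "AAAA"]
[Sun Jul 15 13:40:07 2012] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<img" at ARGS:msg. [file "/etc/httpd/modsecurity.d/sample.conf"] [line "77"] [id "900102"] [msg "Sample XSS rule"] [hostname "example.test"] [uri "/index.php"] [unique_id "AAAB"]
[Sun Jul 15 13:41:15 2012] [error] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Pattern match "(?i:union.+select)" at ARGS:msg. [file "/etc/httpd/modsecurity.d/sample.conf"] [line "52"] [id "900101"] [msg "Sample SQLi rule"] [hostname "example.test"] [uri "/index.php"] [unique_id "AAAC"]
[Sun Jul 15 13:42:30 2012] [error] [client 192.0.2.12] ModSecurity: Access denied with code 403 (phase 2). Pattern match "[^0-9]" at ARGS:msgid. [file "/etc/httpd/modsecurity.d/sample.conf"] [line "90"] [id "900103"] [msg "Sample numeric rule"] [hostname "example.test"] [uri "/index.php"] [unique_id "AAAD"]
[Sun Jul 15 13:43:02 2012] [error] [client 192.0.2.12] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<script" at ARGS:user. [file "/etc/httpd/modsecurity.d/sample.conf"] [line "95"] [id "900104"] [msg "Sample XSS rule 2"] [hostname "example.test"] [uri "/index.php"] [unique_id "AAAE"]
[Sun Jul 15 13:44:10 2012] [error] [client 192.0.2.13] ModSecurity: Access denied with code 403 (phase 2). Pattern match "<img" at ARGS:msg. [file "/etc/httpd/modsecurity.d/sample.conf"] [line "77"] [id "900102"] [msg "Sample XSS rule"] [hostname "example.test"] [uri "/forum/post.php"] [unique_id "AAAF"]
'''

# Captures the matched variable ("at ARGS:msg."), the rule id and the request URI.
LINE_RE = re.compile(
    r'ModSecurity: .*? at (?P<target>\S+?)\. \[file .*?'
    r'\[id "(?P<id>\d+)"\].*?\[uri "(?P<uri>[^"]*)"\]')

def rules_hitting(log_text, target):
    """Map each URI to the sorted rule IDs that matched exactly `target`."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("target") == target:  # exact match: ARGS:msgid is not ARGS:msg
            hits[m.group("uri")].add(int(m.group("id")))
    return {uri: sorted(ids) for uri, ids in hits.items()}

def exclusion_rules(hits, target, first_id=1000):
    """One phase:1 rule per URI; it drops `target` from the listed rules only."""
    out = []
    for n, (uri, ids) in enumerate(sorted(hits.items())):
        if not re.fullmatch(r"/[\w./-]*", uri):
            continue  # skip unusual URIs instead of emitting a malformed directive
        ctls = ",".join(f"ctl:ruleRemoveTargetById={i};{target}" for i in ids)
        out.append(f'SecRule REQUEST_FILENAME "@streq {uri}" '
                   f'"id:{first_id + n},phase:1,t:none,nolog,pass,{ctls}"')
    return out

if __name__ == "__main__":
    print("\n".join(exclusion_rules(rules_hitting(SAMPLE_LOG, "ARGS:msg"), "ARGS:msg")))
```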

