Ive been using modsecurity with your delayed ruleset to help protect my apache2 web server for some time now. Its been working great until just recently. I was thumbing through my servers web access logs and found some entries that are worrying me. My question is how can I write a new rule for modsec that will block this unauthorized access and how can I test to ensure the new rule is working. I suppose I could write a mod_rewrite rule for this if I had to, but I would much rather write a modsec rule for this. Thanks for your time.
The unauthorized access:
18.104.22.168 - - [22/Apr/2012:17:17:06 -0600] "GET http://5566.net/
HTTP/1.1" 200 9101
ModSecurity for Apache/2.6.1