SpiderLabs / owasp-modsecurity-crs

OWASP ModSecurity Core Rule Set (CRS) Project (Official Repository)
https://modsecurity.org/crs
Apache License 2.0

mod_security false alarm #12

Closed remotehelp closed 11 years ago

remotehelp commented 11 years ago

When getting some pages of the Joomla 1.5 CMS on the remoteshaman.com site, mod_security raises a false alarm in test mode ("SecRuleEngine DetectionOnly"):

--82e83c6c-A--
[05/Feb/2013:06:39:06 +0400] URBwyl2qgHIAADehGLYAAAAA 109.95.47.222 41573 127.0.0.1 81
--82e83c6c-B--
GET /index.php?option=com_content&view=article&id=139:bezvozvratnoe-udaleniezatiranieunichtozhenie-fajlovkatalogov-dannyxinformaczii-iz-konsoli&catid=1:defence&Itemid=65 HTTP/1.0
Host: remoteshaman.com
X-Real-IP: 109.95.47.222
Connection: close
User-Agent: Opera/9.80 (Windows NT 5.1; U; ru) Presto/2.10.229 Version/11.64
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1
Accept-Language: ru-RU,ru;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://remoteshaman.com/
Cookie: c95b573d4ece60267eebe4909c7dcf18=52+B+3+E4A11+95B5B11444A+04259585857415F15595551+F11+7+65A5A+C5B4045435545+D41415A40+B+15F124758464114+B14+7465946+95751+D112D686B7B77611C5B+0531446431B5E4D; jc_homepage=; 1fd4e15a49b554fa07c1f5692dbf224e=1; currentURI=http%3A%2F%2Fremoteshaman.com%2Findex.php%3Foption%3Dcom_community%26view%3Dvideos%26Itemid%3D59; 102d16838e890126ac58488e19aaad2d=h6bt6hg3utd65k30n25u37i1k1; activeProfile=64; b=b
Cache-Control: no-cache

--82e83c6c-F--
HTTP/1.1 200 OK
X-Powered-By: PHP/5.3.21
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Tue, 05 Feb 2013 02:39:06 GMT
Connection: close
Content-Type: text/html; charset=utf-8

--82e83c6c-H--
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:id: 139:bezvozvratnoe-udaleniezatiranieunichtozhenie-fajlovkatalogov-dannyxinformaczii-iz-konsoli"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:id.
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=1, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] Warning. Operator LT matched 5 at TX:inbound_anomaly_score.
Apache-Handler: fcgid-script
Stopwatch: 1360031946334718 414785 (- - -)
Stopwatch2: 1360031946334718 414785; combined=13942, p1=666, p2=13121, p3=0, p4=0, p5=155, sr=92, sw=0, l=0, gc=0
WAF: ModSecurity for Apache/2.7.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--82e83c6c-Z--

--36a9ea69-A--
[05/Feb/2013:06:39:12 +0400] URBw0F2qgHIAADejHWgAAAAC 66.249.75.136 57737 93.170.128.114 443
--36a9ea69-B--
GET /pt/index.php?option=com_content&view=article&id=129%3Aobnaruzhen-novyj-generator-virusov-diy&Itemid=118 HTTP/1.1
Host: remotehelp.pp.ua
Connection: Keep-alive
Accept: */*
From: googlebot(at)googlebot.com
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Accept-Encoding: gzip,deflate

--36a9ea69-F--
HTTP/1.1 301 Moved Permanently
Location: http://remoteshaman.com/pt/index.php?option=com_content&view=article&id=129%253Aobnaruzhen-novyj-generator-virusov-diy&Itemid=118
Content-Length: 416
Connection: close
Content-Type: text/html; charset=iso-8859-1

--36a9ea69-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://remoteshaman.com/pt/index.php?option=com_content&amp;view=article&amp;id=129%253Aobnaruzhen-novyj-generator-virusov-diy&amp;Itemid=118">here</a>.</p>
<hr>
<address>Apache Server at remotehelp.pp.ua Port 443</address>
</body></html>

--36a9ea69-H--
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:id: 129:obnaruzhen-novyj-generator-virusov-diy"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:id.
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=1, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] Warning. Operator LT matched 5 at TX:inbound_anomaly_score.
Stopwatch: 1360031952686859 35016 (- - -)
Stopwatch2: 1360031952686859 35016; combined=3711, p1=185, p2=3149, p3=0, p4=314, p5=63, sr=74, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
WAF: ModSecurity for Apache/2.7.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--36a9ea69-Z--

--6825be5e-A--
[05/Feb/2013:06:39:13 +0400] URBw0V2qgHIAADeiG@gAAAAB 66.249.78.24 41653 127.0.0.1 81
--6825be5e-B--
GET /pt/index.php?option=com_content&view=article&id=129%253Aobnaruzhen-novyj-generator-virusov-diy&Itemid=118 HTTP/1.0
Host: remoteshaman.com
X-Real-IP: 66.249.78.24
Connection: close
Accept: */*
From: googlebot(at)googlebot.com
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Accept-Encoding: gzip,deflate

--6825be5e-F--
HTTP/1.1 404 Not Found
Content-Length: 276
Connection: close
Content-Type: text/html; charset=iso-8859-1

--6825be5e-E--
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pt/index.php was not found on this server.</p>
<hr>
<address>Apache Server at remoteshaman.com Port 80</address>
</body></html>

--6825be5e-H--
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_20_protocol_violations.conf"] [line "464"] [id "950109"] [rev "2"] [msg "Multiple URL Encoding Detected"] [severity "WARNING"] [ver "OWASP_CRS/2.2.6"] [maturity "6"] [accuracy "8"] [tag "OWASP_CRS/PROTOCOL_VIOLATION/EVASION"] Warning. Pattern match "\\%((?!$|\\W)|[0-9a-fA-F]{2}|u[0-9a-fA-F]{4})" at ARGS:id.
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:id: 129:obnaruzhen-novyj-generator-virusov-diy"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "8"] Warning. Pattern match "([\\~\\!\\@\\#\\$\\%\\^\\&\\*\\(\\)\\-\\+\\=\\{\\}\\[\\]\\|\\:\\;\"\\'\\\xc2\xb4\\\xe2\x80\x99\\\xe2\x80\x98\\`\\<\\>].*?){4,}" at ARGS:id.
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "37"] [id "981204"] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 6, SQLi=1, XSS=): Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] Warning. Operator GE matched 5 at TX:inbound_anomaly_score.
Apache-Error: [file "/builddir/build/BUILD/httpd-2.2.23/server/core.c"] [line 3708] [level 3] File does not exist: /var/www/wrs/public_html/pt
Stopwatch: 1360031953049913 8777 (- - -)
Stopwatch2: 1360031953049913 8777; combined=7021, p1=95, p2=6668, p3=0, p4=200, p5=58, sr=28, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
WAF: ModSecurity for Apache/2.7.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "DETECTION_ONLY"

--6825be5e-Z--

mod_security mistakes almost all requests to the site pages for an attack ;((

Where is the "System Command Injection" in ([data "Matched Data: ;id found within ARGS_NAMES:amp;id: amp;id"])? ;(

--ad06f25a-A--
[06/Feb/2013:14:33:32 +0400] URIxfF2qgHIAAGEldGQAAAAB 195.66.197.148 40963 127.0.0.1 81
--ad06f25a-B--
GET /index.php?option=com_content&amp;view=article&amp;id=67%3Austanovka-pear-na-php-54-pod-windows&amp;Itemid=66 HTTP/1.0
Host: remotehelp.pp.ua
X-Real-IP: 195.68.197.148
Connection: close
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate

--ad06f25a-F--
HTTP/1.1 403 Forbidden
Content-Length: 277
Connection: close
Content-Type: text/html; charset=iso-8859-1

--ad06f25a-E--

--ad06f25a-H--
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "209"] [id "950006"] [rev "2"] [msg "System Command Injection"] [data "Matched Data: ;id found within ARGS_NAMES:amp;id: amp;id"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.6"] [maturity "9"] [accuracy "9"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] Access denied with code 403 (phase 2). Pattern match "(?:\\b(?:(?:n(?:et(?:\\b\\W+?\\blocalgroup|\\.exe)|(?:map|c)\\.exe)|t(?:racer(?:oute|t)|elnet\\.exe|clsh8?|ftp)|(?:w(?:guest|sh)|rcmd|ftp)\\.exe|echo\\b\\W*?\\by+)\\b|c(?:md(?:(?:\\.exe|32)\\b|\\b\\W*?\\/c)|d(?:\\b\\W*?[\\/]|\\W*?\\.\\.)|hmod.{0,40}?\\ ..." at ARGS_NAMES:amp;id.
Action: Intercepted (phase 2)
Apache-Handler: php5-fcgi
Stopwatch: 1360146812114807 1305 (- - -)
Stopwatch2: 1360146812114807 1305; combined=600, p1=186, p2=396, p3=0, p4=0, p5=18, sr=56, sw=0, l=0, gc=0
Response-Body-Transformed: Dechunked
WAF: ModSecurity for Apache/2.7.2 (http://www.modsecurity.org/); OWASP_CRS/2.2.6.
Server: Apache
Engine-Mode: "ENABLED"

--ad06f25a-Z--
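A small triage script for audit logs like the ones above, added here as an example and not part of the issue or of the CRS project: it splits the ModSecurity 2.x serial audit-log format on its `--<id>-<section>--` boundaries, pulls the `[key "value"]` fields and the matched variable out of each `Message:` line in section H, and counts which rule/variable pairs fire most, skipping the 60_correlation rules that only summarise the anomaly score. The embedded sample log is constructed from (shortened copies of) the entries above.

```python
import re
from collections import Counter

# Constructed sample modelled on the issue's audit-log entries (A and H sections only).
SAMPLE_AUDIT_LOG = """--82e83c6c-A--
[05/Feb/2013:06:39:06 +0400] URBwyl2qgHIAADehGLYAAAAA 109.95.47.222 41573 127.0.0.1 81
--82e83c6c-H--
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_41_sql_injection_attacks.conf"] [line "170"] [id "981173"] [rev "2"] [msg "Restricted SQL Character Anomaly Detection Alert - Total # of special characters exceeded"] [data "Matched Data: - found within ARGS:id: 139:bezvozvratnoe-udalenie"] Warning. Pattern match "..." at ARGS:id.
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_60_correlation.conf"] [line "33"] [id "981203"] [msg "Inbound Anomaly Score (Total Inbound Score: 3, SQLi=1, XSS=): Restricted SQL Character Anomaly Detection Alert"] Warning. Operator LT matched 5 at TX:inbound_anomaly_score.
--82e83c6c-Z--
--ad06f25a-A--
[06/Feb/2013:14:33:32 +0400] URIxfF2qgHIAAGEldGQAAAAB 195.66.197.148 40963 127.0.0.1 81
--ad06f25a-H--
Message:  [file "/etc/httpd/modsecurity.d/activated_rules/modsecurity_crs_40_generic_attacks.conf"] [line "209"] [id "950006"] [rev "2"] [msg "System Command Injection"] [data "Matched Data: ;id found within ARGS_NAMES:amp;id: amp;id"] [severity "CRITICAL"] Access denied with code 403 (phase 2). Pattern match "..." at ARGS_NAMES:amp;id.
--ad06f25a-Z--
"""

# Section boundary "--<txid>-<letter>--", the [key "value"] fields of a Message:
# line, and the variable the operator matched against at the end of that line.
BOUNDARY = re.compile(r"^--([0-9a-f]{8})-([A-Z])--$", re.M)
FIELD = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
TARGET = re.compile(r" at (\S+)\.$")

def parse_audit_log(text):
    """Group a serial audit log into {txid: {section_letter: body}}."""
    parts = BOUNDARY.split(text)  # [preamble, txid, letter, body, txid, letter, body, ...]
    txs = {}
    for i in range(1, len(parts), 3):
        txid, letter, body = parts[i], parts[i + 1], parts[i + 2]
        txs.setdefault(txid, {})[letter] = body.strip("\n")
    return txs

def rule_hits(text):
    """One dict per Message: line in section H, i.e. one per rule that fired."""
    for txid, sections in parse_audit_log(text).items():
        for line in sections.get("H", "").splitlines():
            if line.startswith("Message:"):
                hit = dict(FIELD.findall(line))
                m = TARGET.search(line)
                hit.update(tx=txid, target=m.group(1) if m else None)
                yield hit

def false_positive_candidates(text):
    """Count (rule id, variable) pairs, skipping the 60_correlation score-summary rules."""
    counts = Counter()
    for hit in rule_hits(text):
        if "60_correlation" not in hit.get("file", ""):
            counts[(hit.get("id"), hit["target"])] += 1
    return counts
```

Run over a real audit log, `false_positive_candidates(open(path).read()).most_common()` gives the rule/variable pairs to review first; for the logs above that is 981173 on ARGS:id.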
rcbarnett-zz commented 11 years ago

Yes, these are all false positives. Thanks for providing the audit log, as that helps with the fix. The generic SQLi meta-char rule seems to have too high an FP rate to be of value in production. It was added previously due to some evasions, but it triggers too often on non-malicious stuff.

I would recommend you use SecRuleRemoveById 981173.
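The maintainer's fix above as an added configuration example (not from the issue or the CRS repository), with the placement caveat and a narrower alternative; the Include path is an assumption matching the /etc/httpd/modsecurity.d/activated_rules/ directory seen in the logs.

```apache
# Exclusions must come after the CRS files are loaded: SecRuleRemoveById acts on
# rules that have already been parsed, so placed before the Include it has nothing
# to remove.
Include /etc/httpd/modsecurity.d/activated_rules/*.conf

# Option 1 (the maintainer's recommendation): drop rule 981173 entirely.
SecRuleRemoveById 981173

# Option 2 (narrower, assumed here rather than taken from the issue): keep 981173
# but stop it inspecting the Joomla article id, whose legitimate "139:slug" values
# are what trips it in the logs above. Use one option or the other, not both.
SecRuleUpdateTargetById 981173 "!ARGS:id"
```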