2011-10-11, 01:33 PM
It *is* possible to add a rule to whitelist an IP - I did it once - but it then defeated my testing, since my rule meant everything worked for me but *only* me.
If you find that mod_security is breaking some sites, the logfiles should give you an indication of what it's blocking - it does tend to be somewhat paranoid about code, and in some ways has raised awareness of "defensive programming/secure coding" amongst plenty of developers unaware of just how exploitable their code was.
For all of my sites, I first flicked mod_security off to ensure it all worked fine without any filtering, then flicked it on and kept checking the logfiles to see what it stamped down upon. Sometimes, the changes I had to make were fairly simple (wrong permissions, owner, etc.), but in other cases required upgrading web-based applications to the newer one which was mod_sec compliant.[1]
[1] A few websites give workarounds showing how to disable and/or whitelist specific modsec functionality for their apps whilst they worked upon the next version that included more robust code which wouldn't trigger modsec false positives.
It's still a learning curve, ultimately. I wouldn't get too bogged down upon what the rulesets actually are (nor about trying to write them); it is safer to check that website code (Drupal, etc.) works with mod_sec and investigate the reasons why not. Usually the reasons are something of concern and DO need to be addressed.
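The log-checking routine described in the post above, as an added example that is not part of the original post: it tallies blocked requests per site, URI and rule, and counts distinct clients so a rule that trips for every visitor stands out from one that trips for a single tester. It assumes the ModSecurity 2.x Apache error-log line layout; the sample lines, rule ids, paths and hostnames are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the ModSecurity 2.x Apache error-log layout;
# every IP, rule id, path and hostname below is made up.
SAMPLE_LOG = r'''
[Tue Oct 11 13:20:01 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union.+select" at ARGS:q. [file "/etc/modsec/rules.conf"] [line "40"] [id "100001"] [msg "SQL injection attempt"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search.php"] [unique_id "AAAA"]
[Tue Oct 11 13:20:09 2011] [error] [client 192.0.2.11] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union.+select" at ARGS:q. [file "/etc/modsec/rules.conf"] [line "40"] [id "100001"] [msg "SQL injection attempt"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search.php"] [unique_id "AAAB"]
[Tue Oct 11 13:21:30 2011] [error] [client 192.0.2.10] ModSecurity: Access denied with code 403 (phase 2). Match of "rx ^image/" against "FILES:upload" required. [file "/etc/modsec/rules.conf"] [line "55"] [id "100002"] [msg "Upload type not allowed"] [severity "WARNING"] [hostname "www.example.com"] [uri "/admin/upload.php"] [unique_id "AAAC"]
[Tue Oct 11 13:22:02 2011] [error] [client 198.51.100.7] ModSecurity: Access denied with code 403 (phase 2). Pattern match "union.+select" at ARGS:q. [file "/etc/modsec/rules.conf"] [line "40"] [id "100001"] [msg "SQL injection attempt"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search.php"] [unique_id "AAAD"]
[Tue Oct 11 13:23:15 2011] [error] [client 192.0.2.12] ModSecurity: Warning. Pattern match "\\.\\./" at REQUEST_URI. [file "/etc/modsec/rules.conf"] [line "70"] [id "100003"] [msg "Path traversal"] [severity "NOTICE"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "AAAE"]
[Tue Oct 11 13:25:00 2011] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico
'''

FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')   # matches [key "value"]
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')

def parse_line(line):
    """Return the fields of one ModSecurity log line, or None for other lines."""
    if "ModSecurity:" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    client = CLIENT_RE.search(line)
    fields["client"] = client.group(1) if client else "-"
    fields["blocked"] = "ModSecurity: Access denied" in line
    return fields

def summarize(log_text):
    """Group blocked requests by (hostname, uri, rule id)."""
    groups = defaultdict(lambda: {"hits": 0, "clients": set(), "msg": ""})
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f or not f["blocked"]:      # skip non-ModSecurity and warn-only lines
            continue
        g = groups[(f.get("hostname", "-"), f.get("uri", "-"), f.get("id", "-"))]
        g["hits"] += 1
        g["clients"].add(f["client"])
        g["msg"] = f.get("msg", "")
    return dict(groups)

def report(log_text):
    """Rows of (hits, distinct clients, host, uri, rule id, msg), busiest first."""
    rows = [(g["hits"], len(g["clients"]), *key, g["msg"])
            for key, g in summarize(log_text).items()]
    return sorted(rows, reverse=True)

if __name__ == "__main__":
    for hits, clients, host, uri, rule, msg in report(SAMPLE_LOG):
        print(f"{hits:3d} hits {clients:2d} clients  {host}{uri}  rule {rule}: {msg}")
```

Run with the site's real error log in place of `SAMPLE_LOG` after switching mod_security back on; each row is one application behaviour to investigate before considering any exception.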