Thanks for the information, but the rule is triggered when we or our customers simply use our CMS to save data to the database. The URL will look something like this: http://www.domainname.tld/index.php?config=edit&save=1
And unless I'm reading the rule wrong (which is highly possible),
SecRule ARGS:base "((ht|f)tps?:/|\.\./\.\.)"
This looks like it will trigger based on anything that has https or ftps in the the URL. (which by the way our customer does not).
Our CMS hasn't changed in a few years and this rule has not been triggered in the past, until just last week. That's the part that has me confused.
Thanks for the question. This is not a false positive. A rule like this is triggered by the bad guys request, not by what is or is not installed on your system. Its the attack on the server that is detected, and the bad guy is looking for a vulnerable install of MyABraCaDaWeb. If you don't have it installed then you aren't vulnerable. If you do have it installed, you are not vulnerable to this attack because the rules are protecting you.
If you want to know why it may be a good idea for you to detect attacks against applications you may not have installed, please see this blog post:https://atomicorp.com/company/blogs/231-tripwires.html