Which OWASP v3 rules are causing false positives? https://www.modsecurity.org/crs/ Whats the paranoia level you use?
Any rules from somewhere else you find useful?
I see modsecurity commercial offering is over 16,000 rules, seems to much as it may slow site a lot. What do you think?
Imo you need to mainly address SQL injections.