This sounds like a business logic rule - something that should be done in the server logic, not by mod_security, but anyways:
Floating point numbers in the range [0..999.9] are numbers that
- start with an optional sequence of zeroes (you may or may not allow that)
- followed by at most three digits, first of which is not zero
- optionally followed by a dot and nothing but digits (you may require there be at least one digit, or the last digit to be nonzero)
- except numbers that start with 999.9 and said optional zeroes - except 999.9 itself is allowed (if the range is inclusive from the right)
The least restrictive variant, compiled into a regex:
^0*(?:(?!999\.9\d*$)\d{0,3}(?:\.\d*)?|999\.90*)$
^ - start of string (not sure if it's added by mod-security)
0* - 0-n zeroes
(?:...) - non-capturing group
    (?!...) - if not followed by...
        999\.9 - the literal 999.9,
        \d* - 0-n digits and
        $ - the end of string
    \d - digit
    {0,3} - zero to three times
    (?:...) - non-capturing group
        \. - literal .
        \d* - 0-n digits
    ? - optional
    | - or
    999\.9 - 999.9 itself
    0* - optional zeroes
$ - the end of string
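
An added check, not part of the original answer: the Python harness below compares the pattern against integer arithmetic for every two-decimal value from 0.00 to 1199.99 and lists the non-numeric strings the least restrictive variant still accepts. It assumes the second alternative is written 999\.90*, as the breakdown describes; the function names and sample inputs are constructed for this example.

```python
import re

# Least restrictive pattern from the answer; second alternative written as
# 999\.90* (999.9 itself plus optional trailing zeroes), per the breakdown.
PATTERN = re.compile(r'^0*(?:(?!999\.9\d*$)\d{0,3}(?:\.\d*)?|999\.90*)$')


def accepts(value: str) -> bool:
    """True when the pattern lets the value through."""
    return PATTERN.match(value) is not None


def boundary_mismatches(limit_hundredths: int = 120000) -> list:
    """Compare the regex with integer arithmetic for 0.00 .. 1199.99.

    Values are generated as hundredths, so no float rounding is involved.
    Each value is also tried with leading zeroes, which the pattern permits.
    """
    bad = []
    for n in range(limit_hundredths):
        text = f"{n // 100}.{n % 100:02d}"
        expected = n <= 99990  # 999.90 is the inclusive upper bound
        for candidate in (text, "00" + text):
            if accepts(candidate) != expected:
                bad.append(candidate)
    return bad


# Constructed inputs that are not well-formed numbers.
DEGENERATE = ["", ".", "0.", ".5", "12.", "12\n", "-1", "1e2", " 5", "5 "]


def accepted_degenerate() -> list:
    """Degenerate inputs the least restrictive variant still accepts.

    "12\\n" passes because in Python's re module $ also matches just
    before a final newline; other engines depend on their compile flags.
    """
    return [s for s in DEGENERATE if accepts(s)]


if __name__ == "__main__":
    print("boundary mismatches:", boundary_mismatches())
    print("degenerate accepted:", [repr(s) for s in accepted_degenerate()])
```

The empty string, a lone dot and a trailing dot all pass, which is what the optional tightenings in the list above would rule out; the server-side logic should still parse and range-check the value.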