Of course it has been blocked by mod_security.
"--" is usually the beginning flag of a line comment in SQL. Sometimes programmers use user input (like $_GET[] array) directly to build a SQL query, which leads to a vulnerability called SQL Injection.
So mod_security will check such string in cookies, querystring and posted form. Once illegal string found, it will display a 403 Forbidden error.
If you do need "--" in your querystring and you are sure that you have handle querystring properly (or you don't actually execute SQL queries) you can remove this rule from mod_security.
You may find the rule in
MOD_SRCURITY_INSTALLATION_PATH/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
MOD_SRCURITY_INSTALLATION_PATH depends on your server environment.
You may find such rules near
#
# -=[ Detect SQL Comment Sequences ]=-
#
and
#
# -=[ PHPIDS - Converted SQLI Filters ]=-
#
# https://dev.itratos.de/projects/php-ids/repository/raw/trunk/lib/IDS/default_filter.xml
#
Search rules that contain string --
and modify them.
Since they are all written in RegExp you should learn it first.