From your error log they are sending a HTTP/1.1 request without the Host: portion of the request. From what I read, Apache replies with a 400 (bad request) error to this request, before handing over to mod_security. So, it doesn’t look like your rules will be processed. (Apache dealing with it before requiring to hand over to mod_security)
Try yourself:
telnet hostname 80 GET /blahblahblah.html HTTP/1.1 (enter) (enter)
You should get the 400 error and see the same error in your logs. This is a bad request and apache is giving the correct answer.
Proper request should look like:
GET /blahblahblah.html HTTP/1.1 Host: blah.com
A work around for this issue could be to patch mod_uniqueid, to generate a unique ID even for a failed request, in order that apache passes the request on to its request handlers.
The following URL is a discussion about this work around, and includes a patch for mod_uniqueid you could use:
http://marc.info/?l=mod-security-users&m=123300133603876&w=2
Couldn’t find any other solutions for it and wonder if a solution is actually required.