Retag 2.1.2 with some doc changes.

CHANGES

@@ -1,6 +1,8 @@
 27 July 2007 - 2.1.2
 --------------------
 
+ * Cleaned up and clarified some documentation.
+
  * Update included core rules to latest version (1.4.3).
 
  * Enhanced ability to alert/audit failed requests.

doc/modsecurity2-apache-reference.xml

@@ -16,15 +16,15 @@
   <section id="01-introduction">
     <title>Introduction</title>
 
-    <para><trademark class="trade">ModSecurity</trademark>is a web application
+    <para><trademark class="trade">ModSecurity</trademark> is a web
-    firewall (WAF). With over 70% of all attacks now carried out over the web
+    application firewall (WAF). With over 70% of all attacks now carried out
-    application level, organisations need every help they can get in making
+    over the web application level, organisations need every help they can get
-    their systems secure. WAFs are deployed to establish an external security
+    in making their systems secure. WAFs are deployed to establish an external
-    layer that increases security, detects, and prevents attacks before they
+    security layer that increases security, detects, and prevents attacks
-    reach web applications. It provides protection from a range of attacks
+    before they reach web applications. It provides protection from a range of
-    against web applications and allows for HTTP traffic monitoring and
+    attacks against web applications and allows for HTTP traffic monitoring
-    real-time analysis with little or no changes to existing
+    and real-time analysis with little or no changes to existing
-    infrastructure._err</para>
+    infrastructure.</para>
 
     <section>
       <title>HTTP Traffic Logging</title>
@@ -197,8 +197,8 @@
       which are in most cases custom coded. The Core Rules are heavily
       commented to allow it to be used as a step-by-step deployment guide for
       ModSecurity. The latest Core Rules can be found at the ModSecurity
-      website - <link
+      website - <ulink
-      linkend="http://www.modsecurity.org/projects/rules/">http://www.modsecurity.org/projects/rules/</link>.</para>
+      url="http://www.modsecurity.org/projects/rules/">http://www.modsecurity.org/projects/rules/</ulink>.</para>
     </section>
 
     <section>
@@ -297,8 +297,8 @@
       </listitem>
 
       <listitem>
-        <para>(Optional) Install the latest version of libxml2, if it isn't
+        <para>Install the latest version of libxml2, if it isn't already
-        already installed on the server.</para>
+        installed on the server.</para>
       </listitem>
 
       <listitem>
@@ -315,10 +315,8 @@
       </listitem>
 
       <listitem>
-        <para>(Optional) Edit Makefile to enable ModSecurity to use libxml2
+        <para>Edit Makefile to configure the correct include path for libxml
-        (uncomment line<literal moreinfo="none"> DEFS =
+        (for example: <filename
-        -DWITH_LIBXML2</literal>) and configure the include path (for example:
-        <filename
         moreinfo="none">INCLUDES=-I/usr/include/libxml2</filename>)</para>
       </listitem>
 
@@ -435,11 +433,9 @@
       moreinfo="none">SecAction
       nolog,redirect:http://www.hostname.com</literal></para>
 
-      <para><emphasis role="bold"> <emphasis
+      <para><emphasis role="bold">ProcessingPhase:</emphasis> Any</para>
-      role="bold">ProcessingPhase:</emphasis> </emphasis>Any</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
 
@@ -494,8 +490,7 @@
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> Can be
       set/changed with the "ctl" action for the current transaction.</para>
@@ -503,8 +498,8 @@
       <para>Example: The following example shows the various audit directives
       used together.</para>
 
-      <programlisting format="linespecific"><emphasis role="bold">SecAuditEngine RelevantOnly
+      <programlisting format="linespecific"><emphasis role="bold">SecAuditEngine RelevantOnly</emphasis> 
-</emphasis>SecAuditLog logs/audit/audit.log
+SecAuditLog logs/audit/audit.log
 SecAuditLogParts ABCFHZ
 SecAuditLogType concurrent
 SecAuditLogStorageDir logs/audit
@@ -547,8 +542,7 @@ SecAuditLogStorageDir logs/audit
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> This file is
       open on startup when the server typically still runs as<emphasis>
@@ -584,8 +578,7 @@ SecAuditLogStorageDir logs/audit
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> A main audit
       log must be defined via <literal moreinfo="none">SecAuditLog</literal>
@@ -624,16 +617,17 @@ SecAuditLogStorageDir logs/audit
 
       <itemizedlist>
         <listitem>
-          <para><literal moreinfo="none">A</literal> – audit log header
+          <para><literal moreinfo="none">A</literal> – audit log header
           (mandatory)</para>
         </listitem>
 
         <listitem>
-          <para><literal moreinfo="none">B</literal> – request headers</para>
+          <para><literal moreinfo="none">B</literal> – request
+          headers</para>
         </listitem>
 
         <listitem>
-          <para><literal moreinfo="none">C</literal> – request body (present
+          <para><literal moreinfo="none">C</literal> – request body (present
           only if the request body exists and ModSecurity is configured to
           intercept it)</para>
         </listitem>
@@ -644,7 +638,7 @@ SecAuditLogStorageDir logs/audit
         </listitem>
 
         <listitem>
-          <para><literal moreinfo="none">E</literal> – intermediary response
+          <para><literal moreinfo="none">E</literal> – intermediary response
           body (present only if ModSecurity is configured to intercept
           response bodies, and if the audit log engine is configured to record
           it). Intermediary response body is the same as the actual response
@@ -655,14 +649,14 @@ SecAuditLogStorageDir logs/audit
         </listitem>
 
         <listitem>
-          <para><literal moreinfo="none">F</literal> – final response headers
+          <para><literal moreinfo="none">F</literal> – final response
-          (excluding the Date and Server headers, which are always added by
+          headers (excluding the Date and Server headers, which are always
-          Apache in the late stage of content delivery).</para>
+          added by Apache in the late stage of content delivery).</para>
         </listitem>
 
         <listitem>
-          <para><literal moreinfo="none">G</literal> – RESERVED for the actual
+          <para><literal moreinfo="none">G</literal> – RESERVED for the
-          response body, not implemented yet.</para>
+          actual response body, not implemented yet.</para>
         </listitem>
 
         <listitem>
@@ -673,13 +667,12 @@ SecAuditLogStorageDir logs/audit
         <listitem>
           <para><literal moreinfo="none">I</literal> - This part is a
           replacement for part C. It will log the same data as C in all cases
-          except when<literal
+          except when<literal moreinfo="none">multipart/form-data</literal>
-          moreinfo="none">multipart/form-data</literal>encoding in used. In
+          encoding in used. In this case it will log a fake <literal
-          this case it will log a fake<literal moreinfo="none">
+          moreinfo="none"> application/x-www-form-urlencoded</literal> body
-          application/x-www-form-urlencoded</literal> body that contains the
+          that contains the information about parameters but not about the
-          information about parameters but not about the files. This is handy
+          files. This is handy if you don't want to have (often large) files
-          if you don't want to have (often large) files stored in your audit
+          stored in your audit logs.</para>
-          logs.</para>
         </listitem>
 
         <listitem>
@@ -689,7 +682,7 @@ SecAuditLogStorageDir logs/audit
         </listitem>
 
         <listitem>
-          <para><literal moreinfo="none">Z</literal> – final boundary,
+          <para><literal moreinfo="none">Z</literal> – final boundary,
           signifies the end of the entry (mandatory)</para>
         </listitem>
       </itemizedlist>
@@ -710,8 +703,7 @@ SecAuditLogStorageDir logs/audit
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> Must have the
       SecAuditEngine set to RelevantOnly. The parameter is a regular
@@ -742,8 +734,7 @@ SecAuditLogStorageDir logs/audit
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis>
       SecAuditLogType must be set to Concurrent. The directory must already be
@@ -769,8 +760,7 @@ SecAuditLogStorageDir logs/audit
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> Must specify
       SecAuditLogStorageDir if you use concurrent logging.</para>
@@ -808,8 +798,7 @@ SecAuditLogStorageDir logs/audit
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Main</para>
-      </emphasis>Main</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> The internal
       chroot functionality provided by ModSecurity works great for simple
@@ -841,8 +830,7 @@ SecAuditLogStorageDir logs/audit
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
 
@@ -900,8 +888,7 @@ SecAuditLogStorageDir logs/audit
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
     </section>
@@ -920,17 +907,15 @@ SecAuditLogStorageDir logs/audit
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> Levels
-      <literal moreinfo="none">1</literal>-<literal moreinfo="none">3
+      <literal moreinfo="none">1 - 3</literal> are always sent to the Apache
-      </literal>are always sent to the Apache error log. Therefore you can
+      error log. Therefore you can always use level <literal
-      always use level<literal moreinfo="none"> 0 </literal>as the default
+      moreinfo="none">0</literal> as the default logging level in production.
-      logging level in production. Level<literal moreinfo="none"> 5
+      Level <literal moreinfo="none">5</literal> is useful when debugging. It
-      </literal>is useful when debugging. It is not advisable to use higher
+      is not advisable to use higher logging levels in production as excessive
-      logging levels in production as excessive logging can slow down server
+      logging can slow down server significantly.</para>
-      significantly.</para>
 
       <para>Possible values are:</para>
 
@@ -985,8 +970,7 @@ SecAuditLogStorageDir logs/audit
 
       <para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> Rules
       following a SecDefaultAction directive will inherit this setting unless
@@ -1019,8 +1003,7 @@ SecAuditLogStorageDir logs/audit
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Main</para>
-      </emphasis>Main</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> By default
       httpd-guardian will defend against clients that send more 120 requests
@@ -1035,17 +1018,16 @@ SecAuditLogStorageDir logs/audit
 
       <para>Development of a state of the art external protection tool will be
       a focus of subsequent ModSecurity releases. However, a fully functional
-      tool is already available as part of the Apache httpd tools project
+      tool is already available as part of the <ulink type=""
-      (<link
+      url="http://www.apachesecurity.net/tools/">Apache httpd tools
-      linkend="http://www.apachesecurity.net/tools/">http://www.apachesecurity.net/tools/</link>).
+      project</ulink>. The tool is called httpd-guardian and can be used to
-      The tool is called httpd-guardian and can be used to defend against
+      defend against Denial of Service attacks. It uses the blacklist tool
-      Denial of Service attacks. It uses the blacklist tool (from the same
+      (from the same project) to interact with an iptables-based (Linux) or
-      project) to interact with an iptables-based (Linux) or pf-based (*BSD)
+      pf-based (*BSD) firewall, dynamically blacklisting the offending IP
-      firewall, dynamically blacklisting the offending IP addresses. It can
+      addresses. It can also interact with SnortSam (http://www.snortsam.net).
-      also interact with SnortSam (http://www.snortsam.net). Assuming
+      Assuming httpd-guardian is already configured (look into the source code
-      httpd-guardian is already configured (look into the source code for the
+      for the detailed instructions) you only need to add one line to your
-      detailed instructions) you only need to add one line to your Apache
+      Apache configuration to deploy it:</para>
-      configuration to deploy it:</para>
 
       <programlisting format="linespecific">SecGuardianLog |/path/to/httpd-guardian</programlisting>
     </section>
@@ -1065,8 +1047,7 @@ SecAuditLogStorageDir logs/audit
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> This
       directive is required if you plan to inspect POST_PAYLOADS of requests.
@@ -1104,8 +1085,7 @@ SecAuditLogStorageDir logs/audit
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> 131072 KB
       (134217728 bytes) is the default setting. Anything over this limit will
@@ -1128,8 +1108,7 @@ SecAuditLogStorageDir logs/audit
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
 
@@ -1153,8 +1132,7 @@ SecRequestBodyInMemoryLimit 131072</programlisting>
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> Anything over
       this limit will be rejected with status code 500 Internal Server Error.
@@ -1183,8 +1161,7 @@ SecResponseBodyLimit 524288</programlisting>
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis>
       Multiple<literal moreinfo="none"> SecResponseBodyMimeType</literal>
@@ -1213,8 +1190,7 @@ SecResponseBodyLimit 524288</programlisting>
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
     </section>
@@ -1233,8 +1209,7 @@ SecResponseBodyLimit 524288</programlisting>
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> This
       directive is required if you plan to inspect html responses. This
@@ -1272,8 +1247,7 @@ SecResponseBodyLimit 524288</programlisting>
 
       <para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
 
@@ -1321,8 +1295,8 @@ SecResponseBodyLimit 524288</programlisting>
 
         <para>In the simplest possible case you will use a regular expression
         pattern as the second rule parameter. This is what we've done in the
-        examples above. If you do this ModSecurity assumes you want to use
+        examples above. If you do this ModSecurity assumes you want to use the
-        the<literal moreinfo="none"> rx </literal>operator. You can explicitly
+        <literal moreinfo="none">rx</literal> operator. You can explicitly
         specify the operator you want to use by using <literal
         moreinfo="none">@</literal> as the first character in the second rule
         parameter:</para>
@@ -1372,8 +1346,7 @@ SecResponseBodyLimit 524288</programlisting>
 
       <para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis>
       Resource-specific contexts (e.g.<literal moreinfo="none">
@@ -1405,8 +1378,7 @@ SecDefaultAction log,deny,phase:1,redirect:http://www.site2.com
 &lt;VirtualHost *:80&gt; 
 ServerName app2.com 
 ServerAlias www.app2.com
-<emphasis role="bold">SecRuleInheritance On
+<emphasis role="bold">SecRuleInheritance On</emphasis> SecRule ARGS "attack" 
-</emphasis>SecRule ARGS "attack" 
 ... 
 &lt;/VirtualHost&gt;</programlisting>
 
@@ -1439,8 +1411,7 @@ ServerAlias www.app2.com
 
       <para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> Thisdirective
       can also be controled by the ctl action (ctl:ruleEngine=off) for per
@@ -1480,8 +1451,7 @@ ServerAlias www.app2.com
 
       <para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> This
       directive supports multiple parameters, where each parameter can either
@@ -1505,8 +1475,7 @@ ServerAlias www.app2.com
 
       <para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> This
       directive supports multiple parameters. Each parameter is a regular
@@ -1531,8 +1500,7 @@ ServerAlias www.app2.com
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Main</para>
-      </emphasis>Main</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> In order for
       this directive to work, you must set the Apache ServerTokens directive
@@ -1556,8 +1524,7 @@ ServerAlias www.app2.com
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> Needs to be
       writable by the Apache user process. This is the directory location
@@ -1580,8 +1547,7 @@ ServerAlias www.app2.com
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> This
       directory must be on the same filesystem as the temporary directory
@@ -1604,8 +1570,7 @@ ServerAlias www.app2.com
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> This
       directive requires the storage directory to be defined (using <literal
@@ -1646,8 +1611,7 @@ ServerAlias www.app2.com
 
       <para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
 
-      <para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
+      <para><emphasis role="bold">Scope:</emphasis> Any</para>
-      </emphasis>Any</para>
 
       <para><emphasis role="bold">Dependencies/Notes:</emphasis> Partitions
       are used to avoid collisions between session IDs and user IDs. This
@@ -1744,7 +1708,7 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
 
     <programlisting format="linespecific">SecDefaultAction "log,pass,<emphasis
         role="bold">phase:2</emphasis>"
-SecRule HTTP_Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis>"</programlisting>
+SecRule REQUEST_HEADERS:Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis>"</programlisting>
 
     <para><emphasis role="bold">Note on Rule and Phases</emphasis></para>
 
@@ -1794,7 +1758,7 @@ SecRule HTTP_Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis>"</program
         </listitem>
 
         <listitem>
-          <para>multipart/form-data – used for file transfers</para>
+          <para>multipart/form-data – used for file transfers</para>
         </listitem>
 
         <listitem>
@@ -1816,8 +1780,8 @@ SecRule HTTP_Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis>"</program
       not be able to be triggered as expected. Additionally, there are some
       response headers that are added by Apache at a later hook (such as Date,
       Server and Connection) that we would not be able to trigger on or
-      sanitize. This should work appropirately in a proxy setup
+      sanitize. This should work appropirately in a proxy setup or within
-      however.</para>
+      phase:5 (logging).</para>
     </section>
 
     <section>
@@ -1836,8 +1800,9 @@ SecRule HTTP_Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis>"</program
       <para>This phase is run just before logging takes place. The rules
       placed into this phase can only affect how the logging is performed.
       This phase can be used to inspect the error messages logged by Apache.
-      You can not deny/block connections in this phase as it is too
+      You can not deny/block connections in this phase as it is too late. This
-      late.</para>
+      phase also allows for inspection of other response headers that weren't
+      available during phase:3 or phase:4.</para>
     </section>
   </section>
 
@@ -1857,23 +1822,23 @@ SecRule HTTP_Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis>"</program
       invocations against the operator if argument p does not exist. Some
       variables are actually collections, which are expanded into more
       variables at runtime. The following example will examine all request
-      arguments:<programlisting format="linespecific">SecRule ARGS dirty</programlisting>Sometimes,
+      arguments:<programlisting format="linespecific">SecRule ARGS dirty</programlisting>
-      however, you will want to look only at parts of a collection. This can
+      Sometimes, however, you will want to look only at parts of a collection.
-      be achieved with the help of the <emphasis>selection
+      This can be achieved with the help of the <emphasis>selection
       operator</emphasis>(colon). The following example will only look at the
       arguments named<literal moreinfo="none"> p</literal> (do note that, in
       general, requests can contain multiple arguments with the same name):
-      <programlisting format="linespecific">SecRule ARGS:p dirty</programlisting>It
+      <programlisting format="linespecific">SecRule ARGS:p dirty</programlisting>
-      is also possible to specify exclusions. The following will examine all
+      It is also possible to specify exclusions. The following will examine
-      request arguments for the word<emphasis> dirty</emphasis>, except the
+      all request arguments for the word<emphasis> dirty</emphasis>, except
-      ones named<literal moreinfo="none"> z </literal>(again, there can be
+      the ones named <literal moreinfo="none">z</literal> (again, there can be
       zero or more arguments named<literal moreinfo="none"> z</literal>):
-      <programlisting format="linespecific">SecRule ARGS|!ARGS:z dirty</programlisting>There
+      <programlisting format="linespecific">SecRule ARGS|!ARGS:z dirty</programlisting>
-      is a special operator that allows you to count how many variables there
+      There is a special operator that allows you to count how many variables
-      are in a collection. The following rule will trigger if there is more
+      there are in a collection. The following rule will trigger if there is
-      than zero arguments in the request (ignore the second parameter for the
+      more than zero arguments in the request (ignore the second parameter for
-      time being): <programlisting format="linespecific">SecRule &amp;ARGS !^0$</programlisting>And
+      the time being): <programlisting format="linespecific">SecRule &amp;ARGS !^0$</programlisting>
-      sometimes you need to look at an array of parameters, each with a
+      And sometimes you need to look at an array of parameters, each with a
       slightly different name. In this case you can specify a regular
       expression in the selection operator itself. The following rule will
       look into all arguments whose names begin with <literal
@@ -2021,7 +1986,8 @@ SecRule <emphasis role="bold">ENV:tag</emphasis> "suspicious"</programlisting>
       <title><literal moreinfo="none">QUERY_STRING</literal></title>
 
       <para>This variable holds form data passed to the script/handler by
-      appending data after a question mark. Example:</para>
+      appending data after a question mark. Warning: Not URL-decoded.
+      Example:</para>
 
       <programlisting format="linespecific">SecRule <emphasis role="bold">QUERY_STRING</emphasis> "attack"</programlisting>
     </section>
@@ -2173,8 +2139,7 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
       <title><literal moreinfo="none">REQUEST_FILENAME</literal></title>
 
       <para>This variable holds the relative REQUEST_URI minus the
-      QUERY_STRING part (e.g. /index.php). Warning: not urlDecoded.
+      QUERY_STRING part (e.g. /index.php). Example:</para>
-      Example:</para>
 
       <programlisting format="linespecific">SecRule <emphasis role="bold">REQUEST_FILENAME</emphasis> "^/cgi-bin/login\.php$"</programlisting>
     </section>
@@ -2300,10 +2265,10 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"</programlisting>
       <para><emphasis role="bold">Note</emphasis></para>
 
       <para>This variable may not have access to some headers when running in
-      embedded-mode. Headers such as Server, Date and Connection are added
+      embedded-mode. Headers such as Server, Date, Connection and Content-Type
-      during a later Apache hook just prior to sending the data to the client.
+      are added during a later Apache hook just prior to sending the data to
-      This data should be available, however, when running in
+      the client. This data should be available, however, either during
-      proxy-mode.</para>
+      ModSecurity phase:5 (logging) or when running in proxy-mode.</para>
     </section>
 
     <section>
@@ -2660,6 +2625,72 @@ SecRule REQBODY_PROCESSOR "<emphasis role="bold">!^XML$</emphasis>" skip:2
 SecRule <emphasis role="bold">XML:/employees/employee/name/text()</emphasis> Fred
 SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis> Fred \
     xmlns:xq=http://www.example.com/employees</programlisting>
+
+      <para>The first XPath expression does not use namespaces. It would match
+      against payload such as this one:</para>
+
+      <programlisting>&lt;employees&gt;
+    &lt;employee&gt;
+        &lt;name&gt;Fred Jones&lt;/name&gt;
+        &lt;address location="home"&gt;
+            &lt;street&gt;900 Aurora Ave.&lt;/street&gt;
+            &lt;city&gt;Seattle&lt;/city&gt;
+            &lt;state&gt;WA&lt;/state&gt;
+            &lt;zip&gt;98115&lt;/zip&gt;
+        &lt;/address&gt;
+        &lt;address location="work"&gt;
+            &lt;street&gt;2011 152nd Avenue NE&lt;/street&gt;
+            &lt;city&gt;Redmond&lt;/city&gt;
+            &lt;state&gt;WA&lt;/state&gt;
+            &lt;zip&gt;98052&lt;/zip&gt;
+        &lt;/address&gt;
+        &lt;phone location="work"&gt;(425)555-5665&lt;/phone&gt;
+        &lt;phone location="home"&gt;(206)555-5555&lt;/phone&gt;
+        &lt;phone location="mobile"&gt;(206)555-4321&lt;/phone&gt;
+    &lt;/employee&gt;
+&lt;/employees&gt;</programlisting>
+
+      <para>The second XPath expression does use namespaces. It would match
+      the following payload:</para>
+
+      <programlisting>&lt;xq:employees xmlns:xq="http://www.example.com/employees"&gt;
+    &lt;employee&gt;
+        &lt;name&gt;Fred Jones&lt;/name&gt;
+        &lt;address location="home"&gt;
+            &lt;street&gt;900 Aurora Ave.&lt;/street&gt;
+            &lt;city&gt;Seattle&lt;/city&gt;
+            &lt;state&gt;WA&lt;/state&gt;
+            &lt;zip&gt;98115&lt;/zip&gt;
+        &lt;/address&gt;
+        &lt;address location="work"&gt;
+            &lt;street&gt;2011 152nd Avenue NE&lt;/street&gt;
+            &lt;city&gt;Redmond&lt;/city&gt;
+            &lt;state&gt;WA&lt;/state&gt;
+            &lt;zip&gt;98052&lt;/zip&gt;
+        &lt;/address&gt;
+        &lt;phone location="work"&gt;(425)555-5665&lt;/phone&gt;
+        &lt;phone location="home"&gt;(206)555-5555&lt;/phone&gt;
+        &lt;phone location="mobile"&gt;(206)555-4321&lt;/phone&gt;
+    &lt;/employee&gt;
+&lt;/xq:employees&gt;</programlisting>
+
+      <para>Note the different namespace used in the second example.</para>
+
+      <para>To learn more about XPath we suggest the following
+      resources:</para>
+
+      <orderedlist>
+        <listitem>
+          <para><ulink url="http://www.w3.org/TR/xpath">XPath
+          Standard</ulink></para>
+        </listitem>
+
+        <listitem>
+          <para><ulink
+          url="http://www.zvon.org/xxl/XPathTutorial/General/examples.html">XPath
+          Tutorial</ulink></para>
+        </listitem>
+      </orderedlist>
     </section>
   </section>
 
@@ -2774,7 +2805,7 @@ SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis>
         </listitem>
 
         <listitem>
-          <para><literal moreinfo="none">&amp;nbs</literal>p and <literal
+          <para><literal moreinfo="none">&amp;nbsp</literal> and <literal
           moreinfo="none">&amp;nbsp;</literal></para>
         </listitem>
 
@@ -2873,9 +2904,11 @@ SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis>
       <title><literal>urlDecodeUni</literal></title>
 
       <para>In addition to decoding %xx like <literal
-      moreinfo="none">urlDecode, urlDecodeUni also </literal>decodes<literal
+      moreinfo="none">urlDecode, urlDecodeUni</literal> also decodes <literal
-      moreinfo="none"> <literal>%uXXXX</literal> </literal>encoding (only the
+      moreinfo="none">%uXXXX</literal> encoding. If the code is in the range
-      lower byte will be used, the higher byte will be discarded).</para>
+      of FF01-FF5E (the full width ASCII codes), then the higher byte is used
+      to detect and adjust the lower byte. Otherwise, only the lower byte will
+      be used and the higher byte zeroed.</para>
     </section>
 
     <section>
@@ -2898,18 +2931,18 @@ SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis>
 
     <orderedlist continuation="restarts" inheritnum="ignore">
       <listitem>
-        <para><emphasis>Disruptive actions</emphasis>- are those actions where
+        <para><emphasis>Disruptive actions</emphasis> - are those actions
-        ModSecurity will intercept the data. They can only appear in the first
+        where ModSecurity will intercept the data. They can only appear in the
-        rule in a chain.</para>
+        first rule in a chain.</para>
       </listitem>
 
       <listitem>
-        <para><emphasis>Non-disruptive actions</emphasis>; can appear
+        <para><emphasis>Non-disruptive actions</emphasis> - can appear
         anywhere.</para>
       </listitem>
 
       <listitem>
-        <para><emphasis>Flow actions</emphasis>; can appear only in the first
+        <para><emphasis>Flow actions</emphasis> - can appear only in the first
         rule in a chain.</para>
       </listitem>
 
@@ -2917,7 +2950,7 @@ SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis>
         <para><emphasis>Meta-data actions</emphasis>(<literal
         moreinfo="none">id</literal>,<literal moreinfo="none">
         rev</literal>,<literal moreinfo="none"> severity</literal>,<literal
-        moreinfo="none"> msg</literal>); can only appear in the first rule in
+        moreinfo="none"> msg</literal>) - can only appear in the first rule in
         a chain.</para>
       </listitem>
 
@@ -3243,27 +3276,48 @@ SecRule REQUEST_URI "^/cgi-bin/script\.pl" \
 
       <itemizedlist>
         <listitem>
-          <para>1 – 99999; reserved for your internal needs, use as you see
+          <para>1 – 99,999; reserved for local (internal) use. Use as you
-          fit but don't publish them to others</para>
+          see fit but do not use this range for rules that are distributed to
+          others.</para>
         </listitem>
 
         <listitem>
           <para>100,000-199,999; reserved for internal use of the engine, to
-          assign to rules that do not have explicit IDs</para>
+          assign to rules that do not have explicit IDs.</para>
         </listitem>
 
         <listitem>
           <para>200,000-299,999; reserved for rules published at
-          modsecurity.org</para>
+          modsecurity.org.</para>
         </listitem>
 
         <listitem>
           <para>300,000-399,999; reserved for rules published at
-          gotroot.com</para>
+          gotroot.com.</para>
         </listitem>
 
         <listitem>
-          <para>400,000 and above; unreserved range.</para>
+          <para>400,000-419,999; unused (available for reservation).</para>
+        </listitem>
+
+        <listitem>
+          <para>420,000-429,999; reserved for <ulink type=""
+          url="http://projects.otaku42.de/wiki/ScallyWhack">ScallyWhack</ulink>.</para>
+        </listitem>
+
+        <listitem>
+          <para>430,000-899,999; unused (available for reservation).</para>
+        </listitem>
+
+        <listitem>
+          <para>900,000-999,999; reserved for the <ulink
+          url="http://www.modsecurity.org/projects/rules/">Core Rules</ulink>
+          project.</para>
+        </listitem>
+
+        <listitem>
+          <para>1,000,000 and above; unused (available for
+          reservation).</para>
         </listitem>
       </itemizedlist>
     </section>
@@ -3811,9 +3865,8 @@ SecAction <emphasis role="bold">setsid:%{REQUEST_COOKIES.PHPSESSID}</emphasis></
       <programlisting format="linespecific">setvar:!tx.score</programlisting>
 
       <para>To increase or decrease variable value use <literal
-      moreinfo="none">+</literal>and<literal
+      moreinfo="none">+</literal> and <literal moreinfo="none">-</literal>
-      moreinfo="none">-</literal>characters in front of a numerical
+      characters in front of a numerical value:</para>
-      value:</para>
 
       <programlisting format="linespecific">setvar:tx.score=+5</programlisting>
     </section>