diff --git a/apache2/modsecurity.c b/apache2/modsecurity.c
index 60f71374..9ec5685d 100644
--- a/apache2/modsecurity.c
+++ b/apache2/modsecurity.c
@@ -299,7 +299,7 @@ apr_status_t modsecurity_tx_init(modsec_rec *msr) {
 msr->tcache = apr_hash_make(msr->mp);
 if (msr->tcache == NULL) return -1;
- msr->tx_severity = 7; /* lowest */
+ msr->highest_severity = 255; /* high, invalid value */
 return 1;
 }
diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
index 745c276c..6afadc77 100644
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@@ -320,7 +320,7 @@ struct modsec_rec {
 apr_time_t time_checkpoint_3;
 const char *matched_var;
- int tx_severity;
+ int highest_severity;
 /* upload */
 int upload_extract_files;
diff --git a/apache2/re.c b/apache2/re.c
index 9f914590..e7630f4e 100644
--- a/apache2/re.c
+++ b/apache2/re.c
@@ -1254,8 +1254,9 @@ static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr,
 msr->matched_var = apr_pstrdup(msr->mp, var->name);
 /* Keep track of the highest severity matched so far */
- if (acting_actionset->severity < msr->tx_severity) {
- msr->tx_severity = acting_actionset->severity;
+ if ((acting_actionset->severity > 0) && (acting_actionset->severity < msr->highest_severity))
+ {
+ msr->highest_severity = acting_actionset->severity;
 }
diff --git a/apache2/re_variables.c b/apache2/re_variables.c
index c28c57e1..70c3bb96 100644
--- a/apache2/re_variables.c
+++ b/apache2/re_variables.c
@@ -734,14 +734,6 @@ static int var_tx_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
 return count;
 }
-/* TX_SEVERITY */
-
-static int var_tx_severity_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
- apr_table_t *vartab, apr_pool_t *mptmp)
-{
- return var_simple_generate(var, vartab, mptmp, apr_psprintf(mptmp, "%i", msr->tx_severity));
-}
-
 /* GEO */
 static int var_geo_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
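Review bot: The initial value `255` in modsecurity_tx_init is a bare sentinel that rule authors will see verbatim, because var_highest_severity_generate in re_variables.c formats msr->highest_severity with `%d` and has no special case for "nothing matched". A named constant next to the field in modsecurity.h (name to be chosen, e.g. `#define HIGHEST_SEVERITY_UNSET 255`) would keep the initialiser, the comparison in execute_operator and the reference documentation in step, with the line here reading `msr->highest_severity = HIGHEST_SEVERITY_UNSET; /* no rule with a severity has matched yet */`. The documentation for the variable should state that 255 means no match, so that a rule using a greater-than style comparison is not written to fire on an untouched transaction. modsecurity_tx_init starts outside the hunk.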
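Review bot: The new guard `acting_actionset->severity > 0` in execute_operator also skips a severity of 0, which looks like the most severe level: the removed initialiser in modsecurity.c was `7; /* lowest */`, so lower numbers appear to rank higher. If 0 is a valid level, a match at that level never updates msr->highest_severity, and rules that escalate on HIGHEST_SEVERITY would under-react to exactly the worst matches. If the intent is only to ignore an unset (presumably negative) severity, `if ((acting_actionset->severity >= 0) && (acting_actionset->severity < msr->highest_severity))` does that; the unset value should be confirmed against the actionset defaults, which are not visible in this diff. execute_operator starts and ends outside the hunk.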
@@ -786,6 +778,15 @@ static int var_geo_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
 return count;
 }
+/* HIGHEST_SEVERITY */
+
+static int var_highest_severity_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
+ apr_table_t *vartab, apr_pool_t *mptmp)
+{
+ return var_simple_generate(var, vartab, mptmp,
+ apr_psprintf(mptmp, "%d", msr->highest_severity));
+}
+
 /* IP */
 static int var_ip_generate(modsec_rec *msr, msre_var *var, msre_rule *rule,
@@ -2203,6 +2204,17 @@ void msre_engine_register_default_variables(msre_engine *engine) {
 PHASE_REQUEST_HEADERS
 );
+ /* HIGHEST_SEVERITY */
+ msre_engine_variable_register(engine,
+ "HIGHEST_SEVERITY",
+ VAR_SIMPLE,
+ 0, 0,
+ NULL,
+ var_highest_severity_generate,
+ VAR_DONT_CACHE,
+ PHASE_REQUEST_HEADERS
+ );
+
 /* IP */
 msre_engine_variable_register(engine,
 "IP",
@@ -2896,17 +2908,6 @@ void msre_engine_register_default_variables(msre_engine *engine) {
 PHASE_REQUEST_HEADERS
 );
- /* TX_SEVERITY */
- msre_engine_variable_register(engine,
- "TX_SEVERITY",
- VAR_SIMPLE,
- 0, 0,
- NULL,
- var_tx_severity_generate,
- VAR_DONT_CACHE,
- PHASE_REQUEST_HEADERS
- );
-
 /* WEBAPPID */
 msre_engine_variable_register(engine,
 "WEBAPPID",
diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml
index d40fe9f0..9f61be2c 100644
--- a/doc/modsecurity2-apache-reference.xml
+++ b/doc/modsecurity2-apache-reference.xml
@@ -3,7 +3,7 @@
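Review bot: Registering `"HIGHEST_SEVERITY"` in msre_engine_register_default_variables while the following hunk drops the `"TX_SEVERITY"` registration leaves existing rule files that reference the old name with nothing to resolve against. How the parser treats an unknown variable is not visible in this diff, but the likely outcomes are a configuration that fails to load or rules that are no longer enforced, and for a WAF either one is a loss of coverage on upgrade. Consider keeping a second msre_engine_variable_register call for `"TX_SEVERITY"` that points at var_highest_severity_generate for at least one release, under a comment such as `/* TX_SEVERITY: deprecated alias of HIGHEST_SEVERITY */`. The release notes should also say that the no-match value changes from 7 to 255, since rules written against the old default may compare differently. The function starts and ends outside the hunk.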