github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-13 21:36:00 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge in some doc changes.

Browse Source 
Fix some doc formatting issues.
Update the CHANGES file.
This commit is contained in:
brectanus 2007-08-02 20:40:37 +00:00
parent 72832c1b32
commit b761c1c01c
2 changed files with 197 additions and 229 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@ -1,6 +1,10 @@
?? ??? 2007 - 2.5.0-trunk
-------------------------
* Cleaned up some documentation.
* Performance improvements in caching transformations.
* Stricter validation for @validateUtf8Encoding.
* Capture the match in TX:0 when using "capture" action in phrase match

206
doc/modsecurity2-apache-reference.xml
View File

@ -16,14 +16,14 @@
<section id="01-introduction">
<title>Introduction</title>
<para><trademark class="trade">ModSecurity</trademark>is a web application
firewall (WAF). With over 70% of all attacks now carried out over the web
application level, organisations need every help they can get in making
their systems secure. WAFs are deployed to establish an external security
layer that increases security, detects, and prevents attacks before they
reach web applications. It provides protection from a range of attacks
against web applications and allows for HTTP traffic monitoring and
real-time analysis with little or no changes to existing
<para><trademark class="trade">ModSecurity</trademark> is a web
application firewall (WAF). With over 70% of all attacks now carried out
over the web application level, organisations need every help they can get
in making their systems secure. WAFs are deployed to establish an external
security layer that increases security, detects, and prevents attacks
before they reach web applications. It provides protection from a range of
attacks against web applications and allows for HTTP traffic monitoring
and real-time analysis with little or no changes to existing
infrastructure.</para>
<section>
@ -198,7 +198,7 @@
commented to allow it to be used as a step-by-step deployment guide for
ModSecurity. The latest Core Rules can be found at the ModSecurity
website - <ulink
url="???">http://www.modsecurity.org/projects/rules/</ulink>.</para>
url="http://www.modsecurity.org/projects/rules/">http://www.modsecurity.org/projects/rules/</ulink>.</para>
</section>
<section>
@ -433,11 +433,9 @@
moreinfo="none">SecAction
nolog,redirect:http://www.hostname.com</literal></para>
<para><emphasis role="bold"> <emphasis
role="bold">ProcessingPhase:</emphasis> </emphasis>Any</para>
<para><emphasis role="bold">ProcessingPhase:</emphasis> Any</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
@ -492,8 +490,7 @@
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Can be
set/changed with the "ctl" action for the current transaction.</para>
@ -501,8 +498,8 @@
<para>Example: The following example shows the various audit directives
used together.</para>
<programlisting format="linespecific"><emphasis role="bold">SecAuditEngine RelevantOnly
</emphasis>SecAuditLog logs/audit/audit.log
<programlisting format="linespecific"><emphasis role="bold">SecAuditEngine RelevantOnly</emphasis>
SecAuditLog logs/audit/audit.log
SecAuditLogParts ABCFHZ
SecAuditLogType concurrent
SecAuditLogStorageDir logs/audit
@ -545,8 +542,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> This file is
open on startup when the server typically still runs as<emphasis>
@ -582,8 +578,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> A main audit
log must be defined via <literal moreinfo="none">SecAuditLog</literal>
@ -671,13 +666,12 @@ SecAuditLogStorageDir logs/audit
<listitem>
<para><literal moreinfo="none">I</literal> - This part is a
replacement for part C. It will log the same data as C in all cases
except when<literal
moreinfo="none">multipart/form-data</literal>encoding in used. In
this case it will log a fake<literal moreinfo="none">
application/x-www-form-urlencoded</literal> body that contains the
information about parameters but not about the files. This is handy
if you don't want to have (often large) files stored in your audit
logs.</para>
except when<literal moreinfo="none">multipart/form-data</literal>
encoding in used. In this case it will log a fake <literal
moreinfo="none"> application/x-www-form-urlencoded</literal> body
that contains the information about parameters but not about the
files. This is handy if you don't want to have (often large) files
stored in your audit logs.</para>
</listitem>
<listitem>
@ -708,8 +702,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Must have the
SecAuditEngine set to RelevantOnly. The parameter is a regular
@ -740,8 +733,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis>
SecAuditLogType must be set to Concurrent. The directory must already be
@ -767,8 +759,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Must specify
SecAuditLogStorageDir if you use concurrent logging.</para>
@ -806,8 +797,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Main</para>
<para><emphasis role="bold">Scope:</emphasis> Main</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> The internal
chroot functionality provided by ModSecurity works great for simple
@ -853,8 +843,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
@ -912,8 +901,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
</section>
@ -932,17 +920,15 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Levels
<literal moreinfo="none">1</literal>-<literal moreinfo="none">3
</literal>are always sent to the Apache error log. Therefore you can
always use level<literal moreinfo="none"> 0 </literal>as the default
logging level in production. Level<literal moreinfo="none"> 5
</literal>is useful when debugging. It is not advisable to use higher
logging levels in production as excessive logging can slow down server
significantly.</para>
<literal moreinfo="none">1 - 3</literal> are always sent to the Apache
error log. Therefore you can always use level <literal
moreinfo="none">0</literal> as the default logging level in production.
Level <literal moreinfo="none">5</literal> is useful when debugging. It
is not advisable to use higher logging levels in production as excessive
logging can slow down server significantly.</para>
<para>Possible values are:</para>
@ -997,8 +983,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Rules
following a SecDefaultAction directive will inherit this setting unless
@ -1030,8 +1015,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Check out
www.maxmind.com for free database files.</para>
@ -1053,8 +1037,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Main</para>
<para><emphasis role="bold">Scope:</emphasis> Main</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> By default
httpd-guardian will defend against clients that send more 120 requests
@ -1168,8 +1151,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> This
directive is required if you plan to inspect POST_PAYLOADS of requests.
@ -1207,8 +1189,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> 131072 KB
(134217728 bytes) is the default setting. Anything over this limit will
@ -1231,8 +1212,7 @@ SecAuditLogStorageDir logs/audit
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
@ -1256,8 +1236,7 @@ SecRequestBodyInMemoryLimit 131072</programlisting>
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Anything over
this limit will be rejected with status code 500 Internal Server Error.
@ -1286,8 +1265,7 @@ SecResponseBodyLimit 524288</programlisting>
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis>
Multiple<literal moreinfo="none"> SecResponseBodyMimeType</literal>
@ -1316,8 +1294,7 @@ SecResponseBodyLimit 524288</programlisting>
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
</section>
@ -1336,8 +1313,7 @@ SecResponseBodyLimit 524288</programlisting>
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> This
directive is required if you plan to inspect html responses. This
@ -1375,8 +1351,7 @@ SecResponseBodyLimit 524288</programlisting>
<para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> None</para>
@ -1424,8 +1399,8 @@ SecResponseBodyLimit 524288</programlisting>
<para>In the simplest possible case you will use a regular expression
pattern as the second rule parameter. This is what we've done in the
examples above. If you do this ModSecurity assumes you want to use
the<literal moreinfo="none"> rx </literal>operator. You can explicitly
examples above. If you do this ModSecurity assumes you want to use the
<literal moreinfo="none">rx</literal> operator. You can explicitly
specify the operator you want to use by using <literal
moreinfo="none">@</literal> as the first character in the second rule
parameter:</para>
@ -1475,8 +1450,7 @@ SecResponseBodyLimit 524288</programlisting>
<para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis>
Resource-specific contexts (e.g.<literal moreinfo="none">
@ -1508,8 +1482,7 @@ SecDefaultAction log,deny,phase:1,redirect:http://www.site2.com
&lt;VirtualHost *:80&gt;
ServerName app2.com
ServerAlias www.app2.com
<emphasis role="bold">SecRuleInheritance On
</emphasis>SecRule ARGS "attack"
<emphasis role="bold">SecRuleInheritance On</emphasis> SecRule ARGS "attack"
...
&lt;/VirtualHost&gt;</programlisting>
@ -1542,8 +1515,7 @@ ServerAlias www.app2.com
<para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Thisdirective
can also be controled by the ctl action (ctl:ruleEngine=off) for per
@ -1583,8 +1555,7 @@ ServerAlias www.app2.com
<para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> This
directive supports multiple parameters, where each parameter can either
@ -1608,8 +1579,7 @@ ServerAlias www.app2.com
<para><emphasis role="bold">Processing Phase:</emphasis> Any</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> This
directive supports multiple parameters. Each parameter is a regular
@ -1634,8 +1604,7 @@ ServerAlias www.app2.com
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Main</para>
<para><emphasis role="bold">Scope:</emphasis> Main</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> In order for
this directive to work, you must set the Apache ServerTokens directive
@ -1659,8 +1628,7 @@ ServerAlias www.app2.com
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Needs to be
writable by the Apache user process. This is the directory location
@ -1683,8 +1651,7 @@ ServerAlias www.app2.com
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> This
directory must be on the same filesystem as the temporary directory
@ -1707,8 +1674,7 @@ ServerAlias www.app2.com
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> This
directive requires the storage directory to be defined (using <literal
@ -1749,8 +1715,7 @@ ServerAlias www.app2.com
<para><emphasis role="bold">Processing Phase:</emphasis> N/A</para>
<para><emphasis role="bold"> <emphasis role="bold">Scope:</emphasis>
</emphasis>Any</para>
<para><emphasis role="bold">Scope:</emphasis> Any</para>
<para><emphasis role="bold">Dependencies/Notes:</emphasis> Partitions
are used to avoid collisions between session IDs and user IDs. This
@ -1961,23 +1926,23 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,<emphasis role="bold">phase:1</emphasis
invocations against the operator if argument p does not exist. Some
variables are actually collections, which are expanded into more
variables at runtime. The following example will examine all request
arguments:<programlisting format="linespecific">SecRule ARGS dirty</programlisting>Sometimes,
however, you will want to look only at parts of a collection. This can
be achieved with the help of the <emphasis>selection
arguments:<programlisting format="linespecific">SecRule ARGS dirty</programlisting>
Sometimes, however, you will want to look only at parts of a collection.
This can be achieved with the help of the <emphasis>selection
operator</emphasis>(colon). The following example will only look at the
arguments named<literal moreinfo="none"> p</literal> (do note that, in
general, requests can contain multiple arguments with the same name):
<programlisting format="linespecific">SecRule ARGS:p dirty</programlisting>It
is also possible to specify exclusions. The following will examine all
request arguments for the word<emphasis> dirty</emphasis>, except the
ones named<literal moreinfo="none"> z </literal>(again, there can be
<programlisting format="linespecific">SecRule ARGS:p dirty</programlisting>
It is also possible to specify exclusions. The following will examine
all request arguments for the word<emphasis> dirty</emphasis>, except
the ones named <literal moreinfo="none">z</literal> (again, there can be
zero or more arguments named<literal moreinfo="none"> z</literal>):
<programlisting format="linespecific">SecRule ARGS|!ARGS:z dirty</programlisting>There
is a special operator that allows you to count how many variables there
are in a collection. The following rule will trigger if there is more
than zero arguments in the request (ignore the second parameter for the
time being): <programlisting format="linespecific">SecRule &amp;ARGS !^0$</programlisting>And
sometimes you need to look at an array of parameters, each with a
<programlisting format="linespecific">SecRule ARGS|!ARGS:z dirty</programlisting>
There is a special operator that allows you to count how many variables
there are in a collection. The following rule will trigger if there is
more than zero arguments in the request (ignore the second parameter for
the time being): <programlisting format="linespecific">SecRule &amp;ARGS !^0$</programlisting>
And sometimes you need to look at an array of parameters, each with a
slightly different name. In this case you can specify a regular
expression in the selection operator itself. The following rule will
look into all arguments whose names begin with <literal
@ -3026,7 +2991,7 @@ SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis>
</listitem>
<listitem>
<para><literal moreinfo="none">&amp;nbs</literal>p and <literal
<para><literal moreinfo="none">&amp;nbsp</literal> and <literal
moreinfo="none">&amp;nbsp;</literal></para>
</listitem>
@ -3132,11 +3097,11 @@ SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis>
<title><literal>urlDecodeUni</literal></title>
<para>In addition to decoding %xx like <literal
moreinfo="none">urlDecode, urlDecodeUni also </literal>decodes<literal
moreinfo="none"> <literal>%uXXXX</literal> </literal>encoding. If the
code is in the range of FF01-FF5E (the full width ASCII codes), then the
higher byte is used to detect and adjust the lower byte. Otherwise, only
the lower byte will be used and the higher byte zeroed.</para>
moreinfo="none">urlDecode, urlDecodeUni</literal> also decodes <literal
moreinfo="none">%uXXXX</literal> encoding. If the code is in the range
of FF01-FF5E (the full width ASCII codes), then the higher byte is used
to detect and adjust the lower byte. Otherwise, only the lower byte will
be used and the higher byte zeroed.</para>
</section>
<section>
@ -3180,18 +3145,18 @@ SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis>
<orderedlist continuation="restarts" inheritnum="ignore">
<listitem>
<para><emphasis>Disruptive actions</emphasis>- are those actions where
ModSecurity will intercept the data. They can only appear in the first
rule in a chain.</para>
<para><emphasis>Disruptive actions</emphasis> - are those actions
where ModSecurity will intercept the data. They can only appear in the
first rule in a chain.</para>
</listitem>
<listitem>
<para><emphasis>Non-disruptive actions</emphasis>; can appear
<para><emphasis>Non-disruptive actions</emphasis> - can appear
anywhere.</para>
</listitem>
<listitem>
<para><emphasis>Flow actions</emphasis>; can appear only in the first
<para><emphasis>Flow actions</emphasis> - can appear only in the first
rule in a chain.</para>
</listitem>
@ -3199,7 +3164,7 @@ SecRule <emphasis role="bold">XML:/xq:employees/employee/name/text()</emphasis>
<para><emphasis>Meta-data actions</emphasis>(<literal
moreinfo="none">id</literal>,<literal moreinfo="none">
rev</literal>,<literal moreinfo="none"> severity</literal>,<literal
moreinfo="none"> msg</literal>); can only appear in the first rule in
moreinfo="none"> msg</literal>) - can only appear in the first rule in
a chain.</para>
</listitem>
@ -4169,9 +4134,8 @@ SecAction <emphasis role="bold">setsid:%{REQUEST_COOKIES.PHPSESSID}</emphasis></
<programlisting format="linespecific">setvar:!tx.score</programlisting>
<para>To increase or decrease variable value use <literal
moreinfo="none">+</literal>and<literal
moreinfo="none">-</literal>characters in front of a numerical
value:</para>
moreinfo="none">+</literal> and <literal moreinfo="none">-</literal>
characters in front of a numerical value:</para>
<programlisting format="linespecific">setvar:tx.score=+5</programlisting>
</section>