diff --git a/CHANGES b/CHANGES index 4efae210..862ada9c 100644 --- a/CHANGES +++ b/CHANGES @@ -5,7 +5,7 @@ * Added a @containsWord operator that will match a given string anywhere in the target value, but only on word boundaries. - * Used new TX:LAST_MATCHED_VAR_NAME to store the last matched variable name + * New MATCHED_VAR variable to store the last matched variable name so that it can be more easily used by rules. * Fixed expansion of macros when using relative changes with setvar. In diff --git a/apache2/re.c b/apache2/re.c index 150ae9b0..e043a002 100644 --- a/apache2/re.c +++ b/apache2/re.c @@ -1335,8 +1335,6 @@ static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr, else { /* Match. */ - msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); - if (rc == 0) { /* Operator did not match so we need to provide a message. */ my_error_msg = apr_psprintf(msr->mp, "Match of \"%s %s\" against \"%s\" required.", @@ -1346,21 +1344,6 @@ static int execute_operator(msre_var *var, msre_rule *rule, modsec_rec *msr, msr->matched_var = apr_pstrdup(msr->mp, var->name); - if (s == NULL) { - msr_log(msr, 3, "Internal error: Failed to allocate space for TX.last_matched_var_name."); - } - else { - s->name = "last_matched_var_name"; - s->value = apr_pstrdup(msr->mp, var->name); - s->value_len = strlen(var->name); - if ((s->name == NULL)||(s->value == NULL)) return -1; - apr_table_setn(msr->tx_vars, s->name, (void *)s); - if (msr->txcfg->debuglog_level >= 9) { - msr_log(msr, 9, "Added matched variable name to TX.%s: %s", s->name, var->name); - } - } - - /* Keep track of the highest severity matched so far */ if ((acting_actionset->severity > 0) && (acting_actionset->severity < msr->highest_severity)) { diff --git a/apache2/re_variables.c b/apache2/re_variables.c index 319ce69b..2b41c57b 100644 --- a/apache2/re_variables.c +++ b/apache2/re_variables.c 
@@ -838,6 +838,15 @@ static int var_ip_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, return count; } +/* MATCHED_VAR */ + +static int var_matched_var_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, + apr_table_t *vartab, apr_pool_t *mptmp) +{ + return var_simple_generate(var, vartab, mptmp, + apr_pstrdup(mptmp, msr->matched_var)); +} + /* SESSION */ static int var_session_generate(modsec_rec *msr, msre_var *var, msre_rule *rule, @@ -2292,6 +2301,17 @@ void msre_engine_register_default_variables(msre_engine *engine) { PHASE_REQUEST_HEADERS ); + /* MATCHED_VAR */ + msre_engine_variable_register(engine, + "MATCHED_VAR", + VAR_SIMPLE, + 0, 0, + NULL, + var_matched_var_generate, + VAR_DONT_CACHE, + PHASE_REQUEST_HEADERS + ); + /* MODSEC_BUILD */ msre_engine_variable_register(engine, "MODSEC_BUILD", diff --git a/doc/modsecurity2-apache-reference.xml b/doc/modsecurity2-apache-reference.xml index 5f75673f..4302ee2a 100644 --- a/doc/modsecurity2-apache-reference.xml +++ b/doc/modsecurity2-apache-reference.xml @@ -2025,7 +2025,9 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1The following variables are supported in ModSecurity 2.x:
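Review bot: `var_matched_var_generate` hands `apr_pstrdup(mptmp, msr->matched_var)` straight to `var_simple_generate`, and nothing in this hunk guarantees that `msr->matched_var` is non-NULL. The only assignment visible in this commit is in the match branch of `execute_operator`, while the registration hunk that follows makes MATCHED_VAR available from `PHASE_REQUEST_HEADERS`, so a rule can read it before anything has matched. `apr_pstrdup` returns NULL for a NULL input, and whether `var_simple_generate` tolerates a NULL value is not visible here (it is defined outside the hunk). I would pass an empty string in that case: `apr_pstrdup(mptmp, msr->matched_var ? msr->matched_var : "")`. The `/* MATCHED_VAR */` comment could also state that the value is the name of the most recently matched variable and, for collections such as ARGS, presumably carries a request-supplied member name, so rules that expand `%{MATCHED_VAR}` should treat it as untrusted input.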
- <literal moreinfo="none">ARGS</literal> + + <literal moreinfo="none">ARGS</literal> + ARGS is a collection and can be used on its own (means all arguments including the POST Payload), with a static @@ -2070,7 +2072,9 @@ SecRule REQUEST_HEADERS:Host "!^$" "deny,phase:1
- <literal moreinfo="none">ARGS_COMBINED_SIZE</literal> + + <literal moreinfo="none">ARGS_COMBINED_SIZE</literal> + This variable allows you to set more targeted evaluations on the total size of the Arguments as compared with normal Apache LimitRequest @@ -2084,7 +2088,9 @@ SecRule ARGS_COMBINED_SIZE "@gt 25"
- <literal moreinfo="none">ARGS_NAMES</literal> + + <literal moreinfo="none">ARGS_NAMES</literal> + Is a collection of the argument names. You can search for specific argument names that you want to block. In a positive policy scenario, @@ -2098,14 +2104,18 @@ SecRule ARGS_NAMES "!^(p|a)$"
- <literal moreinfo="none">ARGS_GET</literal> + + <literal moreinfo="none">ARGS_GET</literal> + ARGS_GET is similar to ARGS, but only contains arguments from the query string.
- <literal moreinfo="none">ARGS_GET_NAMES</literal> + + <literal moreinfo="none">ARGS_GET_NAMES</literal> + ARGS_GET_NAMES is similar to ARGS_NAMES, but only contains argument names from the @@ -2113,7 +2123,9 @@ SecRule ARGS_NAMES "!^(p|a)$"
- <literal moreinfo="none">ARGS_POST</literal> + + <literal moreinfo="none">ARGS_POST</literal> + ARGS_POST is similar to ARGS, but only contains arguments from the POST @@ -2121,7 +2133,9 @@ SecRule ARGS_NAMES "!^(p|a)$"
- <literal moreinfo="none">ARGS_POST_NAMES</literal> + + <literal moreinfo="none">ARGS_POST_NAMES</literal> + ARGS_POST_NAMES is similar to ARGS_NAMES, but only contains argument names from the @@ -2129,14 +2143,18 @@ SecRule ARGS_NAMES "!^(p|a)$"
- <literal moreinfo="none">AUTH_TYPE</literal> + + <literal moreinfo="none">AUTH_TYPE</literal> + This variable holds the authentication method used to validate a user. Example: SecRule AUTH_TYPE "basic" log,deny,status:403,phase:1,t:lowercase - Note + + Note + This data will not be available in a proxy-mode deployment as the authentication is not local. In a proxy-mode deployment, you would need @@ -2145,7 +2163,9 @@ SecRule ARGS_NAMES "!^(p|a)$"
- <literal moreinfo="none">ENV</literal> + + <literal moreinfo="none">ENV</literal> + Collection, requires a single parameter (after a colon character). The ENV variable is set with setenv and does not give access to the CGI @@ -2157,7 +2177,9 @@ SecRule ENV:tag "suspicious"
- <literal moreinfo="none">FILES</literal> + + <literal moreinfo="none">FILES</literal> + Collection. Contains a collection of original file names (as they were called on the remote user's file system). Note: only available if @@ -2167,7 +2189,9 @@ SecRule ENV:tag "suspicious"
- <literal moreinfo="none">FILES_COMBINED_SIZE</literal> + + <literal moreinfo="none">FILES_COMBINED_SIZE</literal> + Single value. Total size of the uploaded files. Note: only available if files were extracted from the request body. Example: @@ -2176,7 +2200,9 @@ SecRule ENV:tag "suspicious"
- <literal moreinfo="none">FILES_NAMES</literal> + + <literal moreinfo="none">FILES_NAMES</literal> + Collection w/o parameter. Contains a list of form fields that were used for file upload. Note: only available if files were extracted from @@ -2186,7 +2212,9 @@ SecRule ENV:tag "suspicious"
- <literal moreinfo="none">FILES_SIZES</literal> + + <literal moreinfo="none">FILES_SIZES</literal> + Collection. Contains a list of file sizes. Useful for implementing a size limitation on individual uploaded files. Note: only available if @@ -2196,7 +2224,9 @@ SecRule ENV:tag "suspicious"
- <literal moreinfo="none">FILES_TMPNAMES</literal> + + <literal moreinfo="none">FILES_TMPNAMES</literal> + Collection. Contains a collection of temporary files' names on the disk. Useful when used together with ENV:tag "suspicious"
- <literal moreinfo="none">GEO</literal> + + <literal moreinfo="none">GEO</literal> + GEO is a collection populated by the @geoLookups operator. It can be used to match @@ -2281,7 +2313,9 @@ SecRule GEO:COUNTRY_CODE "!@streq UK"
- <literal moreinfo="none">HIGHEST_SEVERITY</literal> + + <literal moreinfo="none">HIGHEST_SEVERITY</literal> + This variable holds the highest severity of any rules that have matched so far. Severities are numeric values and thus can be used with @@ -2298,7 +2332,22 @@ SecRule GEO:COUNTRY_CODE "!@streq UK"
- <literal moreinfo="none">MODSEC_BUILD</literal> + + <literal moreinfo="none">MATCHED_VAR</literal> + + + This variable holds the full name of the variable that was matched + against. + + SecRule ARGS pattern setvar:tx.mymatch=%{MATCHED_VAR} +... +SecRule TX:MYMATCH "@eq ARGS:param" deny +
+ +
+ + <literal moreinfo="none">MODSEC_BUILD</literal> + This variable holds the ModSecurity build number. This variable is intended to be used to check the build number prior to using a feature @@ -2309,7 +2358,9 @@ SecRule ARGS "@pm some key words" deny,status:500
- <literal>MULTIPART_STRICT_ERROR</literal> + + <literal>MULTIPART_STRICT_ERROR</literal> + MULTIPART_STRICT_ERROR will be set to 1 when any of the following variables is also set to @@ -2356,7 +2407,9 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
- <literal>MULTIPART_UNMATCHED_BOUNDARY</literal> + + <literal>MULTIPART_UNMATCHED_BOUNDARY</literal> + Set to 1 when, during the parsing phase of a multipart/request-body, ModSecurity encounters what @@ -2374,7 +2427,9 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
- <literal moreinfo="none">PATH_INFO</literal> + + <literal moreinfo="none">PATH_INFO</literal> + Besides passing query information to a script/handler, you can also pass additional data, known as extra path information, as part of @@ -2384,7 +2439,9 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
- <literal moreinfo="none">QUERY_STRING</literal> + + <literal moreinfo="none">QUERY_STRING</literal> + This variable holds form data passed to the script/handler by appending data after a question mark. Warning: Not URL-decoded. @@ -2394,7 +2451,9 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
- <literal moreinfo="none">REMOTE_ADDR</literal> + + <literal moreinfo="none">REMOTE_ADDR</literal> + This variable holds the IP address of the remote client. Example: @@ -2403,7 +2462,9 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
- <literal moreinfo="none">REMOTE_HOST</literal> + + <literal moreinfo="none">REMOTE_HOST</literal> + If HostnameLookUps are set to On, then this variable will hold the DNS resolved remote host name. If it is set to Off, then it will hold @@ -2415,7 +2476,9 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
- <literal moreinfo="none">REMOTE_PORT</literal> + + <literal moreinfo="none">REMOTE_PORT</literal> + This variable holds information on the source port that the client used when initiating the connection to our web server. Example: in this @@ -2427,7 +2490,9 @@ SM %{MULTIPART_SEMICOLON_MISSING}'"
- <literal moreinfo="none">REMOTE_USER</literal> + + <literal moreinfo="none">REMOTE_USER</literal> + This variable holds the username of the authenticated user. If there are no password (basic|digest) access controls in place, then this @@ -2435,14 +2500,18 @@ SM %{MULTIPART_SEMICOLON_MISSING}'" SecRule REMOTE_USER "admin" - Note + + Note + This data will not be available in a proxy-mode deployment as the authentication is not local.
- <literal moreinfo="none">REQBODY_PROCESSOR</literal> + + <literal moreinfo="none">REQBODY_PROCESSOR</literal> + Built-in processors are URLENCODED, @@ -2454,8 +2523,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal - moreinfo="none">REQBODY_PROCESSOR_ERROR</literal> + + <literal moreinfo="none">REQBODY_PROCESSOR_ERROR</literal> + Possible values are 0 (no error) or 1 (error). This variable will be set by request body processors (typically the @@ -2480,8 +2550,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal - moreinfo="none">REQBODY_PROCESSOR_ERROR_MSG</literal> + + <literal moreinfo="none">REQBODY_PROCESSOR_ERROR_MSG</literal> + Empty, or contains the error message from the processor. Example: @@ -2490,7 +2561,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">REQUEST_BASENAME</literal> + + <literal moreinfo="none">REQUEST_BASENAME</literal> + This variable holds just the filename part of REQUEST_FILENAME (e.g. index.php). Warning: not @@ -2500,7 +2573,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">REQUEST_BODY</literal> + + <literal moreinfo="none">REQUEST_BODY</literal> + This variable holds the data in the request body (including POST_PAYLOAD data). REQUEST_BODY should be used if the original order of @@ -2509,14 +2584,18 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" SecRule REQUEST_BODY "^username=\w{25,}\&password=\w{25,}\&Submit\=login$" - Note + + Note + This variable is only available if the content type is application/x-www-form-urlencoded.
- <literal moreinfo="none">REQUEST_COOKIES</literal> + + <literal moreinfo="none">REQUEST_COOKIES</literal> + This variable is a collection of all of the cookie data. Example: the following example is using the Ampersand special operator to count @@ -2527,7 +2606,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">REQUEST_COOKIES_NAMES</literal> + + <literal moreinfo="none">REQUEST_COOKIES_NAMES</literal> + This variable is a collection of the cookie names in the request headers. Example: the following rule will trigger if the JSESSIONID @@ -2537,7 +2618,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">REQUEST_FILENAME</literal> + + <literal moreinfo="none">REQUEST_FILENAME</literal> + This variable holds the relative REQUEST_URI minus the QUERY_STRING part (e.g. /index.php). Example: @@ -2546,7 +2629,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">REQUEST_HEADERS</literal> + + <literal moreinfo="none">REQUEST_HEADERS</literal> + This variable can be used as either a collection of all of the Request Headers or can be used to specify indivudual headers (by using @@ -2564,7 +2649,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">REQUEST_HEADERS_NAMES</literal> + + <literal moreinfo="none">REQUEST_HEADERS_NAMES</literal> + This variable is a collection of the names of all of the Request Headers. Example: @@ -2574,7 +2661,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">REQUEST_LINE</literal> + + <literal moreinfo="none">REQUEST_LINE</literal> + This variable holds the complete request line sent to the server (including the REQUEST_METHOD and HTTP version data). Example: this @@ -2584,7 +2673,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" SecRule REQUEST_LINE "!(^((?:(?:pos|ge)t|head))|http/(0\.9|1\.0|1\.1)$)" - Note + + Note + Due to the default action transformation function lowercase, the regex strings should be in lowercase as well unless the t:none @@ -2592,7 +2683,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">REQUEST_METHOD</literal> + + <literal moreinfo="none">REQUEST_METHOD</literal> + This variable holds the Request Method used by the client. Example: the following example will trigger if the Request Method is @@ -2600,7 +2693,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" SecRule REQUEST_METHOD "^((?:connect|trace))$" - Note + + Note + Due to the default action transformation function lowercase, the regex strings should be in lowercase as well unless the t:none @@ -2608,14 +2703,18 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">REQUEST_PROTOCOL</literal> + + <literal moreinfo="none">REQUEST_PROTOCOL</literal> + This variable holds the Request Protocol Version information. Example: SecRule REQUEST_PROTOCOL "!^http/(0\.9|1\.0|1\.1)$" - Note + + Note + Due to the default action transformation function lowercase, the regex strings should be in lowercase as well unless the t:none @@ -2623,7 +2722,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">REQUEST_URI</literal> + + <literal moreinfo="none">REQUEST_URI</literal> + This variable holds the full URL including the QUERY_STRING data (e.g. /index.php?p=X), however it will never contain a domain name, even @@ -2635,7 +2736,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">REQUEST_URI_RAW</literal> + + <literal moreinfo="none">REQUEST_URI_RAW</literal> + Same as REQUEST_URI but will contain the domain name if it was provided on the request line (e.g. @@ -2646,7 +2749,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">RESPONSE_BODY</literal> + + <literal moreinfo="none">RESPONSE_BODY</literal> + This variable holds the data for the response payload. Example: @@ -2655,7 +2760,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal>RESPONSE_CONTENT_LENGTH</literal> + + <literal>RESPONSE_CONTENT_LENGTH</literal> + Response body length in bytes. Can be available starting with phase 3 but it does not have to be (as the length of response body is @@ -2671,14 +2778,18 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal>RESPONSE_CONTENT_TYPE</literal> + + <literal>RESPONSE_CONTENT_TYPE</literal> + Response content type. Only available starting with phase 3.
- <literal moreinfo="none">RESPONSE_HEADERS</literal> + + <literal moreinfo="none">RESPONSE_HEADERS</literal> + This variable is similar to the REQUEST_HEADERS variable and can be used in the same manner. Example: @@ -2686,7 +2797,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" SecRule RESPONSE_HEADERS:X-Cache "MISS" - Note + + Note + This variable may not have access to some headers when running in embedded-mode. Headers such as Server, Date, Connection and Content-Type @@ -2696,21 +2809,27 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">RESPONSE_HEADERS_NAMES</literal> + + <literal moreinfo="none">RESPONSE_HEADERS_NAMES</literal> + This variable is a collection of the response header names. Example: SecRule RESPONSE_HEADERS_NAMES "Set-Cookie" - Note + + Note + Same limitations as RESPONSE_HEADERS with regards to access to some headers in embedded-mode.
- <literal moreinfo="none">RESPONSE_PROTOCOL</literal> + + <literal moreinfo="none">RESPONSE_PROTOCOL</literal> + This variable holds the HTTP Response Protocol information. Example: @@ -2719,14 +2838,18 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">RESPONSE_STATUS</literal> + + <literal moreinfo="none">RESPONSE_STATUS</literal> + This variable holds the HTTP Response Status Code generated by Apache. Example: SecRule RESPONSE_STATUS "^[45]" - Note + + Note + This directive may not work as expected in embedded-mode as Apache handles many of the stock response codes (404, 401, etc...) earlier in @@ -2735,7 +2858,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">RULE</literal> + + <literal moreinfo="none">RULE</literal> + This variable provides access to the id, rev, @@ -2750,59 +2875,77 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">SCRIPT_BASENAME</literal> + + <literal moreinfo="none">SCRIPT_BASENAME</literal> + This variable holds just the local filename part of SCRIPT_FILENAME. Example: SecRule SCRIPT_BASENAME "^login\.php$" - Note + + Note + This variable is not available in proxy mode.
- <literal moreinfo="none">SCRIPT_FILENAME</literal> + + <literal moreinfo="none">SCRIPT_FILENAME</literal> + This variable holds the full path on the server to the requested script. (e.g. SCRIPT_NAME plus the server path). Example: SecRule SCRIPT_FILENAME "^/usr/local/apache/cgi-bin/login\.php$" - Note + + Note + This variable is not available in proxy mode.
- <literal moreinfo="none">SCRIPT_GID</literal> + + <literal moreinfo="none">SCRIPT_GID</literal> + This variable holds the groupid (numerical value) of the group owner of the script. Example: SecRule SCRIPT_GID "!^46$" - Note + + Note + This variable is not available in proxy mode.
- <literal moreinfo="none">SCRIPT_GROUPNAME</literal> + + <literal moreinfo="none">SCRIPT_GROUPNAME</literal> + This variable holds the group name of the group owner of the script. Example: SecRule SCRIPT_GROUPNAME "!^apache$" - Note + + Note + This variable is not available in proxy mode.
- <literal moreinfo="none">SCRIPT_MODE</literal> + + <literal moreinfo="none">SCRIPT_MODE</literal> + This variable holds the script's permissions mode data (numerical - 1=execute, 2=write, 4=read and 7=read/write/execute). Example: will @@ -2810,13 +2953,17 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" SecRule SCRIPT_MODE "^(2|3|6|7)$" - Note + + Note + This variable is not available in proxy mode.
- <literal moreinfo="none">SCRIPT_UID</literal> + + <literal moreinfo="none">SCRIPT_UID</literal> + This variable holds the userid (numerical value) of the owner of the script. Example: the example rule below will trigger if the UID is @@ -2824,26 +2971,34 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd" SecRule SCRIPT_UID "!^46$" - Note + + Note + This variable is not available in proxy mode.
- <literal moreinfo="none">SCRIPT_USERNAME</literal> + + <literal moreinfo="none">SCRIPT_USERNAME</literal> + This variable holds the username of the owner of the script. Example: SecRule SCRIPT_USERNAME "!^apache$" - Note + + Note + This variable is not available in proxy mode.
- <literal moreinfo="none">SERVER_ADDR</literal> + + <literal moreinfo="none">SERVER_ADDR</literal> + This variable contains the IP address of the server. Example: @@ -2852,21 +3007,27 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">SERVER_NAME</literal> + + <literal moreinfo="none">SERVER_NAME</literal> + This variable contains the server's hostname or IP address. Example: SecRule SERVER_NAME "hostname\.com$" - Note + + Note + This data is taken from the Host header submitted in the client request.
- <literal moreinfo="none">SERVER_PORT</literal> + + <literal moreinfo="none">SERVER_PORT</literal> + This variable contains the local port that the web server is listening on. Example: @@ -2875,7 +3036,9 @@ SecRule XML "@validateDTD /opt/apache-frontend/conf/xml.dtd"
- <literal moreinfo="none">SESSION</literal> + + <literal moreinfo="none">SESSION</literal> + This variable is a collection, available only after setsid is executed. Example: the following @@ -2893,7 +3056,9 @@ SecRule SESSION:BLOCKED "@eq 1" "log,deny,statu
- <literal moreinfo="none">SESSIONID</literal> + + <literal moreinfo="none">SESSIONID</literal> + This variable is the value set with setsid. Example: @@ -2904,7 +3069,9 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- <literal moreinfo="none">TIME</literal> + + <literal moreinfo="none">TIME</literal> + This variable holds a formatted string representing the time (hour:minute:second). Example: @@ -2913,7 +3080,9 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- <literal moreinfo="none">TIME_DAY</literal> + + <literal moreinfo="none">TIME_DAY</literal> + This variable holds the current date (1-31). Example: this rule would trigger anytime between the 10th and 20th days of the @@ -2923,7 +3092,9 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- <literal moreinfo="none">TIME_EPOCH</literal> + + <literal moreinfo="none">TIME_EPOCH</literal> + This variable holds the time in seconds since 1970. Example: @@ -2932,7 +3103,9 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- <literal moreinfo="none">TIME_HOUR</literal> + + <literal moreinfo="none">TIME_HOUR</literal> + This variable holds the current hour (0-23). Example: this rule would trigger during "off hours". @@ -2941,7 +3114,9 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- <literal moreinfo="none">TIME_MIN</literal> + + <literal moreinfo="none">TIME_MIN</literal> + This variable holds the current minute (0-59). Example: this rule would trigger during the last half hour of every hour. @@ -2950,7 +3125,9 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- <literal moreinfo="none">TIME_MON</literal> + + <literal moreinfo="none">TIME_MON</literal> + This variable holds the current month (0-11). Example: this rule would match if the month was either November (10) or December @@ -2960,7 +3137,9 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- <literal moreinfo="none">TIME_SEC</literal> + + <literal moreinfo="none">TIME_SEC</literal> + This variable holds the current second count (0-59). Example: @@ -2969,7 +3148,9 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- <literal moreinfo="none">TIME_WDAY</literal> + + <literal moreinfo="none">TIME_WDAY</literal> + This variable holds the current weekday (0-6). Example: this rule would trigger only on week-ends (Saturday and Sunday). @@ -2978,7 +3159,9 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- <literal moreinfo="none">TIME_YEAR</literal> + + <literal moreinfo="none">TIME_YEAR</literal> + This variable holds the current four-digit year data. Example: @@ -2987,7 +3170,9 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID}
- <literal moreinfo="none">TX</literal> + + <literal moreinfo="none">TX</literal> + Transaction Collection. This is used to store pieces of data, create a transaction anomaly score, and so on. Transaction variables are @@ -3015,11 +3200,6 @@ SecAction setsid:%{REQUEST_COOKIES.PHPSESSID} moreinfo="none">@rx operator with capturing parens and the capture action. - - - TX:LAST_MATCHED_VAR_NAME - - The full name of the variable that was matched against. - SecRule WEBSERVER_ERROR_LOG "does not exist" "phase:5,pass, TX:SCORE "@gt 20" deny,log
- <literal moreinfo="none">USERID</literal> + + <literal moreinfo="none">USERID</literal> + This variable is the value set with setuid. Example: @@ -3038,7 +3220,9 @@ SecRule USERID "Admin"
- <literal moreinfo="none">WEBAPPID</literal> + + <literal moreinfo="none">WEBAPPID</literal> + This variable is the value set with SecWebAppId. Example: @@ -3049,7 +3233,9 @@ SecRule REQUEST_HEADERS:Transfer-Encoding "!^$"
- <literal moreinfo="none">WEBSERVER_ERROR_LOG</literal> + + <literal moreinfo="none">WEBSERVER_ERROR_LOG</literal> + Contains zero or more error messages produced by the web server. Access to this variable is in phase:5 (logging). Example: @@ -3058,7 +3244,9 @@ SecRule REQUEST_HEADERS:Transfer-Encoding "!^$"
- <literal moreinfo="none">XML</literal> + + <literal moreinfo="none">XML</literal> + Can be used standalone (as a target for validateDTD and validateSchema) or with an XPath expression parameter (which makes it a @@ -3129,14 +3317,17 @@ SecRule XML:/xq:employees/employee/name/text() - XPath - Standard + + XPath Standard + - XPath - Tutorial + + XPath + Tutorial +