From f11647e7e081aeb854e1a3f5f45949c6215c6a74 Mon Sep 17 00:00:00 2001 From: Christian Folini Date: Mon, 10 Jun 2013 23:36:56 -0700 Subject: [PATCH] Explaining PERF_RULES in detail. --- Reference-Manual.mediawiki | 34 ++++++++++++++++++++++++++++++++-- 1 file changed, 32 insertions(+), 2 deletions(-) diff --git a/Reference-Manual.mediawiki b/Reference-Manual.mediawiki index 053df9e..15b4b36 100644 --- a/Reference-Manual.mediawiki +++ b/Reference-Manual.mediawiki @@ -2024,9 +2024,39 @@ Contains the time, in microseconds, spent processing phase 4. Available starting Contains the time, in microseconds, spent processing phase 5. Available starting with 2.6. == PERF_RULES == -Contains the time of rules, in microseconds. Available starting with 2.7. +PERF_RULES is a collection, that is populated with the rules hitting +the performance threshold defined with SecRulePerfTime. The collection +contains the time, in microseconds, spent processing the individual +rule. The various items in the collection can be accessed via the +rule id. + +Available starting with 2.7. + +
+SecRulePerfTime            100
+
+SecRule FILES_TMPNAMES "@inspectFile /path/to/util/runav.pl" \
+  "phase:2,id:10001,deny,log,msg:'Virus scan detected an error.'"
+
+SecRule   &PERF_RULES "@eq 0"    "phase:5,id:95000,\
+  pass,log,msg:'All rules performed below processing time limit.'"
+SecRule   PERF_RULES  "@ge 1000" "phase:5,id:95001,pass,log,\
+  msg:'Rule %{MATCHED_VAR_NAME} spent at least 1000 usec.'"
+SecAction "phase:5,id:95002,pass,log, msg:'File inspection took %{PERF_RULES.10001} usec.'"
+
+ +The rule with id 10001 defines an external file inspection rule. +The rule with id 95000 checks the size of the PERF_RULES collection. +If the collection is empty, it writes a note in the logfile. +Rule 95001 is executed for every item in the PERF_RULES collection. +Every item is thus being checked against the limit of 1000 microseconds. +If the rule spent at least that amount of time, then a note containing +the rule id is being written to the logfile. +The final rule 95002 notes the time spent in rule 10001 (the virus +inspection). + + -SecRule PERF_RULES "@gt 1000" "id:12345,phase:5" == PERF_SREAD == Contains the time, in microseconds, spent reading from persistent storage. Available starting with 2.6.
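Review bot: Rule 95002 in the example is an unconditional SecAction that expands %{PERF_RULES.10001}, yet the new description says the collection is only populated with rules hitting the SecRulePerfTime threshold. On a transaction where rule 10001 stays below that threshold, the item is absent and the log message carries no timing value, while the closing paragraph says 95002 "notes the time spent in rule 10001" without that caveat. Either make 95002 conditional on the item being present in the collection, or state in the explanation that the message is only meaningful when rule 10001 hit the threshold. Two smaller points: the example sets "SecRulePerfTime 100" without saying what unit the 100 is in (the text gives microseconds only for the collection contents), and the comma in "is a collection, that is populated" should go.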