This section contains the variables available for use in rule writing. Some variables are actually collections—this is indicated in the description.
A collection containing the arguments passed in the request. This includes both arguments passed via the query string (for example, in the form GET /?name=value) and those passed via POST requests.
Example: ARGS:username
Note that the collection only contains the value parts of the arguments. To get access to the name parts, use ARGS_NAMES. ARGS can be used on its own (without specifying a name), in which case it refers to all argument values.
The combined size of all arguments. In the example where the arguments are name=value, the combined size would be 9.
A collection containing the name parts of the name=value pairs of the arguments. ARGS_NAMES can be used by itself, in which case it refers to all of the name parts in the passed argument list.
A collection containing only argument values passed in a POST request. Only available if SecRequestBodyAccess has been set to On.
A collection containing only the argument names passed in a POST request. Only available if SecRequestBodyAccess has been set to On.
A collection with the names of the files that were uploaded as part of a POST request, as they appeared on the client's system.
A collection that is initialized when you use the @geoLookup operator. Only works when you have a geographical database in place. For more information and all the fields contained in this collection, see the section GEO Collection Fields in Chapter 2.
Contains the highest severity of the rules that have matched so far, as specified by using the severity action in rules. The value is set to 255 if no severity has been set by any rules.
Contains the ModSecurity build number. You can use this in conjunction with the skipAfter action to ensure that a ModSecurity rule is only used if the current ModSecurity can handle the syntax of the rule.
Set to 1 when a client mixes the use of CRLF and LF as line terminators in a multi-part POST request.
Set to 1 if a multi-part POST request is formatted in a non-standard way. This can be a sign of someone trying to evade the web application firewall.
The full query string. To access individual name/value pairs in the query string, use the ARGS or ARGS_GET collection.
If the Apache configuration directive HostNameLookups is set to On, then this contains the remote user's hostname; otherwise it contains the remote IP address.
The filename part of a request URI.
Example: If the request URI is /products/index.jsp, REQUEST_BASENAME is set to index.jsp.
The HTTP request body. Only available in phase 2 and later, and only if SecRequestBodyAccess has been set to On.
A collection containing the names of the request headers sent, for example the Host part of the header Host: www.example.com.
Almost the same as REQUEST_URI, except that this variable will also contain the domain name of the server if it was specified in the client's GET request.
Example: http://www.example.com/index.php?username=john
The HTTP response body. The response body is only available in phases 4 and 5, and only if SecResponseBodyAccess is set to On and the response body is of a MIME type for which buffering is enabled (as defined by SecResponseBodyMimeType).
The response body length in bytes. If ModSecurity cannot determine the size of the response body, this variable is set to 0.
A collection that gives access to the id, rev, severity, logdata, and msg fields of the rule that triggered the action.
The full filename to the script (file) that was requested by the client.
Example: /home/www/login.php
The hostname of the web server. The value of this variable is taken from the Host: header specified by the client when making the HTTP request.
A collection, to be used for storing session data. Available only after the setsid action has been used.
Number of seconds elapsed since January 1st, 1970. This is known as "Unix time" and is a timestamp that is used by Unix and Linux systems.
This is the transaction collection. It can be used in conjunction with setvar to store data that you need access to later. The data in TX only survives the current transaction.
Example usage: SecRule "secret" "setvar:tx.host=%{REMOTE_HOST}"
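
The following is an added example, not part of the original reference. It shows the TX collection carrying a score between rules of one transaction, fed by the two multi-part flags and the argument-name collection described above. MULTIPART_CRLF_LF_LINES and MULTIPART_STRICT_ERROR are the ModSecurity names of those flags; the rule ids, the tx.evasion_score name, the name pattern and the threshold of 2 are constructed for illustration.

```apache
# Added example: ids 900100-900140, tx.evasion_score and the threshold
# are constructed placeholders, not values from the original page.
SecRuleEngine On
SecRequestBodyAccess On

# Phase 1: start every transaction with a zero score in the TX collection.
SecAction "id:900100,phase:1,pass,nolog,setvar:tx.evasion_score=0"

# Phase 2: the multi-part body mixed CRLF and LF line terminators.
SecRule MULTIPART_CRLF_LF_LINES "!@eq 0" \
    "id:900110,phase:2,t:none,pass,nolog,setvar:tx.evasion_score=+1"

# Phase 2: the multi-part body was formatted in a non-standard way.
SecRule MULTIPART_STRICT_ERROR "!@eq 0" \
    "id:900120,phase:2,t:none,pass,nolog,setvar:tx.evasion_score=+2"

# Phase 2: argument names outside a conservative character set
# also add to the score (query string and POST names are both covered).
SecRule ARGS_NAMES "!@rx ^[A-Za-z0-9_.-]{1,64}$" \
    "id:900130,phase:2,t:none,pass,nolog,setvar:tx.evasion_score=+1"

# Phase 2: act on the accumulated score. This rule must come after the
# scoring rules, because rules in a phase run in configuration order.
SecRule TX:evasion_score "@ge 2" \
    "id:900140,phase:2,t:none,deny,status:400,log,\
    msg:'Request parsing anomalies exceeded threshold',\
    logdata:'score=%{tx.evasion_score}'"
```

Because the data in TX only survives the current transaction, the score resets on every request; tracking a client across requests needs a persistent collection instead.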