[Owasp-modsecurity-core-rule-set] a question about TX:'/REGEXP/' syntax

Josh Amishav-Zlatin jamuse at gmail.com
Sun Dec 4 08:08:03 EST 2011


On Sun, Dec 4, 2011 at 2:49 PM, Tzury Bar Yochay
<tzury.by at reguluslabs.com> wrote:
> Hi,
>
> I wonder what is the meaning of rules in the following structure:
>
>     &TX:'/REGEXP/'

Hi Tzury,

Like any other collection, you can limit the search inside that
collection via regex. For example, if you wanted to check there is at
least one variable whose name includes the string Tzury inside the TX
collection you could write:

SecRule &TX:'/Tzury/' "@eq 1" "phase:2,t:none,allow"

--
 - Josh

>
> since '&' is the counter operator, and as far as I know, at least
> according to "ModSecurity Handboo" by "Ivan Ristic", TX is used to capture
> data and it range from 0 to 9.
> So I would expect a numeric parameter rather than a regular expression (e.g.
> TX:0, TX:1, etc.).
>
> Those are found all over files under '/slr_rules'.
>
> examples:
>
>     SecRule &TX:'/RFI.*ARGS:pathForArdeaCore/' "@gt 0"
>     SecRule &TX:'/RFI.*ARGS:page_include/' "@gt 0"
>     SecRule &TX:'/RFI.*ARGS:LibDir/' "@gt 0"
>
> and many more...
>
>
>
>
> _______________________________________________
> Owasp-modsecurity-core-rule-set mailing list
> Owasp-modsecurity-core-rule-set at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
>


More information about the Owasp-modsecurity-core-rule-set mailing list