[Owasp-modsecurity-core-rule-set] a question about TX:'/REGEXP/' syntax

Tzury Bar Yochay tzury.by at reguluslabs.com
Sun Dec 4 08:13:25 EST 2011


Thanks a lot Josh,

In fact, I assumed so, but that means, TX is not only indexed by 0-9,
rather with strings as well.
Is this documented anywhere? Or am I missing a key principle in here?


On Sun, Dec 4, 2011 at 3:08 PM, Josh Amishav-Zlatin <jamuse at gmail.com>wrote:

> On Sun, Dec 4, 2011 at 2:49 PM, Tzury Bar Yochay
> <tzury.by at reguluslabs.com> wrote:
> > Hi,
> >
> > I wonder what is the meaning of rules in the following structure:
> >
> >     &TX:'/REGEXP/'
>
> Hi Tzury,
>
> Like any other collection, you can limit the search inside that
> collection via regex. For example, if you wanted to check there is at
> least one variable whose name includes the string Tzury inside the TX
> collection you could write:
>
> SecRule &TX:'/Tzury/' "@eq 1" "phase:2,t:none,allow"
>
> --
>  - Josh
>
> >
> > since '&' is the counter operator, and as far as I know, at least
> > according to "ModSecurity Handboo" by "Ivan Ristic", TX is used to
> capture
> > data and it range from 0 to 9.
> > So I would expect a numeric parameter rather than a regular expression
> (e.g.
> > TX:0, TX:1, etc.).
> >
> > Those are found all over files under '/slr_rules'.
> >
> > examples:
> >
> >     SecRule &TX:'/RFI.*ARGS:pathForArdeaCore/' "@gt 0"
> >     SecRule &TX:'/RFI.*ARGS:page_include/' "@gt 0"
> >     SecRule &TX:'/RFI.*ARGS:LibDir/' "@gt 0"
> >
> > and many more...
> >
> >
> >
> >
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set at lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-modsecurity-core-rule-set/attachments/20111204/ae444634/attachment.html 


More information about the Owasp-modsecurity-core-rule-set mailing list