[Owasp-modsecurity-core-rule-set] few questions in regards to rules

Tzury Bar Yochay tzury.by at reguluslabs.com
Tue Dec 6 21:31:30 EST 2011


While going through the rule files I have gathered a few questions, and I
will appreciate it if someone can help me with them.

1) I have seen several cases where setvar is stated without the right
part, e.g.

        SecRule TX:'/MISSING_HEADER_/' "TX\:(.*)" "capture,t:none,setvar:!tx.%{tx.1}"

   I wonder what it means, as normally, set is in the form of x = y,
and not x, or !x in this case.

2) There seems to be a typo at line:

        SecRule REQUEST_LINE "^GET /$" "chain,phase:2,id:981020',t:none,pass,nolog"

    There is a trailing apostrophe (') after the id

3) A few days ago I asked the following question but have not yet got an answer to it.
    When I see a rule such as

        SecRule ARGS:&category "(?i:SELECT.+FROM)" "ctl:auditLogParts=+..."

    I wonder what the role of the ampersand before the category is. As
    far as I know, '&' means a counting operation and it is usually followed
    by a numeric operation, e.g. @eq, @ge and the like.

    However, this is a case where I see & followed by an implicit '@rx'.


Thanks in advance for your help,
Tzury

