On Sun, Dec 4, 2011 at 3:13 PM, Tzury Bar Yochay <[email protected]> wrote: > Thanks a lot Josh, > > In fact, I assumed so, but that means, TX is not only indexed by 0-9, rather > with strings as well. > Is this documented anywhere? Or am I missing a key principle in here?
The TX collection is meant for transient data, i.e. its only available until the transaction is complete. The TX:0-TX:9 syntax allows you to access data captured via the capture action. However, not all data in the TX collection is captured data, e.g. the anomaly scores in the CRS. -- - Josh > > > On Sun, Dec 4, 2011 at 3:08 PM, Josh Amishav-Zlatin <[email protected]> > wrote: >> >> On Sun, Dec 4, 2011 at 2:49 PM, Tzury Bar Yochay >> <[email protected]> wrote: >> > Hi, >> > >> > I wonder what is the meaning of rules in the following structure: >> > >> > &TX:'/REGEXP/' >> >> Hi Tzury, >> >> Like any other collection, you can limit the search inside that >> collection via regex. For example, if you wanted to check there is at >> least one variable whose name includes the string Tzury inside the TX >> collection you could write: >> >> SecRule &TX:'/Tzury/' "@eq 1" "phase:2,t:none,allow" >> >> -- >> - Josh >> >> > >> > since '&' is the counter operator, and as far as I know, at least >> > according to "ModSecurity Handboo" by "Ivan Ristic", TX is used to >> > capture >> > data and it range from 0 to 9. >> > So I would expect a numeric parameter rather than a regular expression >> > (e.g. >> > TX:0, TX:1, etc.). >> > >> > Those are found all over files under '/slr_rules'. >> > >> > examples: >> > >> > SecRule &TX:'/RFI.*ARGS:pathForArdeaCore/' "@gt 0" >> > SecRule &TX:'/RFI.*ARGS:page_include/' "@gt 0" >> > SecRule &TX:'/RFI.*ARGS:LibDir/' "@gt 0" >> > >> > and many more... >> > >> > >> > >> > >> > _______________________________________________ >> > Owasp-modsecurity-core-rule-set mailing list >> > [email protected] >> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set >> > > > _______________________________________________ Owasp-modsecurity-core-rule-set mailing list [email protected] https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set
