Variables
This section contains the variables available for use in rule writing. Some variables are actually collections—this is indicated in the description.
ARGS
A collection containing the arguments passed in the request. This includes both arguments passed via the query string (for example, in the form GET /?name=value) and those passed via POST requests.
Example: ARGS:username
Note that the collection only contains the value parts of the arguments. To get access to the name parts, use ARGS_NAMES. ARGS can be used on its own (without specifying a name), in which case it refers to all argument values.
ARGS_COMBINED_SIZE
The combined size of all arguments. In the example where the arguments are name=value, the combined size would be 9.
ARGS_NAMES
A collection containing the name parts of the name=value pairs of the arguments. ARGS_NAMES can be used by itself, in which case it refers to all of the name parts in the passed argument list.
ARGS_GET
A collection containing only argument values passed in a GET request.
ARGS_GET_NAMES
A collection containing only argument names passed in a GET request.
ARGS_POST
A collection containing only argument values passed in a POST request. Only available if SecRequestBodyAccess has been set to On.
ARGS_POST_NAMES
A collection containing only the argument names passed in a POST request. Only available if SecRequestBodyAccess has been set to On.
AUTH_TYPE
Contains the authentication method used to validate a user (for example, Basic, Digest).
ENV
A collection that contains the value of variables previously set using the setenv action.
FILES
A collection with the names of the files that were uploaded as part of a POST request, as they appeared on the client's system.
FILES_COMBINED_SIZE
The combined total size of any uploaded files.
FILES_NAMES
Contains a list of the form fields used for file uploads.
FILES_SIZES
A collection containing the file sizes of any intercepted files uploaded via an HTTP POST request.
FILES_TMPNAMES
A collection containing the filenames of any intercepted files uploaded via an HTTP POST request.
GEO
A collection that is initialized when you use the @geoLookup operator. Only works when you have a geographical database in place. For more information and all the fields contained in this collection, see the section GEO Collection Fields in Chapter 2.
HIGHEST_SEVERITY
Contains the highest severity of the rules that have matched so far, as specified by using the severity action in rules. The value is set to 255 if no severity has been set by any rules.
MATCHED_VAR
The value of the variable that was matched.
MATCHED_VAR_NAME
The name of the variable that was matched.
MODSEC_BUILD
Contains the ModSecurity build number. You can use this in conjunction with the skipAfter action to ensure that a ModSecurity rule is only used if the current ModSecurity can handle the syntax of the rule.
MULTIPART_CRLF_LF_LINES
Set to 1 when a client mixes the use of CRLF and LF as line terminators in a multi-part POST request.
MULTIPART_STRICT_ERROR
Set to 1 if a multi-part POST request is formatted in a non-standard way. This can be a sign of someone trying to evade the web application firewall.
MULTIPART_UNMATCHED_BOUNDARY
Set to 1 when ModSecurity detects that a multipart POST request contains an unmatched boundary.
PATH_INFO
Contains the additional path info passed to a dynamic web page.
QUERY_STRING
The full query string. To access individual name/value pairs in the query string, use the ARGS or ARGS_GET collection.
REMOTE_ADDR
The remote user's IP address.
REMOTE_HOST
If the Apache configuration directive HostNameLookups is set to On, then this contains the remote user's hostname; otherwise it contains the remote IP address.
REMOTE_PORT
The port number used on the remote user's end of the connection.
REMOTE_USER
Contains the user name of the authenticated user.
REQBODY_PROCESSOR
The name of the request body processor module used.
REQBODY_PROCESSOR_ERROR
Set to 1 if an error occurs parsing a request body.
REQBODY_PROCESSOR_ERROR_MSG
Error message from the request body parser.
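Added example (not part of the original reference): one way to act on REQBODY_PROCESSOR_ERROR and the MULTIPART_* flags described above, so that a body the parser could not fully understand never reaches later rules unnoticed. The rule ids, messages and the choice of deny versus log-only are assumptions.

```apache
# Added example, not from the original page. Rule ids 900101-900103 and the
# msg texts are constructed; move them into your own id range.

# Request bodies are only buffered and parsed when this is On.
SecRequestBodyAccess On

# The body could not be parsed: rules on ARGS_POST or FILES would be looking
# at incomplete data, so reject and keep the parser's message for triage.
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
    "id:900101,phase:2,t:none,log,deny,status:400,\
    msg:'Request body could not be parsed',\
    logdata:'%{REQBODY_PROCESSOR_ERROR_MSG}'"

# Non-standard multipart formatting or an unmatched boundary. One rule covers
# both flags; MATCHED_VAR_NAME records which of the two fired.
SecRule MULTIPART_STRICT_ERROR|MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
    "id:900102,phase:2,t:none,log,deny,status:400,\
    msg:'Malformed multipart request body',\
    logdata:'%{MATCHED_VAR_NAME}=%{MATCHED_VAR}'"

# Mixed CRLF/LF line terminators: logged only in this sketch (assumed policy).
SecRule MULTIPART_CRLF_LF_LINES "!@eq 0" \
    "id:900103,phase:2,t:none,log,pass,\
    msg:'Multipart body mixes CRLF and LF line terminators'"
```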
REQUEST_BASENAME
The filename part of a request URI.
Example: If the request URI is /products/index.jsp, REQUEST_BASENAME is set to index.jsp.
REQUEST_BODY
The HTTP request body. Only available in phase 2 and later, and only if SecRequestBodyAccess has been set to On.
REQUEST_COOKIES
A collection containing the cookie data sent by the client.
REQUEST_COOKIES_NAMES
A collection containing the names of the cookies sent by the client.
REQUEST_FILENAME
The filename part of the request, i.e. REQUEST_URI minus any query string.
Example: /index.html
REQUEST_HEADERS
A collection containing all the request headers sent by the client.
Example usage: SecRule REQUEST_HEADERS:User-Agent
REQUEST_HEADERS_NAMES
A collection containing the names of the request headers sent, for example the Host part of the header Host: www.example.com.
REQUEST_LINE
The complete request line sent by the client.
Example: GET / HTTP/1.1
REQUEST_METHOD
The HTTP request method used by the client, for example GET or POST.
REQUEST_PROTOCOL
The protocol and version number used by the client.
Example: HTTP/1.1
REQUEST_URI
The request URI, including the full query string.
Example: /index.php?username=john
REQUEST_URI_RAW
Almost the same as REQUEST_URI, but this variable will also contain the domain name of the server if it was specified in the client's GET request.
Example: http://www.example.com/index.php?username=john
RESPONSE_BODY
The HTTP response body. The response body is only available in phases 4 and 5, and only if SecResponseBodyAccess is set to On and the response body is of a MIME type for which buffering is enabled (as defined by SecResponseBodyMimeType).
RESPONSE_CONTENT_LENGTH
The response body length in bytes. If ModSecurity cannot determine the size of the response body, this variable is set to 0.
RESPONSE_CONTENT_TYPE
The content type of the HTTP response, for example text/plain.
RESPONSE_HEADERS
The HTTP response headers. Some headers may not be available until phase 5 (logging).
RESPONSE_HEADERS_NAMES
A collection containing the response header names.
RESPONSE_PROTOCOL
Contains protocol information for the response, for example HTTP/1.0.
RESPONSE_STATUS
The HTTP status code for the response. This may not be available in all rule processing phases.
RULE
A collection that gives access to the id, rev, severity, logdata, and msg fields of the rule that triggered the action.
SCRIPT_BASENAME
The filename part of SCRIPT_FILENAME.
Example: login.php
SCRIPT_FILENAME
The full filename to the script (file) that was requested by the client.
Example: /home/www/login.php
SCRIPT_GID
The group ID of the group the owner of the requested file belongs to.
SCRIPT_GROUPNAME
The group name of the group the owner of the requested file belongs to.
SCRIPT_MODE
The permission mode of the requested file (for example, 744).
SCRIPT_UID
The user ID of the owner of the requested file.
SCRIPT_USERNAME
The username of the user that the requested file belongs to.
Example: apache
SERVER_ADDR
The IP address of the web server.
SERVER_NAME
The hostname of the web server. The value of this variable is taken from the Host: header specified by the client when making the HTTP request.
SERVER_PORT
The port number used by the web server.
SESSION
A collection, to be used for storing session data. Available only after the setsid action has been used.
SESSIONID
Contains the value previously set by using the ModSecurity action setsid.
TIME
A string with the current time, formatted as a 24-hour clock (hh:mm:ss).
TIME_DAY
The current day of the month (1-31).
TIME_EPOCH
Number of seconds elapsed since January 1st, 1970. This is known as "Unix time" and is a timestamp that is used by Unix and Linux systems.
TIME_HOUR
The current hour, in 24-hour format (0-23).
TIME_MIN
The current minute (0-59).
TIME_MON
The current month, represented as a number from 0 to 11, where 0 is January and 11 is December.
TIME_SEC
The current second count (0-59).
TIME_WDAY
The current weekday, represented as a number from 0 to 6, where 0 is Sunday and 6 is Saturday.
TIME_YEAR
The current year, in four-digit format, for example, 2009.
TX
This is the transaction collection. It can be used in conjunction with setvar to store data that you need access to later. The data in TX only survives the current transaction.
Example usage: SecRule "secret" "setvar:tx.host=%{REMOTE_HOST}"
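Added example (not part of the original reference): TX used with setvar to carry a per-request score between rules, fed by ARGS_NAMES, ARGS_COMBINED_SIZE and REQUEST_HEADERS and evaluated once at the end. The name tx.score, the rule ids and every threshold are assumptions chosen for illustration.

```apache
# Added example, not from the original page. Rule ids 900200-900204, the
# variable name tx.score and all thresholds are constructed assumptions.

# Start every transaction with a zero score.
SecAction "id:900200,phase:1,nolog,pass,setvar:tx.score=0"

# ARGS_NAMES: parameter names outside a plain identifier alphabet add 3.
SecRule ARGS_NAMES "!@rx ^[A-Za-z0-9_.-]{1,64}$" \
    "id:900201,phase:2,t:none,nolog,pass,setvar:tx.score=+3"

# ARGS_COMBINED_SIZE: an unusually large total argument size adds 3.
SecRule ARGS_COMBINED_SIZE "@gt 65536" \
    "id:900202,phase:2,t:none,nolog,pass,setvar:tx.score=+3"

# REQUEST_HEADERS: a request with no User-Agent header adds 2.
# The & prefix counts the entries in the collection instead of reading them.
SecRule &REQUEST_HEADERS:User-Agent "@eq 0" \
    "id:900203,phase:2,t:none,nolog,pass,setvar:tx.score=+2"

# Decide once, on the accumulated value. TX does not outlive the transaction,
# so the score cannot leak into the next request.
SecRule TX:score "@ge 5" \
    "id:900204,phase:2,t:none,log,deny,status:403,\
    msg:'Request score threshold reached',\
    logdata:'score=%{tx.score}'"
```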
USERID
Contains the value previously set by using the ModSecurity action setuid.
WEBAPPID
Contains the value previously set using the SecWebAppId directive.
WEBSERVER_ERROR_LOG
If any error messages were generated by Apache when processing the request, these are available in this string. This variable can only be accessed in phase 5 (logging).
XML
Gives access to XML data passed in the request body. Supports XPath expressions. Useful for securing web services that use the SOAP protocol.