Add the "capture" action to the rules?

As for documenting each rule, we want that to happen as part of the CRS project.

-B

--
Brian Rectanus
Breach Security

-----Original Message-----
From: jaylam@jetco.com.hk [jaylam@jetco.com.hk]
Received: 6/24/10 8:44 PM
To: mod-security-users@lists.sourceforge.net [mod-security-users@lists.sourceforge.net]
Subject: [mod-security-users] logdata


Hi all,

I am using ModSecurity 2.5.11.

I wanna find out the piece of data that hit my rule in the audit log, so I
add logdata:'%{TX.0}' in the rule just like the rules in
modsecurity_crs_41_phpids_filters.conf do.

However, they fail to log the piece of data; I can only find [data ""] in
the audit log.

I wonder why only the rules in modsecurity_crs_41_phpids_filters.conf can
log the piece of data that triggers the rule but others cannot?

I have tried to add that in modsecurity_crs_20_protocol_violations.conf
(Multipart parser detected a possible unmatched boundary.), and
modsecurity_crs_35_bad_robots.conf (990012).

Moreover, I wanna know if there is any official document or description
about the purpose of every rule set?

Thanks a lot!

Jay
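
The suggestion in the reply above, as an added configuration example that is not part of the original thread or of the CRS: the same rule without and with the "capture" action. The rule ids, messages and the pattern are constructed placeholders.

```apache
# Constructed rules for illustration; ids, msg text and pattern are placeholders.

# Without "capture": the regex matches, but TX.0 is never populated,
# so logdata expands to an empty string and the audit log shows [data ""].
SecRule REQUEST_HEADERS:User-Agent "@rx (?:examplebot|testcrawler)" \
    "phase:1,t:none,t:lowercase,pass,log,auditlog,id:'1000001',\
msg:'Constructed UA rule (no capture)',logdata:'%{TX.0}'"

# With "capture": on a successful regex match the whole matched text is
# copied into TX.0 (and any groups into TX.1..TX.9), so logdata has a value.
SecRule REQUEST_HEADERS:User-Agent "@rx (?:examplebot|testcrawler)" \
    "phase:1,t:none,t:lowercase,capture,pass,log,auditlog,id:'1000002',\
msg:'Constructed UA rule (with capture)',logdata:'%{TX.0}'"
```

The ModSecurity 2.5 reference manual documents "capture" for use with the regular expression operator, so a rule built on a different operator has no captured text for TX.0 to hold.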
