Add the "capture" action to the rules?

As for documenting each rule, we want that to happen as part of the CRS project.


Brian Rectanus
Breach Security

-----Original Message-----
From: []
Received: 6/24/10 8:44 PM
To: []
Subject: [mod-security-users] logdata

Hi all,

I am using ModSecurity 2.5.11

I wanna find out the piece of data that hit my rule in the audit log, so I
add logdata:'%{TX.0}' in the rule just like the rules in
modsecurity_crs_41_phpids_filters.conf do.

However, they fail to log the piece of data; I can only find [data ""] in
the audit log.

I wonder why only the rules in modsecurity_crs_41_phpids_filters.conf can
log the piece of data that triggers the rule but others cannot?

I have tried to add that in modsecurity_crs_20_protocol_violations.conf
(Multipart parser detected a possible unmatched boundary.), and
modsecurity_crs_35_bad_robots.conf (990012)

Moreover, I wanna know if there is any official document or description
about the purpose of every rule set?

Thanks a lot!


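The suggestion in the reply, sketched as an added example (not from the thread and not CRS code): with the regular expression operator (@rx), the "capture" action copies the match into TX.0, which logdata can then expand. The rule ids, messages and pattern below are constructed for illustration.

```apache
# Constructed example rules for ModSecurity 2.x; ids, msg text and the
# pattern are placeholders, not taken from the CRS.

# Before: no "capture" action. The regex can still match and the rule
# still fires, but TX.0 is never populated, so %{TX.0} expands to an
# empty string and the audit log shows [data ""].
SecRule ARGS "@rx (?i:union\s+select)" \
    "phase:2,t:none,pass,log,auditlog,id:'900001',msg:'Example rule without capture',logdata:'%{TX.0}'"

# After: "capture" added. On a match, the whole matched text is copied
# into TX.0 and any capture groups into TX.1 .. TX.9, so logdata has a
# value to record in the [data "..."] field.
SecRule ARGS "@rx (?i:union\s+select)" \
    "phase:2,t:none,capture,pass,log,auditlog,id:'900002',msg:'Example rule with capture',logdata:'%{TX.0}'"
```

Because "capture" is tied to the regular expression operator, a rule that uses a different kind of operator has nothing to copy into TX.0.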