[Mod-security-developers] rule 921170

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

hi,

SecRule ARGS_NAMES "@rx ." \
&nbsp; &nbsp; "id:921170,\
&nbsp; &nbsp; phase:2,\
&nbsp; &nbsp; pass,\
&nbsp; &nbsp; nolog,\
&nbsp; &nbsp; tag:'application-multi',\
&nbsp; &nbsp; tag:'language-multi',\
&nbsp; &nbsp; tag:'platform-multi',\
&nbsp; &nbsp; tag:'attack-protocol',\
&nbsp; &nbsp; tag:'paranoia-level/3',\
&nbsp; &nbsp; tag:'OWASP_CRS',\
&nbsp; &nbsp; tag:'capec/1000/152/137/15/460',\
&nbsp; &nbsp; ver:'OWASP_CRS/3.4.0-dev',\
&nbsp; &nbsp; setvar:'TX.paramcounter_%{MATCHED_VAR_NAME}=+1'"

The rule generate only one variable named&nbsp; TX.paramcount_ARGS_NAMES, and assigned the count item in&nbsp; ARGS_NAMES.&nbsp;
but this should not be the target I think. because the target is to find duplicate parameters.
It should generate a different variable named TX.paramcount_xxx for every variable name,&nbsp; xxx is the variable name.
The value is TX.paramcount_xxx is the count of xxx in ARGS_NAMES.&nbsp; &nbsp;same variable name can exist&nbsp; in ARGS_NAMES multiple times. for example http://www.baidu.com?ab=3&amp;ab=6

my understanding is wrong?

huiming
thanks