You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: crowdsec-docs/docs/appsec/rules_syntax.md
+10-8Lines changed: 10 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -67,14 +67,17 @@ The target allows to specify which part of the requests needs to be inspected. Y
67
67
- `ARGS_NAMES`: Name of the query string parameters
68
68
- `BODY_ARGS`: Body args
69
69
- `BODY_ARGS_NAMES`: Name of the body args
70
+
- `COOKIES`: Cookies sent in the request
71
+
- `COOKIES_NAMES`: Names of the cookies sent in the request
70
72
- `HEADERS`: HTTP headers sent in the request
71
73
- `HEADERS_NAMES`: Name of the HTTP headers sent in the request
72
74
- `METHOD`: HTTP method of the request
73
75
- `PROTOCOL`: HTTP protocol used in the query (HTTP/1.0, HTTP/1.1, ...)
74
76
- `URI`: The URI of the request
75
77
- `URI_FULL`: The full URL of the request including the query string
76
78
- `RAW_BODY`: The entire body of the request
77
-
- `FILENAMES`: The name of the files sent in the request
79
+
- `FILENAMES`The name of the files sent in the request
80
+
- `FILES_TOTAL_SIZE`: Total size of the uploaded files in the request,
78
81
- _(optional)_ `variables` containing one or more variable names to restrict the matching operation to (only relevant for `ARGS`, `BODY_ARGS` and `HEADERS`)
79
82
80
83
```yaml
@@ -94,11 +97,12 @@ The target allows to specify which part of the requests needs to be inspected. Y
94
97
:::info
95
98
96
99
The default config `crowdsecurity/base-config` enables specific decoders when the following content-types are set:
97
-
- **application/x-www-form-urlencoded**
98
-
- **multipart/form-data**
99
-
- **application/xml**
100
-
- **application/json** : when used, all the variable names are prefixed with `json.`
101
-
- **text/xml**
100
+
101
+
- **application/x-www-form-urlencoded**
102
+
- **multipart/form-data**
103
+
- **application/xml**
104
+
- **application/json** : when used, all the variable names are prefixed with `json.`
105
+
- **text/xml**
102
106
103
107
:::
104
108
@@ -157,7 +161,6 @@ Match provides the pattern to match the target against, including optional trans
157
161
value: BLAH
158
162
```
159
163
160
-
161
164
### Seclang Support
162
165
163
166
In order to support your existing/legacy rules set, CrowdSec's AppSec Component is also able to load rules in the **seclang** format (**ModSecurity** rules).
@@ -177,7 +180,6 @@ The default paths for the data directory per OS:
0 commit comments