Skip to content

add COOKIES/COOKIES_NAMES/FILES_TOTAL_SIZE zones #914

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 22, 2025
Merged

add COOKIES/COOKIES_NAMES/FILES_TOTAL_SIZE zones #914

Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0a3311a
add COOKIES/COOKIES_NAMES/FILES_TOTAL_SIZE zones
blotus Oct 22, 2025
57a4fbe
typo
blotus Oct 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 10 additions & 8 deletions crowdsec-docs/docs/appsec/rules_syntax.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,14 +67,17 @@ The target allows to specify which part of the requests needs to be inspected. Y
- `ARGS_NAMES`: Name of the query string parameters
- `BODY_ARGS`: Body args
- `BODY_ARGS_NAMES`: Name of the body args
- `COOKIES`: Cookies sent in the request
- `COOKIES_NAMES`: Names of the cookies sent in the request
- `HEADERS`: HTTP headers sent in the request
- `HEADERS_NAMES`: Name of the HTTP headers sent in the request
- `METHOD`: HTTP method of the request
- `PROTOCOL`: HTTP protocol used in the query (HTTP/1.0, HTTP/1.1, ...)
- `URI`: The URI of the request
- `URI_FULL`: The full URL of the request including the query string
- `RAW_BODY`: The entire body of the request
- `FILENAMES`: The name of the files sent in the request
- `FILENAMES` The name of the files sent in the request
Copy link
Contributor

@buixor buixor Oct 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

missing :

- `FILES_TOTAL_SIZE`: Total size of the uploaded files in the request,
- _(optional)_ `variables` containing one or more variable names to restrict the matching operation to (only relevant for `ARGS`, `BODY_ARGS` and `HEADERS`)

```yaml
Expand All @@ -94,11 +97,12 @@ The target allows to specify which part of the requests needs to be inspected. Y
:::info

The default config `crowdsecurity/base-config` enables specific decoders when the following content-types are set:
- **application/x-www-form-urlencoded**
- **multipart/form-data**
- **application/xml**
- **application/json** : when used, all the variable names are prefixed with `json.`
- **text/xml**

- **application/x-www-form-urlencoded**
- **multipart/form-data**
- **application/xml**
- **application/json** : when used, all the variable names are prefixed with `json.`
- **text/xml**

:::

Expand Down Expand Up @@ -157,7 +161,6 @@ Match provides the pattern to match the target against, including optional trans
value: BLAH
```


### Seclang Support

In order to support your existing/legacy rules set, CrowdSec's AppSec Component is also able to load rules in the **seclang** format (**ModSecurity** rules).
Expand All @@ -177,7 +180,6 @@ The default paths for the data directory per OS:
- Freebsd: `/var/db/crowdsec/data`
- Windows: `C:\programdata\crowdsec\data`


> Example

```yaml
Expand Down