On Sun, May 20, 2018 at 10:59:02AM -0400, Daniel Corbett wrote:
> While I haven't been able to get 'tcp-request content reject' to work with
> this configuration -- I am able to get 'http-request deny' to work:
>
> http-request deny if { var(txn.modsec.code) -m int gt 0 }

This is expected. The "tcp-request content" rules are evaluated before HTTP rules, hence before the filters as well. Thus here the rule says that it will reject the request based on a variable that holds its initial value and never had a chance to be modified yet. Unfortunately there is little we can do to detect this better, except improving the doc and providing better config examples.

Willy
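
The ordering described in this reply, as an added configuration example that is not part of the original thread or of the HAProxy documentation. The frontend and backend names, the addresses, the SPOE engine name and the SPOE file path are assumptions, and the SPOE file and its agent backend are not shown.

```haproxy
# Constructed example: names, addresses and paths are placeholders.
frontend fe_web
    mode http
    bind 192.0.2.10:80

    # Assumed: a SPOE filter whose agent sets txn.modsec.code per request.
    filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf

    # Ineffective form (kept commented out): "tcp-request content" rules are
    # evaluated before the HTTP rules and before the filters, so at this
    # point txn.modsec.code still holds its initial value and the
    # condition cannot match.
    #tcp-request content reject if { var(txn.modsec.code) -m int gt 0 }

    # Working form from the thread: evaluated at the HTTP rule stage, when
    # the variable has had a chance to be modified.
    http-request deny if { var(txn.modsec.code) -m int gt 0 }

    default_backend be_app

backend be_app
    mode http
    server app1 192.0.2.20:8080
```

As the reply notes, HAProxy does not detect the first form as a mistake, so a rule that tests a filter-set variable at the "tcp-request content" stage has to be caught in configuration review.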