On Sun, May 20, 2018 at 10:59:02AM -0400, Daniel Corbett wrote:
> While I haven't been able to get 'tcp-request content reject' to work with
> this configuration -- I am able to get 'http-request deny' to work:
> 
> http-request deny if { var(txn.modsec.code) -m int gt 0 }

This is expected. The "tcp-request content" rules are evaluated before
HTTP rules, hence before the filters as well. Thus here the rule says
that it will reject the request based on a variable that holds its initial
value and never had a chance to be modified yet. Unfortunately there is
little we can do to detect this better, except improving the doc and
providing better config examples.

Willy
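
The ordering described in this reply, as an added configuration example (not from the original thread or from the HAProxy project). The frontend and backend names, addresses, ports, the SPOE engine name and the config file path are assumptions; only the variable `txn.modsec.code` and the two rule forms come from the messages above. The SPOE config file is assumed to use the variable prefix `modsec`.

```haproxy
# Constructed example; names, addresses and file paths are assumptions.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    bind :8080

    # The SPOE filter passes the request to the ModSecurity agent.
    # txn.modsec.code is only set once this filter has run.
    filter spoe engine modsecurity config /etc/haproxy/spoe-modsecurity.conf

    # Ineffective: "tcp-request content" rules are evaluated before the
    # HTTP rules and before the filter, so the variable still holds its
    # initial value when this condition is tested.
    # tcp-request content reject if { var(txn.modsec.code) -m int gt 0 }

    # Effective: "http-request" rules are evaluated after the filter has
    # had a chance to set the variable.
    http-request deny if { var(txn.modsec.code) -m int gt 0 }

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8081

# Backend used to reach the SPOE agent; the SPOE config file is assumed
# to select it with "use-backend spoe-modsecurity".
backend spoe-modsecurity
    mode tcp
    server modsec1 127.0.0.1:12345
```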
