The ModSecurity Reference Manual should be consulted in any cases where questions arise relating to the syntax of commands.

In terms of rule writing, the main directive to know is SecRule, which is used to create rules and thus does most of the work.

Every rule defined by SecRule conforms to the same format, as below:

SecRule VARIABLES OPERATOR [TRANSFORMATION_FUNCTIONS,ACTIONS]

The rule consists of four parts:

  • VARIABLES: Tells the WAF engine where to look in the transactional data (HTTP request and response data).
  • OPERATOR: Tells the WAF engine how to process the variable data.
  • TRANSFORMATION_FUNCTIONS: Tells the WAF engine how to normalize data before an operator is applied.
  • ACTIONS: Tells the WAF engine what to do if a rule matches.

The four parts are explained in the sections below.