What does ARGS, ARGS_NAMES really mean in mod_security crs?

What does ARGS, ARGS_NAMES really mean in the mod_security basic rule sets?

I have already gone through the Modsecurity2 Apache Reference, but I did not get a clear idea from it.

Can someone give me a specific explanation, preferably with an example of what these variables actually are and how a request actually triggers the rule shown below?

The rule below fires for cases such as “x and 6”, and in general for any “and” followed by a digit. In this case I understand what the request file name is. What I do not understand is ARGS and ARGS_NAMES. I need a specific example with reference to the rule below.

    SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*[=]|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*[<>]|\band\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')" \
        "phase:2,rev:'2.2.5',capture,t:none,t:urlDecodeUni,ctl:auditLogParts=+E,block,msg:'SQL Injection Attack',id:'959072',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
1 answer

Example:

    http://server.invalid/test.php?pretty_arg=test123&ugly_arg=345test

    ARGS_NAMES = "pretty_arg","ugly_arg"
    ARGS       = "pretty_arg:test123","ugly_arg:345test"

Look here:

If you want to remove an argument from a specific call, you can use

    SecRule REQUEST_FILENAME "@streq /path/to/file.php" "phase:1,id:2001,t:none,nolog,pass,ctl:ruleRemoveTargetById=959072;ARGS:ugly_arg"
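To make the answer's collections concrete, here is an added Python model (not ModSecurity's own code) that builds REQUEST_FILENAME, ARGS_NAMES and ARGS from a request URL the way the answer lays them out, runs the regex of rule 959072 over each target, and also honours the per-target exclusion that ctl:ruleRemoveTargetById=959072;ARGS:ugly_arg performs. The URLs in the test are constructed; parse_qsl stands in for t:urlDecodeUni.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Pattern from CRS rule 959072 as quoted in the question (raw triple-quoted
# string because the rule text contains both ' and " characters).
RULE_959072 = re.compile(
    r"""(?i)\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*[=]|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')\s*[<>]|\band\b ?(?:\d{1,10}|[\'\"][^=]{1,10}[\'\"]) ?[=<>]+|\b(?i:and)\b\s+(\d{1,10}|'[^=]{1,10}')"""
)


def collections(url):
    """Build the targets the rule lists, keyed the way ModSecurity names them.

    REQUEST_FILENAME is the path; each query parameter contributes one
    ARGS_NAMES:<name> target (the parameter name) and one ARGS:<name> target
    (the parameter value). parse_qsl URL-decodes, as t:urlDecodeUni would.
    """
    parts = urlsplit(url)
    targets = {"REQUEST_FILENAME": parts.path}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        targets["ARGS_NAMES:" + name] = name   # ARGS_NAMES inspects parameter names
        targets["ARGS:" + name] = value        # ARGS inspects parameter values
    return targets


def evaluate(url, removed_targets=()):
    """Run the pattern over every target and return (target, matched text) pairs.

    removed_targets models ctl:ruleRemoveTargetById=959072;ARGS:ugly_arg:
    a target listed there is skipped for this rule only. The matched text
    is what logdata:'%{TX.0}' would record; the target name is
    %{matched_var_name}.
    """
    hits = []
    for target, value in collections(url).items():
        if target in removed_targets:
            continue
        m = RULE_959072.search(value)
        if m:
            hits.append((target, m.group(0)))
    return hits


if __name__ == "__main__":
    # Constructed request: the parameter *name* carries "and 6", so ARGS_NAMES fires.
    print(evaluate("http://server.invalid/test.php?x%20and%206=foo"))
```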

Source: https://habr.com/ru/post/1486615/
