ARGS - can be used on its own (means all arguments), with a static parameter (matches arguments with that name), or with a regular expression (matches all arguments with name that matches the regular expression). Note: ARGS:p will not result in any invocations against the operator if argument p does not exist.

ARGS_COMBINED_SIZE -

ARGS_NAMES -

REQBODY_PROCESSOR - Built-in processors are URLENCODED, MULTIPART, and XML.

REQBODY_ERROR - 0 or 1. If you want to stop processing on an error you must have an explicit rule in phase 2 to do so.

REQBODY_ERROR_MSG - empty, or contains the error message from the processor.

XML - can be used standalone (as a target for validateDTD and validateSchema) or with an XPath expression parameter (which makes it a valid target for any function that accepts plain text).

WEBSERVER_ERROR_LOG - contains zero or more error messages produced by the web server.

TX - Collection. This is where the transaction variables live.

FILES - Collection. Contains a collection of original file names (as they were called on the remote user's file system).

FILES_TMPNAMES - Collection. Contains a collection of temporary files' names on the disk. Useful when used together with @inspectFile (Note: only available if files were extracted from the request body.).

FILES_NAMES - Collection w/o parameter. Contains a list of form fields that were used for file upload.

FILES_SIZES - Collection. Contains a list of file sizes.

FILES_COMBINED_SIZE - Single value. Total size of the uploaded files.

ENV - Collection, requires a single parameter.

REMOTE_HOST -

REMOTE_ADDR -

REMOTE_PORT -

REMOTE_USER -

PATH_INFO -

QUERY_STRING -

AUTH_TYPE -

SERVER_NAME -

SERVER_ADDR -

SERVER_PORT -

TIME_YEAR -

TIME_EPOCH - time in seconds since 1970.

TIME_MON -

TIME_DAY -

TIME_HOUR -

TIME_MIN -

TIME_SEC -

TIME_WDAY -

TIME -

REQUEST_URI - (e.g. /index.php?p=X). This variable will never contain a domain name, even if it was provided on the request line. Warning: not urlDecoded.

REQUEST_URI_RAW - same as above but will contain the domain name if it was provided on the request line (e.g. http://www.example.com/index.php?p=X). Warning: not urlDecoded.

REQUEST_LINE -

REQUEST_METHOD -

REQUEST_PROTOCOL -

REQUEST_FILENAME - relative REQUEST_URI minus the QUERY_STRING part (e.g. /index.php). Warning: not urlDecoded.

REQUEST_BASENAME - just the filename part of REQUEST_FILENAME (e.g. index.php). Warning: not urlDecoded.

SCRIPT_FILENAME -

SCRIPT_BASENAME -

SCRIPT_UID -

SCRIPT_GID -

SCRIPT_USERNAME -

SCRIPT_GROUPNAME -

SCRIPT_MODE -

ENV -

REQUEST_HEADERS -

REQUEST_HEADERS_NAMES -

REQUEST_COOKIES -

REQUEST_COOKIES_NAMES -

REQUEST_BODY -

RESPONSE_LINE -

RESPONSE_STATUS -

RESPONSE_PROTOCOL -

RESPONSE_HEADERS -

RESPONSE_HEADERS_NAMES -

RESPONSE_BODY -

Special prefix HTTP_ followed by a header name can be used to access any request header.

RULE - Gives access to the id, rev, severity, and msg fields of the rule that triggered the action. Only available for expansion in action strings (e.g. setvar:tx.varname=%{rule.id})

SESSION - collection, available only after setsid is executed.

WEBAPPID - the value set with SecWebAppId.

SESSIONID - the value set with setsid.

USERID - the value set with setuid.