Actions
Actions can be categorized into three types based on their execution timing:
- Configuration Actions: Such as `id`, `phase`, etc., used to define rule metadata.
- Match-Triggered Actions: Such as `setvar`, `ctl`, etc., executed when a single rule matches. A “single rule” here refers to one `SecRule`, not a parent-child rule chain as a whole.
- Disruptive Actions: Such as `deny`, `allow`, etc., executed after the entire rule (including chained sub-rules) completes matching, typically affecting subsequent rule processing.

| Keyword | Description |
|---|---|
| id | Unique rule identifier (required) |
| phase | Processing phase (1-5) |
| msg | Log message |
| severity | Severity level (0-7) |
| tag | Rule tag |
| ver | Rule version |
| rev | Rule revision |
| accuracy | Accuracy level (1-9) |
| maturity | Maturity level (1-9) |
| deny | Deny request |
| drop | Drop connection |
| allow | Allow request to pass |
| allow:phase | Allow request to pass current phase |
| allow:request | Allow the entire request to pass |
| redirect | Redirect to specified URL |
| pass | Continue processing subsequent rules |
| block | Use default disruptive action |
| log | Log to error log |
| nolog | Do not log to error log |
| auditlog | Log to audit log |
| noauditlog | Do not log to audit log |
| logdata | Log additional data |
| capture | Capture regex match content |
| multiMatch | Execute action for all matches |
| setvar | Set variable |
| expirevar | Set variable expiration time |
| setenv | Set environment variable |
| setuid | Set user ID |
| setsid | Set session ID |
| setrsc | Set resource ID |
| initcol | Initialize persistent collection |
| chain | Chain rules together |
| skip | Skip specified number of subsequent rules |
| skipAfter | Skip to a rule with specified marker |
| ctl | Modify engine configuration at runtime |
| exec | Execute external script or command |
| status | Set HTTP response status code |
| xmlns | Define XML namespace |
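
The three timing categories described above, shown in one rule chain. This is an added example, not taken from the project's own rule set; it assumes standard ModSecurity-style SecLang syntax, and the rule ids (100001, 100002), the `/login` path and the `tx.*` variable names are constructed placeholders.

```apache
# Constructed example: ids, path and tx variable names are placeholders.
#
# Rule 100001 is a chain of two SecRules:
#   - id, phase, msg    configuration actions (metadata, set on the chain starter)
#   - setvar            match-triggered: runs when the SecRule that carries it
#                       matches, even if the chain as a whole does not
#   - deny, status:403  disruptive: runs only after BOTH SecRules have matched
SecRule REQUEST_URI "@beginsWith /login" \
    "id:100001,phase:2,deny,status:403,log,\
    msg:'Login endpoint requested with a non-POST method',\
    setvar:tx.login_seen=1,chain"
    SecRule REQUEST_METHOD "!@streq POST" \
        "setvar:tx.login_bad_method=1"

# Rule 100002 is a standalone rule evaluated later in the same phase.
# It reads the state that the chain starter left behind.
SecRule TX:login_seen "@eq 1" \
    "id:100002,phase:2,pass,nolog,auditlog,\
    msg:'Login endpoint touched by a request that was not denied'"

# Walk-through with two constructed requests:
#
# GET /login
#   100001 starter matches  -> tx.login_seen=1
#   100001 chained matches  -> tx.login_bad_method=1
#   whole chain matched     -> deny with status 403; 100002 is never evaluated
#
# POST /login
#   100001 starter matches  -> tx.login_seen=1   (already executed)
#   100001 chained fails    -> no deny, tx.login_bad_method stays unset
#   100002 matches          -> audit log entry, request continues (pass)
```

When reviewing rules, treat any `setvar` (for example an anomaly-score increment) on a chain starter as unconditional on the rest of the chain; place it on the last chained rule if it should only take effect when the whole chain matches.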