Matched On Variables

A short description of the information contained for each variable referenced in the Matched On field is provided below.

• ARGS: Contains:
  • All query string parameters
  • All parameters in the POST request body
• ARGS_COMBINED_SIZE: Describes the combined size for:
  • All query string parameters
  • All parameters in the POST request body
• ARGS_GET: Contains all query string parameters.
• ARGS_GET_NAMES: Contains the names of all query string parameters.
• ARGS_NAMES: Contains the names for:
  • All query string parameters
  • All parameters in the POST request body
• ARGS_POST: Contains all key-value pairs within a POST request.
• ARGS_POST_NAMES: Contains the names of all parameters in the POST request body.
• AUTH_TYPE: Describes the built-in HTTP authentication method (e.g., Basic) used to validate a user.
• DURATION: Describes the length of time, in milliseconds, it took to fulfill the request.
• ENV: Identifies an environment variable.
• FILES: Describes the original file name for a multipart/form-data (e.g., byte range) request.
• FILES_COMBINED_SIZE: Describes the total file size of the request body for a multipart/form-data (e.g., byte range) request.
• FILES_NAMES: Contains a list of form fields that were used for file upload for a multipart/form-data request.
• FULL_REQUEST: Describes the request including request headers and the request body.
• FULL_REQUEST_LENGTH: Indicates the number of bytes that may be used by FULL_REQUEST.
• FILES_SIZES: Contains a list of file sizes for a multipart/form-data (e.g., byte range) request.
• FILES_TMPNAMES: Contains a list of file names for the temporary files generated for a multipart/form-data (e.g., byte range) request.
• GEO: Contains a geographical description of the request. This variable may contain any of the following fields:
  • AREA_CODE: Identifies the area code from which the request originated. This information is only gathered for requests that originate from the United States.
  • CITY: Identifies the name of the city from which the request originated.
  • COUNTRY_CODE: Identifies the country from which the request originated through its two character country code.
  • COUNTRY_CODE3: Identifies the country from which the request originated through its country code. This code may consist of up to three characters.
  • COUNTRY_CONTINENT: Identifies the continent from which the request originated by its two character continent code (e.g., EU).
  • COUNTRY_NAME: Identifies the country from which the request originated by its name.
  • DMA_CODE: Identifies the metropolitan area code from which the request originated. This information is only gathered for requests that originate from the United States.
  • LATITUDE: Identifies the latitude from which the request originated.
  • LONGITUDE: Identifies the longitude from which the request originated.
  • POSTAL_CODE: Identifies the postal code from which the request originated.
  • REGION: Identifies the region from which the request originated by its two character region code.
    • US: Identifies a state.
    • Canada: Identifies a province.
• HIGHEST_SEVERITY: Indicates the highest threat severity assigned to the request.
• INBOUND_DATA_ERROR: Set to 1 when the request body size exceeds the corresponding profile’s Max File Size option.
• MULTIPART_CRLF_LF_LINES: Set to 1 when a multipart request (e.g., byte range request) uses mixed line terminators.
• MULTIPART_FILENAME: Contains a request’s multipart data.
• MULTIPART_NAME: Contains a request’s multipart data.
• MULTIPART_STRICT_ERROR: Set to 1 when an error is detected in the request body for a multipart/form-data (e.g., byte range) request.
• MULTIPART_UNMATCHED_BOUNDARY: Set to 1 when a faux boundary is detected within a multipart/form-data (e.g., byte range) request.
• PATH_INFO: Contains the extra path information that may be appended to a URL. For example, this variable would contain “/abc” for the following request: /index.php/abc.
• QUERY_STRING: Contains the entire raw query string defined in the request URL.
• REMOTE_ADDR: Identifies the client that submitted the request by its IP address.
• REMOTE_HOST: Identifies a host by its hostname or IP address.
• REMOTE_PORT: Contains the port defined in the request.
• REMOTE_USER: Identifies the user name of an authenticated user.
• REQBODY_ERROR: Indicates whether an error occurred during the parsing of the request body. Valid values are:
  • 0: An error was not detected.
  • 1: Error
• REQBODY_ERROR_MSG: Contains an error message if an error occurred during the parsing of the request body.
• REQBODY_PROCESSOR: Contains the name of the request body parser.
• REQUEST_BASENAME: Identifies the file name of the requested content.
• REQUEST_BODY: Contains the URL-encoded request body.
• REQUEST_BODY_LENGTH: Contains the size of the request body in bytes.
• REQUEST_COOKIES: Contains the set of request cookie values.
• REQUEST_COOKIES_NAMES: Contains the set of request cookie names.
• REQUEST_FILENAME: Identifies the request’s file name. This value does not include query strings.
• REQUEST_HEADERS: Contains a set of request header values.
• REQUEST_HEADERS_NAMES: Contains a set of request header names.
• REQUEST_LINE: Contains the request method, URL, and HTTP version.
• REQUEST_METHOD: Contains the request method.
• REQUEST_PROTOCOL: Contains the request’s HTTP version.
• REQUEST_URI: Contains the request URL starting directly after the hostname.
• REQUEST_URI_RAW: Contains the raw request URL.
• SESSION: Contains session information.
• STREAM_INPUT_BODY: Contains the raw request body.
• TX: Contains transaction information and transaction anomaly score.
• URLENCODED_ERROR: Indicates that invalid URL encoding was detected.
• USERAGENT_IP: Indicates the IP address from which the request originated.
• WEBSERVER_ERROR_LOG: Contains zero or more error messages.