ModSecurity 2.x allows rules to be placed in one of the following five phases:
In order to select the phase a rule executes during, use the phase action either directly in the rule or in using the SecDefaultActions directive:
SecRule HTTP_Host "!^$" "deny,phase:1" SecDefaultAction "log,pass,phase:2"
Rules in this phase immediately after Apache completes reading the request headers. At this point the request body has not been read yet, meaning not all request arguments are available. Rules should be placed in this phase if you need to have them run early (before Apache does something with the request), to do something before the request body has been read, determine whether or not the request body should be buffered, or decide how you want the request body to be processed (e.g. whether to parse it as XML or not).
This is the general-purpose input analysis phase. Most of the application-oriented rules should go here. In this phase you are guaranteed to have received the request argument (provided
This phase takes place just before response headers are sent back to the client. Run here if you want to observe the response before that happens, and if you want to use the response headers to determine if you want to buffer the response body.
This is the general-purpose output analysis phase. At this point you can run rules against the response body (provided it was buffered, of course).