Add or remove capture as appropriate

Author: fgsch

rules/REQUEST-913-SCANNER-DETECTION.conf

@@ -60,6 +60,7 @@ SecRule REQUEST_HEADERS_NAMES|REQUEST_HEADERS "@pmf scanners-headers.data" \
     "id:913110,\
     phase:2,\
     block,\
+    capture,\
     t:none,t:lowercase,\
     msg:'Found request header associated with security scanner',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\
@@ -87,6 +88,7 @@ SecRule REQUEST_FILENAME|ARGS "@pmf scanners-urls.data" \
     "id:913120,\
     phase:2,\
     block,\
+    capture,\
     t:none,t:lowercase,\
     msg:'Found request filename/argument associated with security scanner',\
     logdata:'Matched Data: %{TX.0} found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\

rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf

@@ -1146,7 +1146,6 @@ SecRule REQUEST_HEADERS:Range|REQUEST_HEADERS:Request-Range "@rx ^bytes=(?:(?:\d
     "id:920200,\
     phase:2,\
     block,\
-    capture,\
     t:none,\
     msg:'Range: Too many fields (6 or more)',\
     logdata:'%{matched_var}',\
@@ -1173,7 +1172,6 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     "id:920201,\
     phase:2,\
     block,\
-    capture,\
     t:none,\
     msg:'Range: Too many fields for pdf request (63 or more)',\
     logdata:'%{matched_var}',\
@@ -1371,7 +1369,6 @@ SecRule REQUEST_BASENAME "@endsWith .pdf" \
     "id:920202,\
     phase:2,\
     block,\
-    capture,\
     t:none,\
     msg:'Range: Too many fields for pdf request (6 or more)',\
     logdata:'%{matched_var}',\

rules/REQUEST-941-APPLICATION-ATTACK-XSS.conf

@@ -38,6 +38,7 @@ SecRule REQUEST_COOKIES|!REQUEST_COOKIES:/__utm/|REQUEST_COOKIES_NAMES|REQUEST_H
     "id:941100,\
     phase:2,\
     block,\
+    capture,\
     t:none,t:utf8toUnicode,t:urlDecodeUni,t:htmlEntityDecode,t:jsDecode,t:cssDecode,t:removeNulls,\
     msg:'XSS Attack Detected via libinjection',\
     logdata:'Matched Data: XSS data found within %{MATCHED_VAR_NAME}: %{MATCHED_VAR}',\