diff --git a/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf b/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
index 8ea03086e..6fc9dcc4a 100644
--- a/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
+++ b/rules/REQUEST-931-APPLICATION-ATTACK-RFI.conf
@@ -125,8 +125,9 @@ SecRule ARGS "@rx ^(?i)(?:file|ftps?|https?)://(.*)$" \
 rev:'3',\
 ver:'OWASP_CRS/3.0.0',\
 severity:'CRITICAL',\
+ setvar:tx.rfi_parameter_%{matched_var_name}=%{tx.1},\
 chain"
- SecRule TX:1 "!@beginsWith %{request_headers.host}" \
+ SecRule TX:/rfi_parameter_.*/ "!@beginsWith %{request_headers.host}" \
 "setvar:'tx.msg=%{rule.msg}',\
 setvar:tx.rfi_score=+%{tx.critical_anomaly_score},\
 setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},\
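Review bot: The chained `!@beginsWith %{request_headers.host}` test still does a prefix comparison against everything captured after `://`, so a URL whose authority merely starts with the Host value (a longer hostname sharing that prefix) is treated as on-domain and the rule stays silent; the commit changes which variable is tested but keeps that gap. Consider narrowing the parent capture to the authority only, e.g. `://([^/]*)`, and comparing it as a whole value (`!@streq %{request_headers.host}`, or an `@endsWith` on a dot-prefixed value if subdomains should pass), after deciding how ports and userinfo are to be handled. The new `setvar` relies on `capture` filling `tx.1`, which would sit in the part of the action list that starts outside this hunk, and it builds a TX key from the client-chosen parameter name. A short comment above the rule, such as `# Store one capture per matching argument; tx.1 alone presumably holds only the last match`, would record why the per-parameter variables exist.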