SecRuleEngine ignore DetectionOnly

[theMiddleBlue]

Describe the bug
it seems that the latest v3/master completely ignores the DetectionOnly SecRuleEngine configuration. When a rule match, I get always the default disruptive action even if SecRuleEngine is set to DetectionOnly… in the debug logs I can see the "deny" action

Logs and dumps
debug log

[154281330544.076301] [/?a=exec(/bin/bash);] [4] (Rule: 932150) Executing operator "Rx" with param "[...cut...]" against XML:/*.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "a" (Variable: ARGS_NAMES:a)
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "exec(/bin/bash);" (Variable: ARGS:a)
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Rule returned 0.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Matched vars cleaned.
[154281330544.076301] [/?a=exec(/bin/bash);] [4] (Rule: 932160) Executing operator "PmFromFile" with param "unix-shell.data" against XML:/*.
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:urlDecodeUni: "a"
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:cmdLine: "a"
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:normalizePath: "a"
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:lowercase: "a"
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "a" (Variable: ARGS_NAMES:a)
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:urlDecodeUni: "exec(/bin/bash);"
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:cmdLine: "exec(/bin/bash) "
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:normalizePath: "exec(/bin/bash) "
[154281330544.076301] [/?a=exec(/bin/bash);] [9]  T (0) t:lowercase: "exec(/bin/bash) "
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "exec(/bin/bash) " (Variable: ARGS:a)
[154281330544.076301] [/?a=exec(/bin/bash);] [7] Added pm match TX.0: bin/bash
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Matched vars updated.
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running [independent] (non-disruptive) action: setvar
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Saving variable: TX:msg with value: Remote Command Execution: Unix Shell Code Found
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running [independent] (non-disruptive) action: setvar
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Saving variable: TX:rce_score with value: 5
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running [independent] (non-disruptive) action: setvar
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Saving variable: TX:anomaly_score_pl1 with value: 5
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running [independent] (non-disruptive) action: setvar
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Saving variable: TX:-OWASP_CRS/WEB_ATTACK/RCE-ARGS:a with value: bin/bash
[154281330544.076301] [/?a=exec(/bin/bash);] [9] This rule severity is: 2 current transaction is: 2
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Saving msg: Remote Command Execution: Unix Shell Code Found
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Rule returned 1.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: log
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Saving transaction to logs
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: auditlog
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: status
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: application-multi
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: language-shell
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: platform-unix
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: attack-rce
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: WASCTC/WASC-31
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: OWASP_TOP_10/A1
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Running (non-disruptive) action: tag
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Rule tag: PCI/6.5.2
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: block
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Marking request as disruptive.
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Running action deny
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Running action: ctl
[154281330544.076301] [/?a=exec(/bin/bash);] [8] Skipping this phase as this request was already intercepted.
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Starting phase RESPONSE_HEADERS. (SecRules 3)
[154281330544.076301] [/?a=exec(/bin/bash);] [9] This phase consists of 70 rule(s).
[154281330544.076301] [/?a=exec(/bin/bash);] [4] (Rule: 950020) Executing operator "Lt" with param "1" against TX:EXECUTING_PARANOIA_LEVEL.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Target value: "1" (Variable: TX:EXECUTING_PARANOIA_LEVEL)
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Rule returned 0.
[154281330544.076301] [/?a=exec(/bin/bash);] [9] Matched vars cleaned.

for the same request:

...
[154281330544.076301] [/?a=exec(/bin/bash);] [4] Not running disruptive action: pass. SecRuleEngine is not On.
...

don't know why for pass it skip the disruptive action and for deny not.

To Reproduce

• ModSecurity v3/master
• ModSecurity-nginx (latest)
• Nginx
• OWASP CRS 3.2/dev
• configure SecRuleEngine DetectionOnly
• configure a default action to "deny"

trigger a rule:
curl 'http://localhost/?a=exec(/bin/bash);'

Expected behavior
it should just log without executing the disruptive action

ModSecurity configure output

ModSecurity - v3.0.3-4-gcbf2fe97 for Linux

Mandatory dependencies
  + libInjection                                  ....v3.0.3-4-gcbf2fe97
  + SecLang tests                                 ....cbf2fe97

Optional dependencies
  + GeoIP/MaxMind                                 ....found 
     * (GeoIP) v1.6.12
        -lGeoIP, -I/usr/include/
  + LibCURL                                       ....found v7.58.0 
     -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
  + YAJL                                          ....found v2.1.0
     -lyajl, -DWITH_YAJL -I/usr/include/yajl
  + LMDB                                          ....not found
  + LibXML2                                       ....found v2.9.4
     -lxml2, -I/usr/include/libxml2 -DWITH_LIBXML2
  + SSDEEP                                        ....not found
  + LUA                                           ....not found

Other Options
  + Test Utilities                                ....enabled
  + SecDebugLog                                   ....enabled
  + afl fuzzer                                    ....disabled
  + library examples                              ....enabled
  + Building parser                               ....disabled
  + Treating pm operations as critical section    ....disabled

[airween]

• ModSecurity 3.0.3 (tar) - comes from Debian as package
• ModSecurity-nginx 1.0.0 (tar)
• Nginx (Debian SID version)
• the whole Nginx collection is here: https://salsa.debian.org/airween-guest/nginx/tree/modsecurity
• OWASP CRS 3.1 (tar)
• configure SecRuleEngine DetectionOnly
• configure a default action to "deny" - sorry, I didn't found any info about this

in modsecurity.conf:

SecRuleEngine DetectionOnly

libmodsecurity configure:

ModSecurity -  for Linux
 
 Mandatory dependencies
   + libInjection                                  ....
   + SecLang tests                                 ....
 
 Optional dependencies
   + GeoIP/MaxMind                                 ....found 
      * (MaxMind) v1.3.2
         -lmaxminddb, -DWITH_MAXMIND -I/usr/include/x86_64-linux-gnu
      * (GeoIP) v1.6.12
         -lGeoIP, -I/usr/include/
   + LibCURL                                       ....found v7.62.0 
      -lcurl,  -DWITH_CURL_SSLVERSION_TLSv1_2 -DWITH_CURL
   + YAJL                                          ....found v2.1.0
      -lyajl, -DWITH_YAJL -I/usr/include/yajl
   + LMDB                                          ....not found
   + LibXML2                                       ....found v2.9.4
      -lxml2, -I/usr/include/libxml2 -DWITH_LIBXML2
   + SSDEEP                                        ....found 
      -lfuzzy -L/usr/lib/x86_64-linux-gnu/, -DWITH_SSDEEP -I/usr/include
   + LUA                                           ....found v503
      -llua5.3 -L/usr/lib/x86_64-linux-gnu/, -DWITH_LUA -I/usr/include/lua5.3
 
 Other Options
   + Test Utilities                                ....enabled
   + SecDebugLog                                   ....enabled
   + afl fuzzer                                    ....disabled
   + library examples                              ....enabled
   + Building parser                               ....disabled
   + Treating pm operations as critical section    ....disabled

curl 'http://localhost/?a=exec(/bin/bash);'

nginx error_log:

2019/01/07 21:15:14 [info] 12932#12932: *1 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:a' (Value: `exec(/bin/bash);' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "481"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:a: exec(/bin/bash) "] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571483.914752"] [ref "o6,8v8,16t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"], client: ::1, server: _, request: "GET /?a=exec(/bin/bash); HTTP/1.1", host: "localhost"
2019/01/07 21:15:14 [info] 12932#12932: *1 ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate (2095 characters omitted)' against variable `ARGS:a' (Value: `exec(/bin/bash);' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "300"] [id "933160"] [rev ""] [msg "PHP Injection Attack: High-Risk PHP Function Call Found"] [data "Matched Data: exec(/bin/bash) found within ARGS:a: exec(/bin/bash);"] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571483.914752"] [ref "o0,15v8,16"], client: ::1, server: _, request: "GET /?a=exec(/bin/bash); HTTP/1.1", host: "localhost"
2019/01/07 21:15:14 [info] 12932#12932: *1 ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571483.914752"] [ref ""], client: ::1, server: _, request: "GET /?a=exec(/bin/bash); HTTP/1.1", host: "localhost"
2019/01/07 21:15:14 [info] 12932#12932: *1 ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:a' (Value: `exec(/bin/bash);' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "481"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:a: exec(/bin/bash) "] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571415.050309"] [ref "o6,8v8,16t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"], client: ::1, server: _, request: "GET /?a=exec(/bin/bash); HTTP/1.1", host: "localhost"
2019/01/07 21:15:14 [info] 12932#12932: *1 ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate (2095 characters omitted)' against variable `ARGS:a' (Value: `exec(/bin/bash);' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "300"] [id "933160"] [rev ""] [msg "PHP Injection Attack: High-Risk PHP Function Call Found"] [data "Matched Data: exec(/bin/bash) found within ARGS:a: exec(/bin/bash);"] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571415.050309"] [ref "o0,15v8,16"], client: ::1, server: _, request: "GET /?a=exec(/bin/bash); HTTP/1.1", host: "localhost"
2019/01/07 21:15:14 [info] 12932#12932: *1 ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571415.050309"] [ref ""], client: ::1, server: _, request: "GET /?a=exec(/bin/bash); HTTP/1.1", host: "localhost"
2019/01/07 21:15:14 [info] 12932#12932: *1 ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=5,HTTP=0,SESS=0): PHP Injection Attack: High-Risk PHP Function Call Found; individual paranoia level scores: 10, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571415.050309"] [ref ""] while logging request, client: ::1, server: _, request: "GET /?a=exec(/bin/bash); HTTP/1.1", host: "localhost"

modsec_audit.log:

---8CP5TlcV---A--
[07/Jan/2019:21:15:14 +0000] 154689571415.050309 ::1 52110 0.0.0.0 80
---8CP5TlcV---B--
GET /?a=exec(/bin/bash); HTTP/1.1
Host: localhost
User-Agent: curl/7.62.0
Accept: */*

---8CP5TlcV---D--

---8CP5TlcV---E--
\x0a<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" ...
...
---8CP5TlcV---F--
HTTP/1.1 200
Server: nginx/1.14.2
Date: Mon, 07 Jan 2019 21:15:14 GMT
Content-Length: 10701
Content-Type: text/html
Last-Modified: Thu, 27 Dec 2018 23:16:57 GMT
Connection: keep-alive
ETag: "5c255d69-29cd"
Accept-Ranges: bytes

---8CP5TlcV---H--
ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:a' (Value: `exec(/bin/bash);' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "481"] [id "932160"] [rev ""] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:a: exec(/bin/bash) "] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [tag "OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION"] [tag "WASCTC/WASC-31"] [tag "OWASP_TOP_10/A1"] [tag "PCI/6.5.2"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571415.050309"] [ref "o6,8v8,16t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"]
ModSecurity: Warning. Matched "Operator `Rx' with parameter `(?i)\b(?:s(?:e(?:t(?:_(?:e(?:xception|rror)_handler|magic_quotes_runtime|include_path)|defaultstub)|ssion_s(?:et_save_handler|tart))|qlite_(?:(?:(?:unbuffered|single|array)_)?query|create_(?:aggregate (2095 characters omitted)' against variable `ARGS:a' (Value: `exec(/bin/bash);' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-933-APPLICATION-ATTACK-PHP.conf"] [line "300"] [id "933160"] [rev ""] [msg "PHP Injection Attack: High-Risk PHP Function Call Found"] [data "Matched Data: exec(/bin/bash) found within ARGS:a: exec(/bin/bash);"] [severity "2"] [ver "OWASP_CRS/3.1.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-php"] [tag "platform-multi"] [tag "attack-injection-php"] [tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "OWASP_TOP_10/A1"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571415.050309"] [ref "o0,15v8,16"]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `10' ) [file "/usr/share/modsecurity-crs/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "80"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 10)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571415.050309"] [ref ""]
ModSecurity: Warning. Matched "Operator `Ge' with parameter `5' against variable `TX:INBOUND_ANOMALY_SCORE' (Value: `10' ) [file "/usr/share/modsecurity-crs/rules/RESPONSE-980-CORRELATION.conf"] [line "76"] [id "980130"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=5,HTTP=0,SESS=0): PHP Injection Attack: High-Risk PHP Function Call Found; individual paranoia level scores: 10, 0, 0, 0"] [data ""] [severity "0"] [ver ""] [maturity "0"] [accuracy "0"] [tag "event-correlation"] [hostname "0.0.0.0"] [uri "/"] [unique_id "154689571415.050309"] [ref ""]

---8CP5TlcV---I--

[theMiddleBlue]

@airween could you check if your modsecurity version is v3.0.3-4-gcbf2fe97 because before this commit it works fine for me.

configure a default action to "deny" - sorry, I didn't found any info about this

configure a default action with SecDefaultAction, as you can find on the OWASP CRS config crs-setup.conf, for example:

SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

[airween]

@theMiddleBlue I'll see that soon - I just prepared the packages for Debian, and catched the released versions from all components (libmodsecurity3, ModSecurity-nginx).

Could you help me with the link of this release? I didn't found gcbf2fe97 in git log. And the version number (3.0.3-4) is also interesting for me.

The SecDefaultAction is clear now - I searched it in modsecurity.conf, sorry :).

[theMiddleBlue]

No problem, my first message was not very clear. At the time I'm writing, the version is v3.0.3-35-gcbf2fe97. I'm just compiling it with the latest modsecurity-nginx connector. I give you an update asap.

[theMiddleBlue]

Ok, I confirm that the issue is still present with version v3.0.3-35-g3c1fba27. With the drop disruptive action, the "DetectionOnly" doesn't work as expected. Following my tests (both using SecRuleEngine DetectionOnly) that shows which rules are matched by the request curl -v 'http://localhost/?a=exec("/bin/bash");':

# using disruptive action: pass
SecDefaultAction "phase:1,log,auditlog,pass"
SecDefaultAction "phase:2,log,auditlog,pass"

with the pass action, it seems work as expected to be for DetectionOnly:

• [932160] Remote Command Execution: Unix Shell Code Found
• [933160] PHP Injection Attack: High-Risk PHP Function Call Found
• [949110] Inbound Anomaly Score Exceeded (Total Score: 10)
• [980130] Inbound Anomaly Score Exceeded (Total Inbound Score: 10 - SQLI=0,XSS=0,RFI=0,LFI=0,RCE=5,PHPI=5,HTTP=0,SESS=0): PHP Injection Attack: High-Risk PHP Function Call Found; individual paranoia level scores: 10, 0, 0, 0

# using disruptive action: drop
SecDefaultAction "phase:1,log,auditlog,deny,status:403"
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

with the drop action, modsecurity stop at the first rule match:

• [932160] Remote Command Execution: Unix Shell Code Found

[airween]

A possible solution:
https://github.com/airween/ModSecurity/tree/v3/issue-1960

[theMiddleBlue]

Thanks @airween

I did a test using your branch, and it seems working like a dream!

[victorhora]

A possible solution:
https://github.com/airween/ModSecurity/tree/v3/issue-1960

This looks sane to me @airween and working here too. Thanks! :)

My initial concern was if the value of it->status is expected to be filled later on and it won't be if DetectionOnlyRuleEngine is set... Can you submit a pull request to trigger the tests on the buildbots too?