Fix disruptive action flow while RuleEngine is in DetectionOnly

2025-09-29 19:24:29 +03:00 · 2015-09-17 10:49:12 -03:00
parent 490ad23e41
commit 11e1a67d58
8 changed files with 136 additions and 27 deletions
--- a/test/test-cases/regression/action-disruptive.json
+++ b/test/test-cases/regression/action-disruptive.json
@@ -5,7 +5,7 @@
    "title":"Testing Disruptive actions (1/n)",
    "expected":{
      "debug_log": " Running action: deny",
-      "http_code":403
+      "http_code":404
    },
    "rules":[
      "SecRuleEngine On",
@@ -34,7 +34,7 @@
    "version_min":300000,
    "title":"Testing Disruptive actions (3/n)",
    "expected":{
-      "debug_log": " Running action: deny",
+      "debug_log": "Running action block",
      "http_code":404
    },
    "rules":[
--- a/test/test-cases/regression/actions.json
+++ b/test/test-cases/regression/actions.json
@@ -242,14 +242,14 @@
      "SecRuleEngine On",
      "SecDebugLog \/tmp\/modsec_debug.log",
      "SecDebugLogLevel 9",
-      "SecRule ARGS \"@contains test\" \"id:1,t:trim,status:500\""
+      "SecRule ARGS \"@contains test\" \"id:1,t:trim,deny,status:500\""
    ]
  },
         {
    "enabled": 1,
    "version_min": 300000,
    "version_max": 0,
-    "title": "actions :: phase:1,trim,status:500",
+    "title": "actions :: phase:1,trim,status:500,deny",
    "client": {
      "ip": "200.249.12.31",
      "port": 2313
@@ -303,14 +303,14 @@
      "SecRuleEngine On",
      "SecDebugLog \/tmp\/modsec_debug.log",
      "SecDebugLogLevel 9",
-      "SecRule ARGS \"@contains test\" \"id:1,phase:1,t:trim,status:500\""
+      "SecRule ARGS \"@contains test\" \"id:1,phase:1,t:trim,status:500,deny\""
    ]
  },
  {
    "enabled": 1,
    "version_min": 300000,
    "version_max": 0,
-    "title": "actions :: phase:4,trim,status:500",
+    "title": "actions :: phase:4,trim,status:500,deny",
    "client": {
      "ip": "200.249.12.31",
      "port": 2313
@@ -364,7 +364,7 @@
      "SecRuleEngine On",
      "SecDebugLog \/tmp\/modsec_debug.log",
      "SecDebugLogLevel 9",
-      "SecRule ARGS \"@contains test\" \"id:1,phase:4,t:trim,status:500\""
+      "SecRule ARGS \"@contains test\" \"id:1,phase:4,t:trim,status:500,deny\""
    ]
  }
 ]
--- a/test/test-cases/regression/secruleengine.json
+++ b/test/test-cases/regression/secruleengine.json
@@ -0,0 +1,50 @@
+[
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing Disruptive actions (1/n)",
+    "expected":{
+      "debug_log": " Running action: deny",
+      "http_code":404
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecDebugLog \/tmp\/modsec_debug.log",
+      "SecRuleEngine On",
+      "SecDefaultAction \"phase:2,deny,status:404\"",
+      "SecAction \"id:'900001',phase:request,nolog,status:403,t:none\""
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing Disruptive actions (2/n)",
+    "expected":{
+      "debug_log": "_Not_ running action: deny. Rule _does not_ contains a disruptive action, but SecRuleEngine is not On.",
+      "http_code":200
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecDebugLog \/tmp\/modsec_debug.log",
+      "SecRuleEngine Off",
+      "SecDefaultAction \"phase:2,deny,status:404\"",
+      "SecAction \"'id:'1',phase:request,nolog,t:none\""
+    ]
+  },
+  {
+    "enabled":1,
+    "version_min":300000,
+    "title":"Testing Disruptive actions (3/n)",
+    "expected":{
+      "debug_log": "Not running disruptive action: block. SecRuleEngine is not On",
+      "http_code":200
+    },
+    "rules":[
+      "SecRuleEngine On",
+      "SecDebugLog \/tmp\/modsec_debug.log",
+      "SecRuleEngine DetectionOnly",
+      "SecDefaultAction \"phase:2,deny,status:404\"",
+      "SecAction \"id:'1',phase:request,nolog,block,t:none\""
+    ]
+  }
+]