Adds support to ctl:ruleEngine

2025-08-13 13:26:01 +03:00 · 2017-07-27 21:48:56 -03:00 · 2017-07-27 21:48:56 -03:00 · 4bec6b0019
commit 4bec6b0019
parent 1f1e8324b1
11 changed files with 1631 additions and 1562 deletions
--- a/headers/modsecurity/transaction.h
+++ b/headers/modsecurity/transaction.h
@ -325,6 +325,8 @@ class Transaction : public TransactionAnchoredVariables {
 #endif
    void serverLog(std::shared_ptr<RuleMessage> rm);

+    int getRuleEngineState();
+
    std::string toJSON(int parts);
    std::string toOldAuditLogFormat(int parts, const std::string &trailer);
    std::string toOldAuditLogFormatIndex(const std::string &filename,
@ -521,6 +523,8 @@ class Transaction : public TransactionAnchoredVariables {
    RequestBodyProcessor::XML *m_xml;
    RequestBodyProcessor::JSON *m_json;

+    int m_secRuleEngine;
+
    std::string m_variableDuration;
    std::map<std::string, std::string> m_variableEnvs;
    std::string m_variableHighestSeverityAction;
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -105,6 +105,7 @@ ACTIONS = \
 	actions/capture.cc \
 	actions/chain.cc \
 	actions/ctl/audit_log_parts.cc \
+	actions/ctl/rule_engine.cc \
 	actions/ctl/request_body_processor_json.cc \
 	actions/ctl/request_body_processor_xml.cc \
 	actions/ctl/rule_remove_target_by_tag.cc \
--- a/src/actions/ctl/rule_engine.cc
+++ b/src/actions/ctl/rule_engine.cc
@ -0,0 +1,62 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include "src/actions/ctl/rule_engine.h"
+
+#include <iostream>
+#include <string>
+
+#include "modsecurity/rules_properties.h"
+#include "modsecurity/transaction.h"
+
+namespace modsecurity {
+namespace actions {
+namespace ctl {
+
+
+bool RuleEngine::init(std::string *error) {
+    std::string what(m_parser_payload, 11, m_parser_payload.size() - 11);
+
+    if (what == "on") {
+        m_ruleEngine = RulesProperties::EnabledRuleEngine;
+    } else if (what == "off") {
+        m_ruleEngine = RulesProperties::DisabledRuleEngine;
+    } else if (what == "detectiononly") {
+        m_ruleEngine = RulesProperties::DetectionOnlyRuleEngine;
+    } else {
+        error->assign("Internal error. Expected: On, Off or DetectionOnly; " \
+            "got: " + m_parser_payload);
+        return false;
+    }
+
+    return true;
+}
+
+bool RuleEngine::evaluate(Rule *rule, Transaction *transaction) {
+    std::stringstream a;
+    a << "Setting SecRuleEngine to ";
+    a << modsecurity::RulesProperties::ruleEngineStateString(m_ruleEngine);
+    a << " as requested by a ctl:ruleEngine action";
+
+    transaction->debug(8, a.str());
+
+    transaction->m_secRuleEngine = m_ruleEngine;
+    return true;
+}
+
+
+}  // namespace ctl
+}  // namespace actions
+}  // namespace modsecurity
--- a/src/actions/ctl/rule_engine.h
+++ b/src/actions/ctl/rule_engine.h
@ -0,0 +1,48 @@
+/*
+ * ModSecurity, http://www.modsecurity.org/
+ * Copyright (c) 2015 Trustwave Holdings, Inc. (http://www.trustwave.com/)
+ *
+ * You may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * If any of the files related to licensing are missing or if you have any
+ * other questions related to licensing please contact Trustwave Holdings, Inc.
+ * directly using the email address security@modsecurity.org.
+ *
+ */
+
+#include <string>
+
+#include "modsecurity/actions/action.h"
+#include "modsecurity/transaction.h"
+#include "modsecurity/rules_properties.h"
+
+
+#ifndef SRC_ACTIONS_CTL_RULE_ENGINE_H_
+#define SRC_ACTIONS_CTL_RULE_ENGINE_H_
+
+namespace modsecurity {
+namespace actions {
+namespace ctl {
+
+
+class RuleEngine : public Action {
+ public:
+    explicit RuleEngine(std::string action)
+        : Action(action, RunTimeOnlyIfMatchKind),
+        m_ruleEngine(RulesProperties::PropertyNotSetRuleEngine) { }
+
+    bool init(std::string *error) override;
+    bool evaluate(Rule *rule, Transaction *transaction) override;
+
+    RulesProperties::RuleEngine m_ruleEngine;
+};
+
+
+}  // namespace ctl
+}  // namespace actions
+}  // namespace modsecurity
+
+#endif  // SRC_ACTIONS_CTL_RULE_ENGINE_H_
--- a/src/parser/seclang-parser.cc
+++ b/src/parser/seclang-parser.cc
--- a/src/parser/seclang-parser.hh
+++ b/src/parser/seclang-parser.hh
@ -58,6 +58,7 @@ class Driver;
 #include "src/actions/chain.h"
 #include "src/actions/ctl/audit_log_parts.h"
 #include "src/actions/ctl/request_body_access.h"
+#include "src/actions/ctl/rule_engine.h"
 #include "src/actions/ctl/request_body_processor_json.h"
 #include "src/actions/ctl/request_body_processor_xml.h"
 #include "src/actions/ctl/rule_remove_by_id.h"
@ -367,7 +368,7 @@ using modsecurity::operators::Operator;



-#line 371 "seclang-parser.hh" // lalr1.cc:377
+#line 372 "seclang-parser.hh" // lalr1.cc:377

 # include <cassert>
 # include <cstdlib> // std::abort
@ -444,7 +445,7 @@ using modsecurity::operators::Operator;


 namespace yy {
-#line 448 "seclang-parser.hh" // lalr1.cc:377
+#line 449 "seclang-parser.hh" // lalr1.cc:377



@ -624,7 +625,6 @@ namespace yy {
      // "ACTION_CTL_BDY_XML"
      // "ACTION_CTL_FORCE_REQ_BODY_VAR"
      // "ACTION_CTL_REQUEST_BODY_ACCESS"
-      // "ACTION_CTL_RULE_ENGINE"
      // "ACTION_CTL_RULE_REMOVE_BY_ID"
      // "ACTION_CTL_RULE_REMOVE_TARGET_BY_ID"
      // "ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG"
@ -940,20 +940,20 @@ namespace yy {
        TOK_SETVAR_OPERATION_EQUALS_PLUS = 345,
        TOK_SETVAR_OPERATION_EQUALS_MINUS = 346,
        TOK_NOT = 347,
-        TOK_ACTION_ACCURACY = 348,
-        TOK_ACTION_ALLOW = 349,
-        TOK_ACTION_APPEND = 350,
-        TOK_ACTION_AUDIT_LOG = 351,
-        TOK_ACTION_BLOCK = 352,
-        TOK_ACTION_CAPTURE = 353,
-        TOK_ACTION_CHAIN = 354,
-        TOK_ACTION_CTL_AUDIT_ENGINE = 355,
-        TOK_ACTION_CTL_AUDIT_LOG_PARTS = 356,
-        TOK_ACTION_CTL_BDY_JSON = 357,
-        TOK_ACTION_CTL_BDY_XML = 358,
-        TOK_ACTION_CTL_FORCE_REQ_BODY_VAR = 359,
-        TOK_ACTION_CTL_REQUEST_BODY_ACCESS = 360,
-        TOK_ACTION_CTL_RULE_ENGINE = 361,
+        TOK_ACTION_CTL_RULE_ENGINE = 348,
+        TOK_ACTION_ACCURACY = 349,
+        TOK_ACTION_ALLOW = 350,
+        TOK_ACTION_APPEND = 351,
+        TOK_ACTION_AUDIT_LOG = 352,
+        TOK_ACTION_BLOCK = 353,
+        TOK_ACTION_CAPTURE = 354,
+        TOK_ACTION_CHAIN = 355,
+        TOK_ACTION_CTL_AUDIT_ENGINE = 356,
+        TOK_ACTION_CTL_AUDIT_LOG_PARTS = 357,
+        TOK_ACTION_CTL_BDY_JSON = 358,
+        TOK_ACTION_CTL_BDY_XML = 359,
+        TOK_ACTION_CTL_FORCE_REQ_BODY_VAR = 360,
+        TOK_ACTION_CTL_REQUEST_BODY_ACCESS = 361,
        TOK_ACTION_CTL_RULE_REMOVE_BY_ID = 362,
        TOK_ACTION_CTL_RULE_REMOVE_TARGET_BY_ID = 363,
        TOK_ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG = 364,
@ -1617,6 +1617,10 @@ namespace yy {
    symbol_type
    make_NOT (const location_type& l);

+    static inline
+    symbol_type
+    make_ACTION_CTL_RULE_ENGINE (const location_type& l);
+
    static inline
    symbol_type
    make_ACTION_ACCURACY (const std::string& v, const location_type& l);
@ -1669,10 +1673,6 @@ namespace yy {
    symbol_type
    make_ACTION_CTL_REQUEST_BODY_ACCESS (const std::string& v, const location_type& l);

-    static inline
-    symbol_type
-    make_ACTION_CTL_RULE_ENGINE (const std::string& v, const location_type& l);
-
    static inline
    symbol_type
    make_ACTION_CTL_RULE_REMOVE_BY_ID (const std::string& v, const location_type& l);
@ -2721,20 +2721,19 @@ namespace yy {
  {
      switch (other.type_get ())
    {
-      case 93: // "Accuracy"
-      case 94: // "Allow"
-      case 95: // "Append"
-      case 96: // "AuditLog"
-      case 97: // "Block"
-      case 98: // "Capture"
-      case 99: // "Chain"
-      case 100: // "ACTION_CTL_AUDIT_ENGINE"
-      case 101: // "ACTION_CTL_AUDIT_LOG_PARTS"
-      case 102: // "ACTION_CTL_BDY_JSON"
-      case 103: // "ACTION_CTL_BDY_XML"
-      case 104: // "ACTION_CTL_FORCE_REQ_BODY_VAR"
-      case 105: // "ACTION_CTL_REQUEST_BODY_ACCESS"
-      case 106: // "ACTION_CTL_RULE_ENGINE"
+      case 94: // "Accuracy"
+      case 95: // "Allow"
+      case 96: // "Append"
+      case 97: // "AuditLog"
+      case 98: // "Block"
+      case 99: // "Capture"
+      case 100: // "Chain"
+      case 101: // "ACTION_CTL_AUDIT_ENGINE"
+      case 102: // "ACTION_CTL_AUDIT_LOG_PARTS"
+      case 103: // "ACTION_CTL_BDY_JSON"
+      case 104: // "ACTION_CTL_BDY_XML"
+      case 105: // "ACTION_CTL_FORCE_REQ_BODY_VAR"
+      case 106: // "ACTION_CTL_REQUEST_BODY_ACCESS"
      case 107: // "ACTION_CTL_RULE_REMOVE_BY_ID"
      case 108: // "ACTION_CTL_RULE_REMOVE_TARGET_BY_ID"
      case 109: // "ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG"
@ -2961,20 +2960,19 @@ namespace yy {
    (void) v;
      switch (this->type_get ())
    {
-      case 93: // "Accuracy"
-      case 94: // "Allow"
-      case 95: // "Append"
-      case 96: // "AuditLog"
-      case 97: // "Block"
-      case 98: // "Capture"
-      case 99: // "Chain"
-      case 100: // "ACTION_CTL_AUDIT_ENGINE"
-      case 101: // "ACTION_CTL_AUDIT_LOG_PARTS"
-      case 102: // "ACTION_CTL_BDY_JSON"
-      case 103: // "ACTION_CTL_BDY_XML"
-      case 104: // "ACTION_CTL_FORCE_REQ_BODY_VAR"
-      case 105: // "ACTION_CTL_REQUEST_BODY_ACCESS"
-      case 106: // "ACTION_CTL_RULE_ENGINE"
+      case 94: // "Accuracy"
+      case 95: // "Allow"
+      case 96: // "Append"
+      case 97: // "AuditLog"
+      case 98: // "Block"
+      case 99: // "Capture"
+      case 100: // "Chain"
+      case 101: // "ACTION_CTL_AUDIT_ENGINE"
+      case 102: // "ACTION_CTL_AUDIT_LOG_PARTS"
+      case 103: // "ACTION_CTL_BDY_JSON"
+      case 104: // "ACTION_CTL_BDY_XML"
+      case 105: // "ACTION_CTL_FORCE_REQ_BODY_VAR"
+      case 106: // "ACTION_CTL_REQUEST_BODY_ACCESS"
      case 107: // "ACTION_CTL_RULE_REMOVE_BY_ID"
      case 108: // "ACTION_CTL_RULE_REMOVE_TARGET_BY_ID"
      case 109: // "ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG"
@ -3267,20 +3265,19 @@ namespace yy {
    // Type destructor.
    switch (yytype)
    {
-      case 93: // "Accuracy"
-      case 94: // "Allow"
-      case 95: // "Append"
-      case 96: // "AuditLog"
-      case 97: // "Block"
-      case 98: // "Capture"
-      case 99: // "Chain"
-      case 100: // "ACTION_CTL_AUDIT_ENGINE"
-      case 101: // "ACTION_CTL_AUDIT_LOG_PARTS"
-      case 102: // "ACTION_CTL_BDY_JSON"
-      case 103: // "ACTION_CTL_BDY_XML"
-      case 104: // "ACTION_CTL_FORCE_REQ_BODY_VAR"
-      case 105: // "ACTION_CTL_REQUEST_BODY_ACCESS"
-      case 106: // "ACTION_CTL_RULE_ENGINE"
+      case 94: // "Accuracy"
+      case 95: // "Allow"
+      case 96: // "Append"
+      case 97: // "AuditLog"
+      case 98: // "Block"
+      case 99: // "Capture"
+      case 100: // "Chain"
+      case 101: // "ACTION_CTL_AUDIT_ENGINE"
+      case 102: // "ACTION_CTL_AUDIT_LOG_PARTS"
+      case 103: // "ACTION_CTL_BDY_JSON"
+      case 104: // "ACTION_CTL_BDY_XML"
+      case 105: // "ACTION_CTL_FORCE_REQ_BODY_VAR"
+      case 106: // "ACTION_CTL_REQUEST_BODY_ACCESS"
      case 107: // "ACTION_CTL_RULE_REMOVE_BY_ID"
      case 108: // "ACTION_CTL_RULE_REMOVE_TARGET_BY_ID"
      case 109: // "ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG"
@ -3513,20 +3510,19 @@ namespace yy {
    super_type::move(s);
      switch (this->type_get ())
    {
-      case 93: // "Accuracy"
-      case 94: // "Allow"
-      case 95: // "Append"
-      case 96: // "AuditLog"
-      case 97: // "Block"
-      case 98: // "Capture"
-      case 99: // "Chain"
-      case 100: // "ACTION_CTL_AUDIT_ENGINE"
-      case 101: // "ACTION_CTL_AUDIT_LOG_PARTS"
-      case 102: // "ACTION_CTL_BDY_JSON"
-      case 103: // "ACTION_CTL_BDY_XML"
-      case 104: // "ACTION_CTL_FORCE_REQ_BODY_VAR"
-      case 105: // "ACTION_CTL_REQUEST_BODY_ACCESS"
-      case 106: // "ACTION_CTL_RULE_ENGINE"
+      case 94: // "Accuracy"
+      case 95: // "Allow"
+      case 96: // "Append"
+      case 97: // "AuditLog"
+      case 98: // "Block"
+      case 99: // "Capture"
+      case 100: // "Chain"
+      case 101: // "ACTION_CTL_AUDIT_ENGINE"
+      case 102: // "ACTION_CTL_AUDIT_LOG_PARTS"
+      case 103: // "ACTION_CTL_BDY_JSON"
+      case 104: // "ACTION_CTL_BDY_XML"
+      case 105: // "ACTION_CTL_FORCE_REQ_BODY_VAR"
+      case 106: // "ACTION_CTL_REQUEST_BODY_ACCESS"
      case 107: // "ACTION_CTL_RULE_REMOVE_BY_ID"
      case 108: // "ACTION_CTL_RULE_REMOVE_TARGET_BY_ID"
      case 109: // "ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG"
@ -4370,6 +4366,12 @@ namespace yy {
    return symbol_type (token::TOK_NOT, l);
  }

+  seclang_parser::symbol_type
+  seclang_parser::make_ACTION_CTL_RULE_ENGINE (const location_type& l)
+  {
+    return symbol_type (token::TOK_ACTION_CTL_RULE_ENGINE, l);
+  }
+
  seclang_parser::symbol_type
  seclang_parser::make_ACTION_ACCURACY (const std::string& v, const location_type& l)
  {
@ -4448,12 +4450,6 @@ namespace yy {
    return symbol_type (token::TOK_ACTION_CTL_REQUEST_BODY_ACCESS, v, l);
  }

-  seclang_parser::symbol_type
-  seclang_parser::make_ACTION_CTL_RULE_ENGINE (const std::string& v, const location_type& l)
-  {
-    return symbol_type (token::TOK_ACTION_CTL_RULE_ENGINE, v, l);
-  }
-
  seclang_parser::symbol_type
  seclang_parser::make_ACTION_CTL_RULE_REMOVE_BY_ID (const std::string& v, const location_type& l)
  {
@ -5555,7 +5551,7 @@ namespace yy {


 } // yy
-#line 5559 "seclang-parser.hh" // lalr1.cc:377
+#line 5555 "seclang-parser.hh" // lalr1.cc:377



--- a/src/parser/seclang-parser.yy
+++ b/src/parser/seclang-parser.yy
@ -24,6 +24,7 @@ class Driver;
 #include "src/actions/chain.h"
 #include "src/actions/ctl/audit_log_parts.h"
 #include "src/actions/ctl/request_body_access.h"
+#include "src/actions/ctl/rule_engine.h"
 #include "src/actions/ctl/request_body_processor_json.h"
 #include "src/actions/ctl/request_body_processor_xml.h"
 #include "src/actions/ctl/rule_remove_by_id.h"
@ -441,7 +442,9 @@ using modsecurity::operators::Operator;
  SETVAR_OPERATION_EQUALS_PLUS
  SETVAR_OPERATION_EQUALS_MINUS
  NOT                                          "NOT"
-  ;
+
+  ACTION_CTL_RULE_ENGINE                       "ACTION_CTL_RULE_ENGINE"
+;

 %token <std::string>
  ACTION_ACCURACY                              "Accuracy"
@ -457,7 +460,6 @@ using modsecurity::operators::Operator;
  ACTION_CTL_BDY_XML                           "ACTION_CTL_BDY_XML"
  ACTION_CTL_FORCE_REQ_BODY_VAR                "ACTION_CTL_FORCE_REQ_BODY_VAR"
  ACTION_CTL_REQUEST_BODY_ACCESS               "ACTION_CTL_REQUEST_BODY_ACCESS"
-  ACTION_CTL_RULE_ENGINE                       "ACTION_CTL_RULE_ENGINE"
  ACTION_CTL_RULE_REMOVE_BY_ID                 "ACTION_CTL_RULE_REMOVE_BY_ID"
  ACTION_CTL_RULE_REMOVE_TARGET_BY_ID          "ACTION_CTL_RULE_REMOVE_TARGET_BY_ID"
  ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG         "ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG"
@ -2087,18 +2089,15 @@ act:
      }
    | ACTION_CTL_RULE_ENGINE CONFIG_VALUE_ON
      {
-        //ACTION_NOT_SUPPORTED("CtlRuleEngine", @0);
-        ACTION_CONTAINER($$, new actions::Action($1));
+        ACTION_CONTAINER($$, new actions::ctl::RuleEngine("ctl:RuleEngine=on"));
      }
    | ACTION_CTL_RULE_ENGINE CONFIG_VALUE_OFF
      {
-        //ACTION_NOT_SUPPORTED("CtlRuleEngine", @0);
-        ACTION_CONTAINER($$, new actions::Action($1));
+        ACTION_CONTAINER($$, new actions::ctl::RuleEngine("ctl:RuleEngine=off"));
      }
    | ACTION_CTL_RULE_ENGINE CONFIG_VALUE_DETC
      {
-        //ACTION_NOT_SUPPORTED("CtlRuleEngine", @0);
-        ACTION_CONTAINER($$, new actions::Action($1));
+        ACTION_CONTAINER($$, new actions::ctl::RuleEngine("ctl:RuleEngine=detectiononly"));
      }
    | ACTION_CTL_RULE_REMOVE_BY_ID
      {
--- a/src/parser/seclang-scanner.cc
+++ b/src/parser/seclang-scanner.cc
--- a/src/parser/seclang-scanner.ll
+++ b/src/parser/seclang-scanner.ll
@ -415,7 +415,7 @@ EQUALS_MINUS                            (?i:=\-)
 {ACTION_CTL_BDY_XML}                                                    { return p::make_ACTION_CTL_BDY_XML(yytext, *driver.loc.back()); }
 {ACTION_CTL_FORCE_REQ_BODY_VAR}=                                        { return p::make_ACTION_CTL_FORCE_REQ_BODY_VAR(yytext, *driver.loc.back()); }
 {ACTION_CTL_REQUEST_BODY_ACCESS}=                                       { return p::make_ACTION_CTL_REQUEST_BODY_ACCESS(yytext, *driver.loc.back()); }
-{ACTION_CTL_RULE_ENGINE}=                                               { return p::make_ACTION_CTL_RULE_ENGINE(yytext, *driver.loc.back()); }
+{ACTION_CTL_RULE_ENGINE}=                                               { return p::make_ACTION_CTL_RULE_ENGINE(*driver.loc.back()); }
 {ACTION_CTL_RULE_REMOVE_BY_ID}[=]{REMOVE_RULE_BY}                       { return p::make_ACTION_CTL_RULE_REMOVE_BY_ID(yytext, *driver.loc.back()); }
 {ACTION_CTL_RULE_REMOVE_TARGET_BY_ID}[=]{REMOVE_RULE_BY}                { return p::make_ACTION_CTL_RULE_REMOVE_TARGET_BY_ID(yytext, *driver.loc.back()); }
 {ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG}[=]{REMOVE_RULE_BY}               { return p::make_ACTION_CTL_RULE_REMOVE_TARGET_BY_TAG(yytext, *driver.loc.back()); }
--- a/src/rule.cc
+++ b/src/rule.cc
@ -641,7 +641,7 @@ void Rule::executeActionsAfterFullMatch(Transaction *trans,
            continue;
        }

-        if (trans->m_rules->m_secRuleEngine == Rules::EnabledRuleEngine) {
+        if (trans->getRuleEngineState() == Rules::EnabledRuleEngine) {
            trans->debug(4, "(SecDefaultAction) " \
                "Running action: " + a->m_name + \
                " (rule _does not_ contains a " \
@ -665,7 +665,7 @@ void Rule::executeActionsAfterFullMatch(Transaction *trans,
            }
            continue;
        }
-        if (trans->m_rules->m_secRuleEngine == Rules::EnabledRuleEngine) {
+        if (trans->getRuleEngineState() == Rules::EnabledRuleEngine) {
            trans->debug(4, "Running (disruptive) action: " + a->m_name);
            a->evaluate(this, trans, ruleMessage);
            continue;
--- a/src/transaction.cc
+++ b/src/transaction.cc
@ -120,6 +120,7 @@ Transaction::Transaction(ModSecurity *ms, Rules *rules, void *logCbData)
    m_creationTimeStamp(utils::cpu_seconds()),
    m_logCbData(logCbData),
    m_ms(ms),
+    m_secRuleEngine(RulesProperties::PropertyNotSetRuleEngine),
    m_collections(ms->m_global_collection, ms->m_ip_collection,
        ms->m_session_collection, ms->m_user_collection,
        ms->m_resource_collection),
@ -468,7 +469,7 @@ int Transaction::processRequestHeaders() {
    debug(4, "Starting phase REQUEST_HEADERS.  (SecRules 1)");
 #endif

-    if (m_rules->m_secRuleEngine == Rules::DisabledRuleEngine) {
+    if (getRuleEngineState() == Rules::DisabledRuleEngine) {
 #ifndef NO_LOGS
        debug(4, "Rule engine disabled, returning...");
 #endif
@ -642,7 +643,7 @@ int Transaction::processRequestBody() {
    debug(4, "Starting phase REQUEST_BODY. (SecRules 2)");
 #endif

-    if (m_rules->m_secRuleEngine == RulesProperties::DisabledRuleEngine) {
+    if (getRuleEngineState() == RulesProperties::DisabledRuleEngine) {
 #ifndef NO_LOGS
        debug(4, "Rule engine disabled, returning...");
 #endif
@ -928,7 +929,7 @@ int Transaction::processResponseHeaders(int code, const std::string& proto) {
    m_variableResponseStatus.set(std::to_string(code), m_variableOffset);
    m_variableResponseProtocol.set(proto, m_variableOffset);

-    if (m_rules->m_secRuleEngine == Rules::DisabledRuleEngine) {
+    if (getRuleEngineState() == Rules::DisabledRuleEngine) {
 #ifndef NO_LOGS
        debug(4, "Rule engine disabled, returning...");
 #endif
@ -1053,7 +1054,7 @@ int Transaction::processResponseBody() {
    debug(4, "Starting phase RESPONSE_BODY. (SecRules 4)");
 #endif

-    if (m_rules->m_secRuleEngine == Rules::DisabledRuleEngine) {
+    if (getRuleEngineState() == Rules::DisabledRuleEngine) {
 #ifndef NO_LOGS
        debug(4, "Rule engine disabled, returning...");
 #endif
@ -1233,7 +1234,7 @@ int Transaction::processLogging() {
    debug(4, "Starting phase LOGGING. (SecRules 5)");
 #endif

-    if (m_rules->m_secRuleEngine == Rules::DisabledRuleEngine) {
+    if (getRuleEngineState() == Rules::DisabledRuleEngine) {
 #ifndef NO_LOGS
        debug(4, "Rule engine disabled, returning...");
 #endif
@ -1590,7 +1591,8 @@ std::string Transaction::toJSON(int parts) {

        /* producer > engine state */
        LOGFY_ADD("secrules_engine",
-            Rules::ruleEngineStateString(m_rules->m_secRuleEngine));
+            Rules::ruleEngineStateString(
+            (RulesProperties::RuleEngine) getRuleEngineState()));

        /* producer > components */
        yajl_gen_string(g,
@ -1675,6 +1677,15 @@ void Transaction::serverLog(std::shared_ptr<RuleMessage> rm) {
 }


+int Transaction::getRuleEngineState() {
+    if (m_secRuleEngine == RulesProperties::PropertyNotSetRuleEngine) {
+        return m_rules->m_secRuleEngine;
+    }
+
+    return m_secRuleEngine;
+}
+
+
 /**
 * @name    msc_new_transaction
 * @brief   Create a new transaction for a given configuration and ModSecurity core.