The rule block function is quite complicated, so this section explains it further. The following example is taken from the Block topic (under the Actions section) of the Reference Manual on the ModSecurity Documentation page, with further explanatory text added.

The block action is essentially a placeholder that rule writers use to request a blocking action without specifying how the blocking is to be done. The SecDefaultAction command specifies how the blocking is done: the block action is replaced by the action from the last SecDefaultAction in the same context.

Block Example 1

The following example shows the SecDefaultAction set to deny. The second rule (id:102) uses block, so it will “deny” because the SecDefaultAction is set to deny.

SecDefaultAction phase:2,deny,id:101,status:403,log,auditlog
SecRule ARGS attack2 phase:2,pass,id:103
SecRule ARGS attack1 phase:2,block,id:102

Block Example 2

The following example shows the use of the SecRuleUpdateActionById command to override how a rule handles blocking. The SecRuleUpdateActionById command allows a rule to be reverted to the previous SecDefaultAction. In this example, the first rule (SecRule ARGS attack1 phase:2,deny,id:1) would, on its own, deny whenever its conditions are met.

By using SecRuleUpdateActionById against rule ID 1 and specifying block, we tie the first rule's action to that of the SecDefaultAction, which is pass. So in this case, the first rule would pass when its conditions are met: it would not deny.

SecDefaultAction phase:2,pass,log,auditlog
SecRule ARGS attack1 phase:2,deny,id:1
SecRuleUpdateActionById 1 block
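
The two examples above can be checked with a small Python model of the placeholder resolution. This is an added example, not code from the Reference Manual or from ModSecurity itself; the function names resolve() and disruptive() are hypothetical, and the model assumes a single configuration context with unquoted, comma-separated action lists as written above.

```python
# Added example: simplified model of how the block placeholder is resolved.
# Assumptions: one configuration context, unquoted comma-separated action
# lists as in the examples above; resolve() and disruptive() are hypothetical.
DISRUPTIVE = {"deny", "drop", "pass", "allow", "redirect", "proxy"}

EXAMPLE_1 = """\
SecDefaultAction phase:2,deny,id:101,status:403,log,auditlog
SecRule ARGS attack2 phase:2,pass,id:103
SecRule ARGS attack1 phase:2,block,id:102
"""
EXAMPLE_2 = """\
SecDefaultAction phase:2,pass,log,auditlog
SecRule ARGS attack1 phase:2,deny,id:1
SecRuleUpdateActionById 1 block
"""

def disruptive(actions):
    """Return the last disruptive action (or 'block') named in an action list."""
    found = None
    for action in actions.split(","):
        name = action.strip().split(":", 1)[0]
        if name in DISRUPTIVE or name == "block":
            found = name
    return found

def resolve(config):
    """Map each rule id to the disruptive action it ends up performing."""
    default = "pass"  # ModSecurity's built-in default when no SecDefaultAction is set
    rules = {}        # rule id -> (action as written, default in force at definition)
    for line in config.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "SecDefaultAction":
            default = disruptive(parts[1]) or default
        elif parts[0] == "SecRule":  # SecRule VARIABLES OPERATOR ACTIONS
            actions = parts[3]
            rule_id = next(a[3:] for a in actions.split(",") if a.startswith("id:"))
            rules[rule_id] = (disruptive(actions) or default, default)
        elif parts[0] == "SecRuleUpdateActionById":
            written, inherited = rules[parts[1]]
            rules[parts[1]] = (disruptive(parts[2]) or written, inherited)
    # 'block' is only a placeholder: swap in the inherited default action.
    return {rid: (inh if act == "block" else act) for rid, (act, inh) in rules.items()}

if __name__ == "__main__":
    for name, cfg in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, resolve(cfg))
```

Running the model over a rule file before deployment shows which rules written with block, or later updated to block, will only pass under the current SecDefaultAction.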