If I switch my SecRuleEngine to on instead of debug, would the above event be blocked? Am I correct to assume since that event did not exceed the anomaly score of 8 that it would have allowed this request? I have other events in my audit log which clearly state they exceed the threshold of 8, so is it a fair assumption that unless the audit log specifically states it exceeded the threshold, that the request would NOT be blocked?
Yes, that is correct.
If that is the case, is there a way to configure the audit log to only log events which would be blocked in the event of SecRuleEngine being set to on? I do not want to see any partial matches in my audit log that do not exceed threshold levels.
No, there isn't. And this is one of the main reasons I don't like anomaly scoring mode. Even after you turn it on, you will still see this noise. The only way to know whether an attack will be blocked is if the anomaly check that runs at the end (rule IDs 949110 - 949118) fired.
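One way to apply the check from the answer to an existing audit log, as an added example that is not part of the original thread. It assumes the native serial audit log format with section H included in SecAuditLogParts; the sample log, transaction ids and function names are constructed for illustration.

```python
import re

# Rule IDs the answer names as the final anomaly check (949110 - 949118).
BLOCKING_IDS = range(949110, 949119)
# Section boundary of the serial audit log format, e.g. --aaaa1111-H--
BOUNDARY = re.compile(r"^--([0-9a-zA-Z]+)-([A-Z])--$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')

def parse_transactions(log_text):
    """Split a serial audit log into {txid: {section_letter: [lines]}}."""
    txs, tx, section = {}, None, None
    for line in log_text.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            tx, section = m.group(1), m.group(2)
            txs.setdefault(tx, {}).setdefault(section, [])
        elif tx is not None:
            txs[tx][section].append(line)
    return txs

def would_block(log_text):
    """Return ids of transactions whose section H lists a 949110-949118 match."""
    hits = []
    for txid, sections in parse_transactions(log_text).items():
        ids = {int(i) for l in sections.get("H", []) for i in RULE_ID.findall(l)}
        if any(i in BLOCKING_IDS for i in ids):
            hits.append(txid)
    return hits

# Constructed sample: two transactions; only the second reaches the final check.
SAMPLE = """\
--aaaa1111-A--
[01/Jan/2024:10:00:00 +0000] tx1 203.0.113.5 40000 192.0.2.10 80
--aaaa1111-H--
Message: Warning. Pattern match at REQUEST_HEADERS:Host. [id "920350"] [msg "Host header is a numeric IP address"]
--aaaa1111-Z--

--bbbb2222-A--
[01/Jan/2024:10:00:05 +0000] tx2 203.0.113.5 40001 192.0.2.10 80
--bbbb2222-H--
Message: Warning. detected XSS using libinjection. [id "941100"] [msg "XSS Attack Detected via libinjection"]
Message: Warning. Operator GE matched 8 at TX:anomaly_score. [id "949110"] [msg "Inbound Anomaly Score Exceeded (Total Score: 13)"]
--bbbb2222-Z--
"""

if __name__ == "__main__":
    print(would_block(SAMPLE))
```

Transactions that only list individual rule matches, like the first one in the sample, are the noise the answer describes and are left out of the result.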