Regular Expression Failure Triggers !@rx

[ssigwart]

Describe the bug

When there's a regular expression error due to SecPcreMatchLimit or SecPcreMatchLimitRecursion (i.e. MSC_PCRE_LIMITS_EXCEEDED), a rule using !@rx will say that the rule was triggered. However, failures with @rx will say that the rule was not triggered. I think both should assume the rule was not triggered. See coreruleset/coreruleset#3640 (comment) for additional context.

To Reproduce

See coreruleset/coreruleset#3640 (comment).

You can probably reproduce by setting SecPcreMatchLimit and SecPcreMatchLimitRecursion really low (maybe 5) and adding a !@rx rule.

Expected behavior

I would expect !@rx to not trigger a rule if there's a MSC_PCRE_LIMITS_EXCEEDED error.

Server (please complete the following information):

• ModSecurity version (and connector): ModSecurity v3.0.12 with nginx-connector v1.0.3
• WebServer: nginx-1.24.0
• OS (and distro): Amazon Linux 2

Rule Set (please complete the following information):

• Running any public or commercial rule set? CRS
• What is the version number? 4.1.0

[airween]

Hi @ssigwart,

thanks for reporting, I will take a look at this issue soon.