
[WAF] pass rule is considered as reason for alert #4497

Description

@victoredvardsson

What happened?

If you have one request matching multiple SecRules, even pass rules will be included in the alert, which could be misleading.

What did you expect to happen?

Only include matched SecRules with a disruptive action.

How can we reproduce it (as minimally and precisely as possible)?

Create two rules that will match a specific request, one should be pass and the other deny.

```console
$ cscli alerts inspect 1015286

################################################################################################

 - ID           : 1015286
 - Date         : 2026-06-02T12:22:06+02:00
 - Machine      : <redacted>
 - Simulation   : false
 - Remediation  : false
 - Kind         : waf
 - Reason       : request_uri: wordpress redirect
 - Events Count : 2
 - Scope:Value  : Ip:<redacted>
 - Country      : SE
 - Begin        : 2026-06-02T12:22:05+02:00
 - End          : 2026-06-02T12:22:05+02:00
 - UUID         : 15c866d7-69ba-4c98-815a-80b38dca473d


 - Context  :
╭───────────────┬──────────────────────────────────────────────────────────────╮
│      Key      │                             Value                            │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ host          │ www.bashult.sk                                               │
│ id            │ 400402                                                       │
│ id            │ 410045                                                       │
│ matched_zones │ REQUEST_URI                                                  │
│ matched_zones │ QUERY_STRING                                                 │
│ method        │ GET                                                          │
│ msg           │ request_uri: wordpress redirect                              │
│ msg           │ query_string: shell command bash                             │
│ name          │ native_rule:400402                                           │
│ name          │ native_rule:410045                                           │
│ uri           │ /wp-login.php?redirect_to=https%3A%2F%2Fwww.bashult.sk%      │
│               │ 2Fwp-admin%2F&reauth=1                                       │
╰───────────────┴──────────────────────────────────────────────────────────────╯
```

Rules matched:

```
SecRule REQUEST_URI                         "@rx wp-login\.php\?redirect_to="               "id:400402,phase:2,t:none,t:lowercase,t:urldecode,pass,skipAfter:IGNORE_HTTP_STRING,nolog,msg:'request_uri: wordpress redirect'"
SecRule QUERY_STRING                        "@rx bash "                                             "id:410045,phase:2,t:none,t:urldecode,deny,log,msg:'query_string: shell command bash'"
```

Anything else we need to know?

No response

### Crowdsec version

<details>

```console
$ cscli version
version: v1.7.8-debian-pragmatic-amd64-63227459
Codename: alphaga
BuildDate: 2026-05-11_12:36:14
GoVersion: 1.26.2
Platform: linux
libre2: C++
User-Agent: crowdsec/v1.7.8-debian-pragmatic-amd64-63227459-linux
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog, db_mysql, db_postgres, db_sqlite
```

</details>

### OS version

<details>

```console
# On Linux:
$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.5 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.5 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
$ uname -a
Linux <hostname> 5.15.0-143-generic #153-Ubuntu SMP Fri Jun 13 19:10:45 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
```

</details>


### Enabled collections and parsers

<details>

```console
$ cscli hub list -o raw
Loaded: 163 parsers, 12 postoverflows, 781 scenarios, 10 contexts, 6 appsec-configs, 218 appsec-rules, 163 collections
Unmanaged items: 4 local, 0 tainted
name,status,version,description,type
crowdsecurity/whitelists,enabled,0.3,Whitelist events from private ipv4 addresses,parsers
appsec-waf.yaml,"enabled,local",,,contexts
appsec-waf,"enabled,local",,,appsec-configs
coraza/base-config,"enabled,local",,,appsec-rules
custom/secrules,"enabled,local",,,appsec-rules
```

</details>

### Acquisition config

<details>

```console
# On Linux:
$ cat /etc/crowdsec/acquis.yaml /etc/crowdsec/acquis.d/*
listen_addr: 127.0.0.1:7422
appsec_config: appsec-waf
name: appsec-waf
source: appsec
log_level: info
routines: 64
labels:
  type: appsec-waf
```

</details>