
Add is_interrupted flag in the audit JSON log#3553

Merged: airween merged 2 commits into owasp-modsecurity:v3/master from meirdev:v3/add-is-interrupted-to-json-log on Apr 28, 2026

Conversation


@meirdev meirdev commented Apr 26, 2026

what

Add an is_interrupted flag to the audit JSON log.

why

From the audit logs, it's not possible to determine whether ModSecurity actually interfered with the request.

Neither producer.secrules_engine nor messages.*.details.ruleId reliably indicates this, since rule actions can be modified dynamically.

For example:

SecRule REMOTE_ADDR "@streq 1.1.1.1" \
    "id:1000,\
    phase:1,\
    log,\
    msg:'test'"

SecRuleUpdateActionById 1000 "deny,status:403"

references

Coraza has introduced a similar flag:
https://github.com/corazawaf/coraza/blob/8b28b72ec16d01ed5b9b664699d1f69386f67029/internal/auditlog/auditlog.go#L89


Copilot AI left a comment


Pull request overview

Adds an is_interrupted boolean to the JSON audit log so consumers can tell whether a disruptive intervention was actually consumed during the transaction (as opposed to inferring from engine state or rule actions).

Changes:

  • Introduces a sticky Transaction member (m_isInterrupted) that is set the first time a disruptive intervention is consumed via Transaction::intervention().
  • Emits "is_interrupted": <bool> in the "transaction" object of the JSON audit log.
  • Adds regression tests covering both disruptive-blocking and DetectionOnly scenarios.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File | Description
test/test-cases/regression/auditlog.json | Adds regression cases asserting is_interrupted true (deny) and false (DetectionOnly).
src/transaction.cc | Sets the sticky flag when a disruptive intervention is returned; serializes it into JSON audit output.
headers/modsecurity/transaction.h | Adds m_isInterrupted member with explanatory comment describing its "sticky" semantics.
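
To show what a log consumer gains from the flag described in the PR and in the overview above, here is an added example in Python. It is not code from the PR or from ModSecurity: it reads line-delimited v3 JSON audit log entries, decides from `transaction.is_interrupted` whether each request was blocked, refuses to guess for entries written by a build that predates the flag, and compares the result with the older inference from `producer.secrules_engine` plus the matched `ruleId`s. The sample entries, the rule id 1001 and the set of "statically disruptive" rule ids are constructed for this example; the field layout follows the v3 JSON audit log, with `is_interrupted` placed in the `transaction` object as the PR does.

```python
import json
from typing import Optional

# Rule ids whose *static* definition carries a disruptive action. Constructed for
# this example: imagine a rules file where rule 1001 has "deny,status:403" and
# rule 1000 has only "log", as in the PR description.
STATICALLY_DISRUPTIVE_RULE_IDS = {"1001"}

# Constructed entries modelled on the ModSecurity v3 JSON audit log layout
# ("transaction" holds producer, messages and, after this PR, is_interrupted).
# Only the fields this example reads are included; none of this is a real capture.
SAMPLE_ENTRIES = [
    {   # rule 1000 is log-only in the rules file, but SecRuleUpdateActionById 1000
        # "deny,status:403" made it disruptive at runtime: the request was blocked
        "transaction": {
            "unique_id": "constructed-1",
            "is_interrupted": True,
            "response": {"http_code": 403},
            "producer": {"secrules_engine": "Enabled"},
            "messages": [{"message": "test", "details": {"ruleId": "1000"}}],
        }
    },
    {   # same match under SecRuleEngine DetectionOnly: logged, never blocked
        "transaction": {
            "unique_id": "constructed-2",
            "is_interrupted": False,
            "response": {"http_code": 200},
            "producer": {"secrules_engine": "DetectionOnly"},
            "messages": [{"message": "test", "details": {"ruleId": "1000"}}],
        }
    },
    {   # a rule that is disruptive in the rules file, engine enabled: blocked
        "transaction": {
            "unique_id": "constructed-3",
            "is_interrupted": True,
            "response": {"http_code": 403},
            "producer": {"secrules_engine": "Enabled"},
            "messages": [{"message": "static deny", "details": {"ruleId": "1001"}}],
        }
    },
    {   # entry written by a build that predates the flag: cannot be decided
        "transaction": {
            "unique_id": "constructed-4",
            "response": {"http_code": 403},
            "producer": {"secrules_engine": "Enabled"},
            "messages": [{"message": "test", "details": {"ruleId": "1000"}}],
        }
    },
]

# One JSON document per line, the way a log shipper usually sees the audit log.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(entry) for entry in SAMPLE_ENTRIES)


def was_interrupted(entry: dict) -> Optional[bool]:
    """Read the is_interrupted flag; None means the entry does not carry it."""
    flag = entry.get("transaction", {}).get("is_interrupted")
    return flag if isinstance(flag, bool) else None


def heuristic_interrupted(entry: dict, disruptive_rule_ids: set) -> bool:
    """The inference the flag replaces: engine Enabled and a matched rule whose
    static definition is disruptive. It cannot see actions changed at runtime
    (SecRuleUpdateActionById), which is exactly the gap the flag closes."""
    tx = entry.get("transaction", {})
    if tx.get("producer", {}).get("secrules_engine") != "Enabled":
        return False
    matched = {m.get("details", {}).get("ruleId") for m in tx.get("messages", [])}
    return bool(matched & disruptive_rule_ids)


def summarize(audit_log: str,
              disruptive_rule_ids: set = STATICALLY_DISRUPTIVE_RULE_IDS) -> dict:
    """Count blocked / logged-only / undecidable transactions in a line-delimited
    JSON audit log, and how often the old heuristic would have been wrong."""
    counts = {"blocked": 0, "logged_only": 0, "unknown": 0, "heuristic_wrong": 0}
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        flag = was_interrupted(entry)
        if flag is None:
            counts["unknown"] += 1  # older log format: report it, do not guess
            continue
        counts["blocked" if flag else "logged_only"] += 1
        if heuristic_interrupted(entry, disruptive_rule_ids) != flag:
            counts["heuristic_wrong"] += 1
    return counts


if __name__ == "__main__":
    # {'blocked': 2, 'logged_only': 1, 'unknown': 1, 'heuristic_wrong': 1}
    print(summarize(SAMPLE_AUDIT_LOG))
```

The first constructed entry is the case from the PR description: the matched rule looks log-only in the rules file, so the ruleId-based inference says "not blocked" while the flag says the request was interrupted. Treating a missing flag as "unknown" rather than false matters during a rollout, when a fleet mixes builds with and without the field.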



airween commented Apr 26, 2026

Hi @meirdev,

thanks for this PR - I think it's a great idea.

I've been thinking about where we could put this information in the Native format, but unfortunately many parts are not yet implemented in v3, so we need to skip adding this info there.

Anyway, we should take it back again if someone wants to extend the auditlog parts.


airween commented Apr 26, 2026

@meirdev: could you pick up the recent changes from upstream's v3/master?

meirdev force-pushed the v3/add-is-interrupted-to-json-log branch from 908c50f to 2394fc5 on April 26, 2026 18:59


airween commented Apr 28, 2026

@meirdev - thank you, merging into v3/master.

airween merged commit 931397f into owasp-modsecurity:v3/master on Apr 28, 2026 (98 checks passed)
airween added the label "3.x Related to ModSecurity version 3.x" on Apr 28, 2026