From 7c07702633c409d4539a045d7b8faccc4dafb43d Mon Sep 17 00:00:00 2001
From: dextermallo <dextermallo@gmail.com>
Date: Thu, 22 Jun 2023 11:24:59 +0100
Subject: [PATCH 1/9] chore: update doc for matadata actions

---
 internal/actions/id.go  | 10 ++++++++++
 internal/actions/msg.go | 10 ++++++++++
 internal/actions/tag.go | 15 +++++++++++++++
 internal/actions/ver.go | 13 +++++++++++++
 4 files changed, 48 insertions(+)

diff --git a/internal/actions/id.go b/internal/actions/id.go
index 77f5ac650..4dcd80266 100644
--- a/internal/actions/id.go
+++ b/internal/actions/id.go
@@ -11,6 +11,16 @@ import (
 	"github.com/corazawaf/coraza/v3/internal/corazawaf"
 )
 
+// Action Group: Metadata
+//
+// Description:
+// > This action is mandatory for all `SecRule` and `SecAction`, and it must be numeric.
+// Assigns a unique ID to the rule or chain in which it appears.
+//
+// Example:
+// ```
+// SecRule &REQUEST_HEADERS:Host "@eq 0" "log,id:60008,severity:2,msg:'Request Missing a Host Header'"
+// ```
 type idFn struct{}
 
 func (a *idFn) Init(r plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/msg.go b/internal/actions/msg.go
index a3d524019..a8defb773 100644
--- a/internal/actions/msg.go
+++ b/internal/actions/msg.go
@@ -10,6 +10,16 @@ import (
 	utils "github.com/corazawaf/coraza/v3/internal/strings"
 )
 
+// Action Group: metadata
+//
+// Description:
+// Assigns a custom message to the rule or chain in which it appears, and the message will be logged along with every alert.
+// Noted that the msg information appears in the error and/or audit log files and is not sent back to the client in response headers.
+//
+// Example:
+// ```
+// SecRule &REQUEST_HEADERS:Host "@eq 0" "log,id:60008,severity:2,msg:'Request Missing a Host Header'"
+// ```
 type msgFn struct{}
 
 func (a *msgFn) Init(r plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/tag.go b/internal/actions/tag.go
index f7f16486d..8f911a030 100644
--- a/internal/actions/tag.go
+++ b/internal/actions/tag.go
@@ -8,6 +8,21 @@ import (
 	"github.com/corazawaf/coraza/v3/internal/corazawaf"
 )
 
+// Action Group: Metadata
+//
+// Description:
+// Assigns a tag (category) to a rule or a chain. The tag information appears along with other rule metadata.
+// Tags allow easy automated categorization of events, and multiple tags can be specified on the same rule.
+// You can use forward slashes to create a hierarchy of categories (see example), and it also support Macro Expansions.
+//
+// Example:
+// ```
+//
+//	SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" \
+//	 	"phase:2,rev:'2.1.3',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'% \
+//		{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+//
+// ```
 type tagFn struct{}
 
 func (a *tagFn) Init(r plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/ver.go b/internal/actions/ver.go
index 9f97ab055..3123b7158 100644
--- a/internal/actions/ver.go
+++ b/internal/actions/ver.go
@@ -8,6 +8,19 @@ import (
 	"github.com/corazawaf/coraza/v3/internal/corazawaf"
 )
 
+// Action Group: Metadata
+//
+// Description:
+// Specifies the rule set version.
+//
+// Example:
+// ```
+//
+//	SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" \
+//	 	"phase:2,ver:'CRS/2.2.4,capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'% \
+//		{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+//
+// ```
 type verFn struct{}
 
 func (a *verFn) Init(r plugintypes.RuleMetadata, data string) error {

From 5e2ebaa31a8715b252a4b78c341cef98c65c92a3 Mon Sep 17 00:00:00 2001
From: dextermallo <dextermallo@gmail.com>
Date: Thu, 22 Jun 2023 11:26:05 +0100
Subject: [PATCH 2/9] chore: update doc for flow action

---
 internal/actions/chain.go | 35 +++++++++++++++++++++++++++++++++++
 1 file changed, 35 insertions(+)

diff --git a/internal/actions/chain.go b/internal/actions/chain.go
index 3d3adea62..3c254a3d7 100644
--- a/internal/actions/chain.go
+++ b/internal/actions/chain.go
@@ -8,6 +8,41 @@ import (
 	"github.com/corazawaf/coraza/v3/internal/corazawaf"
 )
 
+// Action Group: Flow
+//
+// Description:
+// Creating a rule chain - chains the current rule with the rule that immediately follows it.
+//
+// Noted that rule chains simulate **AND condition**.
+// The disruptive actions specified in the first portion of the chained rule will be triggered only if all of the variable checks return positive hits.
+// If one of the chained rule is negative, the entire rule chain will fail to match.
+//
+// These action can be specified only by the chain starter rule:
+// - disruptive actions
+// - execution phases
+// - metadata actions (id, rev, msg, tag, severity, logdata)
+// - skip
+// - skipAfter
+//
+// The following directives can be used in rule chains:
+// - `SecAction`
+// - `SecRule`
+// - `SecRuleScript`
+//
+// Special rules control the usage of actions in a chained rule:
+// - An action which affects the rule flow (i.e., the disruptive actions, `skip` and `skipAfter`) can be used only in the chain starter. They will be executed only if the entire chain matches.
+// - Non-disruptive rules can be used in any rule; they will be executed if the rule that contains them matches and not only when the entire chain matches.
+// - The metadata actions (e.g., `id`, `rev`, `msg`) can be used only in the chain starter.
+//
+// Example:
+// ```
+// # Refuse to accept POST requests that do not contain a Content-Length header.
+// # Noted that the rule should be preceded by a rule that verifies only valid request methods are used.
+//
+//	SecRule REQUEST_METHOD "^POST$" "phase:1,chain,t:none,id:105"
+//		SecRule &REQUEST_HEADERS:Content-Length "@eq 0" "t:none"
+//
+// ```
 type chainFn struct{}
 
 func (a *chainFn) Init(r plugintypes.RuleMetadata, data string) error {

From 3df3941d94ddc4eb244dcf67d90b344989c96683 Mon Sep 17 00:00:00 2001
From: dextermallo <dextermallo@gmail.com>
Date: Thu, 22 Jun 2023 11:52:21 +0100
Subject: [PATCH 3/9] chore: update doc for remaining flow/metadata actions;
 wording

---
 internal/actions/maturity.go  | 14 ++++++++++++++
 internal/actions/msg.go       |  2 +-
 internal/actions/skip.go      | 16 ++++++++++++++++
 internal/actions/skipafter.go | 32 ++++++++++++++++++++++++++++++++
 4 files changed, 63 insertions(+), 1 deletion(-)

diff --git a/internal/actions/maturity.go b/internal/actions/maturity.go
index 9eab1f311..6375d3932 100644
--- a/internal/actions/maturity.go
+++ b/internal/actions/maturity.go
@@ -11,6 +11,20 @@ import (
 	"github.com/corazawaf/coraza/v3/internal/corazawaf"
 )
 
+// Action Group: Metadata
+//
+// Description:
+// Specifies the relative maturity level of the rule related to the length of time a rule has been public and the amount of testing it has received.
+// The value is a string based on a numeric scale (1-9 where 9 is extensively tested and 1 is a brand new experimental rule).
+//
+// Example:
+// ```
+//
+//	SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bgetparentfolder\b" \
+//		"phase:2,ver:'CRS/2.2.4,accuracy:'9',maturity:'9',capture,t:none,t:htmlEntityDecode,t:compressWhiteSpace,t:lowercase,ctl:auditLogParts=+E,block,msg:'Cross-site Scripting (XSS) Attack',id:'958016',tag:'WEB_ATTACK/XSS',tag:'WASCTC/WASC-8',tag:'WASCTC/WASC-22',tag:'OWASP_TOP_10/A2',tag:'OWASP_AppSensor/IE1',tag:'PCI/6.5.1',logdata:'% \
+//	 	{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.xss_score=+%{tx.critical_anomaly_score},setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/XSS-%{matched_var_name}=%{tx.0}"
+//
+// ```
 type maturityFn struct{}
 
 func (a *maturityFn) Init(r plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/msg.go b/internal/actions/msg.go
index a8defb773..23b0e5fdc 100644
--- a/internal/actions/msg.go
+++ b/internal/actions/msg.go
@@ -10,7 +10,7 @@ import (
 	utils "github.com/corazawaf/coraza/v3/internal/strings"
 )
 
-// Action Group: metadata
+// Action Group: Metadata
 //
 // Description:
 // Assigns a custom message to the rule or chain in which it appears, and the message will be logged along with every alert.
diff --git a/internal/actions/skip.go b/internal/actions/skip.go
index 3ec5c13f0..ca13f8073 100644
--- a/internal/actions/skip.go
+++ b/internal/actions/skip.go
@@ -11,6 +11,22 @@ import (
 	"github.com/corazawaf/coraza/v3/internal/corazawaf"
 )
 
+// Action Group: Flow
+//
+// Description:
+// Skips one or more rules (or chained rules) on successful match.
+// It only within the current processing phase and not necessarily in the order in which the rules appear in the configuration file.
+// If you place a phase 2 rule after a phase 1 rule that uses skip, it will not skip over the phase 2 rule,
+// it will skip over the next phase 1 rule that follows it in the phase.
+//
+// Example:
+// ```
+// # Require Accept header, but not from access from the localhost
+// SecRule REMOTE_ADDR "^127\.0\.0\.1$" "phase:1,skip:1,id:141"
+//
+// # This rule will be skipped over when REMOTE_ADDR is 127.0.0.1
+// SecRule &REQUEST_HEADERS:Accept "@eq 0" "phase:1,id:142,deny,msg:'Request Missing an Accept Header'"
+// ```
 type skipFn struct {
 	data int
 }
diff --git a/internal/actions/skipafter.go b/internal/actions/skipafter.go
index dce2e7fb6..ed904cf79 100644
--- a/internal/actions/skipafter.go
+++ b/internal/actions/skipafter.go
@@ -9,6 +9,38 @@ import (
 	utils "github.com/corazawaf/coraza/v3/internal/strings"
 )
 
+// Action Group: Flow
+//
+// Description:
+// Action `skipAfter` is similar to `skip`, it skip one or more rules (or chained rules) on a successful match,
+// **and resuming rule execution with the first rule that follows the rule (or marker created by SecMarker) with the provided ID)).
+// The `skipAfter` action works only within the current processing phase and not necessarily the order in which the rules appear in the configuration file.
+//
+// Example:
+// ```
+// # The following rules implement the same logic as the skip example, but using skipAfter:
+// # Require Accept header, but not from access from the localhost
+// SecRule REMOTE_ADDR "^127\.0\.0\.1$" "phase:1,id:143,skipAfter:IGNORE_LOCALHOST"
+//
+// # This rule will be skipped over when REMOTE_ADDR is 127.0.0.1
+// SecRule &REQUEST_HEADERS:Accept "@eq 0" "phase:1,deny,id:144,msg:'Request Missing an Accept Header'"
+// SecMarker IGNORE_LOCALHOST
+//
+// # another Example from the OWASP CRS
+// SecMarker BEGIN_HOST_CHECK
+//
+//	SecRule &REQUEST_HEADERS:Host "@eq 0" \
+//		"skipAfter:END_HOST_CHECK,phase:2,rev:'2.1.3',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21', \
+//		tag:'OWASP_TOP_10/A7',tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score}, \
+//		setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score},setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+//
+//	SecRule REQUEST_HEADERS:Host "^$" \
+//		"phase:2,rev:'2.1.3',t:none,block,msg:'Request Missing a Host Header',id:'960008',tag:'PROTOCOL_VIOLATION/MISSING_HEADER_HOST',tag:'WASCTC/WASC-21',tag:'OWASP_TOP_10/A7', \
+//		tag:'PCI/6.5.10',severity:'5',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.notice_anomaly_score},setvar:tx.protocol_violation_score=+%{tx.notice_anomaly_score}, \
+//		setvar:tx.%{rule.id}-PROTOCOL_VIOLATION/MISSING_HEADER-%{matched_var_name}=%{matched_var}"
+//
+// SecMarker END_HOST_CHECK
+// ```
 type skipafterFn struct {
 	data string
 }

From 1c01d688884860ea8cee1d3b177f38547999755c Mon Sep 17 00:00:00 2001
From: dextermallo <dextermallo@gmail.com>
Date: Thu, 22 Jun 2023 12:04:08 +0100
Subject: [PATCH 4/9] chore: update doc for phase/severity/status actions

---
 internal/actions/phase.go    | 23 +++++++++++++++++++++++
 internal/actions/severity.go | 25 +++++++++++++++++++++++++
 internal/actions/status.go   | 10 ++++++++++
 3 files changed, 58 insertions(+)

diff --git a/internal/actions/phase.go b/internal/actions/phase.go
index 48238bc3f..e5b0b53d5 100644
--- a/internal/actions/phase.go
+++ b/internal/actions/phase.go
@@ -9,6 +9,29 @@ import (
 	"github.com/corazawaf/coraza/v3/types"
 )
 
+// Action Group: Metadata
+//
+// Description:
+// Places the rule or chain into one of five available processing phases.
+// It can also be used in `SecDefaultAction` to establish the rule defaults.
+//
+// Besides, There are aliases for some phase numbers:
+// - 2 (request)
+// - 4 (response)
+// - 5 (logging)
+//
+// > Warning: Keep in mind that the variable used in the rule may not be available if specifying the incorrect phase.
+// > This could lead to a false negative situation where your variable and operator may be correct,
+// > but it misses malicious data because you specified the wrong phase.
+//
+// Example:
+// ```
+// # Initialize IP address tracking in phase 1
+// SecAction phase:1,nolog,pass,id:126,initcol:IP=%{REMOTE_ADDR}
+//
+// # Example of using phase alias
+// SecRule REQUEST_HEADERS:User-Agent "Test" "phase:request,log,deny,id:127"
+// ```
 type phaseFn struct{}
 
 func (a *phaseFn) Init(r plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/severity.go b/internal/actions/severity.go
index 718b44781..6dd404cd7 100644
--- a/internal/actions/severity.go
+++ b/internal/actions/severity.go
@@ -9,6 +9,31 @@ import (
 	"github.com/corazawaf/coraza/v3/types"
 )
 
+// Action Group: Metadata
+//
+// Description:
+// Assigns severity to the rule in which it is used.
+// Severity values in Coraza follows the numeric scale of syslog (where 0 is the most severe).
+//
+// The data below is used by the OWASP Core Rule Set (CRS):
+// - **0, EMERGENCY**: is generated from correlation of anomaly scoring data where there is an inbound attack and an outbound leakage.
+// - **1, ALERT**: is generated from correlation where there is an inbound attack and an outbound application level error.
+// - **2, CRITICAL**: Anomaly Score of 5. Is the highest severity level possible without correlation. It is normally generated by the web attack rules (40 level files).
+// - **3, ERROR**: Error - Anomaly Score of 4. Is generated mostly from outbound leakage rules (50 level files).
+// - **4, WARNING**: Anomaly Score of 3. Is generated by malicious client rules (35 level files).
+// - **5, NOTICE**: Anomaly Score of 2. Is generated by the Protocol policy and anomaly files.
+// - **6, INFO**
+// - **7, DEBUG**
+//
+// > It is possible to specify severity levels using either the numerical values or the text values,
+// > but you should always specify severity levels using the text values,
+// > because it is difficult to remember what a number stands for.
+// > The use of the numerical values is deprecated as of version 2.5.0 and may be removed in one of the subsequent major updates.
+//
+// Example:
+// ```
+// SecRule REQUEST_METHOD "^PUT$" "id:340002,rev:1,severity:CRITICAL,msg:'Restricted HTTP function'"
+// ```
 type severityFn struct{}
 
 func (a *severityFn) Init(r plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/status.go b/internal/actions/status.go
index 6d10f559a..344100bdc 100644
--- a/internal/actions/status.go
+++ b/internal/actions/status.go
@@ -11,6 +11,16 @@ import (
 	"github.com/corazawaf/coraza/v3/internal/corazawaf"
 )
 
+// Action Group: Data
+//
+// Description:
+// Specifies the response status code to use with actions deny and redirect.
+//
+// Example:
+// ```
+// # Deny status 403
+// SecDefaultAction "phase:1,log,deny,id:145,status:403"
+// ```
 type statusFn struct{}
 
 func (a *statusFn) Init(r plugintypes.RuleMetadata, data string) error {

From 0c421059aa0a55e5ae296e67cb0c9121929b1cb1 Mon Sep 17 00:00:00 2001
From: dextermallo <dextermallo@gmail.com>
Date: Thu, 22 Jun 2023 12:16:02 +0100
Subject: [PATCH 5/9] chore: update doc for exec/expirevar/initcol/log/logdata
 actions

---
 internal/actions/exec.go      | 22 ++++++++++++++++++++++
 internal/actions/expirevar.go | 16 ++++++++++++++++
 internal/actions/initcol.go   | 14 +++++++++++++-
 internal/actions/log.go       | 10 ++++++++++
 internal/actions/logdata.go   | 12 ++++++++++++
 5 files changed, 73 insertions(+), 1 deletion(-)

diff --git a/internal/actions/exec.go b/internal/actions/exec.go
index 9464bff29..487b36b74 100644
--- a/internal/actions/exec.go
+++ b/internal/actions/exec.go
@@ -7,6 +7,28 @@ import (
 	"github.com/corazawaf/coraza/v3/experimental/plugins/plugintypes"
 )
 
+// Action Group: Non-disruptive
+//
+// Description:
+// Executes an external script/binary supplied as parameter.
+// The `exec` action is executed independently from any disruptive actions specified.
+// External scripts will always be called with no parameters.
+// Some transaction information will be placed in environment variables.
+// All the usual CGI environment variables will be there.
+// You should be aware that forking a threaded process results in all threads being replicated in the new process.
+// Forking can therefore incur larger overhead in a multithreaded deployment.
+//
+// > The script you execute must write something (anything) to stdout,
+// > if it doesn’t, Coraza will assume that the script failed, and will record the failure.
+//
+// Example:
+// ```
+// # Run external program on rule match
+// SecRule REQUEST_URI "^/cgi-bin/script\.pl" "phase:2,id:112,t:none,t:lowercase,t:normalizePath,block,\ exec:/usr/local/apache/bin/test.sh"
+
+// # Run Lua script on rule match
+// SecRule ARGS:p attack "phase:2,id:113,block,exec:/usr/local/apache/conf/exec.lua"
+// ```
 type execFn struct{}
 
 func (a *execFn) Init(_ plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/expirevar.go b/internal/actions/expirevar.go
index a05d76623..e09462f62 100644
--- a/internal/actions/expirevar.go
+++ b/internal/actions/expirevar.go
@@ -7,6 +7,22 @@ import (
 	"github.com/corazawaf/coraza/v3/experimental/plugins/plugintypes"
 )
 
+// Action Group: Non-disruptive
+//
+// Description:
+// Configures a collection variable to expire after the given time period (in seconds).
+// You should use the `expirevar` with `setvar` action to keep the intended expiration time.
+// The expire time will be reset if they are used on their own (perhaps in a SecAction directive).
+//
+// Example:
+// ```
+//
+//	SecRule REQUEST_COOKIES:JSESSIONID "!^$" "nolog,phase:1,id:114,pass,setsid:%{REQUEST_COOKIES:JSESSIONID}"
+//
+//	SecRule REQUEST_URI "^/cgi-bin/script\.pl" "phase:2,id:115,t:none,t:lowercase,t:normalizePath,log,allow,\
+//		setvar:session.suspicious=1,expirevar:session.suspicious=3600,phase:1"
+//
+// ```
 type expirevarFn struct{}
 
 func (a *expirevarFn) Init(_ plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/initcol.go b/internal/actions/initcol.go
index 12163f2d2..4899d7213 100644
--- a/internal/actions/initcol.go
+++ b/internal/actions/initcol.go
@@ -9,7 +9,19 @@ import (
 	"github.com/corazawaf/coraza/v3/experimental/plugins/plugintypes"
 )
 
-// Initializes a persistent collection and add the data to the standard collections coraza.
+// Action Group: Non-disruptive
+//
+// Description:
+// Initializes a named persistent collection, either by loading data from storage or by creating a new collection in memory.
+// Collections are loaded into memory on-demand, when the initcol action is executed.
+// A collection will be persisted only if a change was made to it in the course of transaction processing.
+// See the `Persistent Storage` section for further details.
+//
+// Example:
+// ```
+// # Initiates IP address tracking, which is best done in phase 1
+// SecAction "phase:1,id:116,nolog,pass,initcol:ip=%{REMOTE_ADDR}"
+// ```
 type initcolFn struct {
 	collection string
 	variable   byte
diff --git a/internal/actions/log.go b/internal/actions/log.go
index 6b41edd40..ba3297a11 100644
--- a/internal/actions/log.go
+++ b/internal/actions/log.go
@@ -8,6 +8,16 @@ import (
 	"github.com/corazawaf/coraza/v3/internal/corazawaf"
 )
 
+// Action Group: Non-disruptive
+//
+// Description:
+// Indicates that a successful match of the rule needs to be logged.
+//
+// Example:
+// ```
+// # log matches from the error log file to the Coraza audit log.
+// SecAction "phase:1,id:117,pass,initcol:ip=%{REMOTE_ADDR},log"
+// ```
 type logFn struct{}
 
 func (a *logFn) Init(r plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/logdata.go b/internal/actions/logdata.go
index 1928d9bf2..03a602d74 100644
--- a/internal/actions/logdata.go
+++ b/internal/actions/logdata.go
@@ -9,6 +9,18 @@ import (
 	"github.com/corazawaf/coraza/v3/internal/corazawaf"
 )
 
+// Action Group: Non-disruptive
+//
+// Description:
+// Logs a data fragment as part of the alert message.
+// The logdata information appears in the error and/or audit log files. Macro expansion is performed,
+// so you may use variable names such as %{TX.0} or %{MATCHED_VAR}.
+// The information is properly escaped for use with logging of binary data.
+//
+// Example:
+// ```
+// SecRule ARGS:p "@rx <script>" "phase:2,id:118,log,pass,logdata:%{MATCHED_VAR}"
+// ```
 type logdataFn struct{}
 
 func (a *logdataFn) Init(r plugintypes.RuleMetadata, data string) error {

From 2eaf845dec7a449101ebb53e1c049a4dba967090 Mon Sep 17 00:00:00 2001
From: dextermallo <dextermallo@gmail.com>
Date: Thu, 22 Jun 2023 12:27:31 +0100
Subject: [PATCH 6/9] chore: update doc for deny/multimatch/rev/setenv/t
 actions

---
 internal/actions/deny.go       |  9 +++++++++
 internal/actions/multimatch.go | 11 +++++++++++
 internal/actions/rev.go        | 13 +++++++++++++
 internal/actions/setenv.go     | 14 ++++++++++++++
 internal/actions/t.go          | 11 +++++++++++
 5 files changed, 58 insertions(+)

diff --git a/internal/actions/deny.go b/internal/actions/deny.go
index f717a7f78..994f35c7d 100644
--- a/internal/actions/deny.go
+++ b/internal/actions/deny.go
@@ -8,6 +8,15 @@ import (
 	"github.com/corazawaf/coraza/v3/types"
 )
 
+// Action Group: Disruptive
+//
+// Description:
+// Stops rule processing and intercepts transaction.
+//
+// Example:
+// ```
+// SecRule REQUEST_HEADERS:User-Agent "nikto" "log,deny,id:107,msg:'Nikto Scanners Identified'"
+// ```
 type denyFn struct{}
 
 func (a *denyFn) Init(_ plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/multimatch.go b/internal/actions/multimatch.go
index 07c37193c..52df2131c 100644
--- a/internal/actions/multimatch.go
+++ b/internal/actions/multimatch.go
@@ -8,6 +8,17 @@ import (
 	"github.com/corazawaf/coraza/v3/internal/corazawaf"
 )
 
+// Action Group: Non-disruptive
+//
+// Description:
+// Perform multiple operator invocations for every target, before and after every anti-evasion transformation is performed.
+// Normally, variables are inspected only once per rule, and only after all transformation functions have been completed.
+// With multiMatch, variables are checked against the operator before and after every transformation function that changes the input.
+//
+// Example:
+// ```
+// SecRule ARGS "attack" "phase1,log,deny,id:119,t:removeNulls,t:lowercase,multiMatch"
+// ```
 type multimatchFn struct{}
 
 func (a *multimatchFn) Init(r plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/rev.go b/internal/actions/rev.go
index fd2697a73..b35c5ccdd 100644
--- a/internal/actions/rev.go
+++ b/internal/actions/rev.go
@@ -8,6 +8,19 @@ import (
 	"github.com/corazawaf/coraza/v3/internal/corazawaf"
 )
 
+// Action Group: Metadata
+//
+// Description:
+// Specifies the rule revision. This action is used in combination with action `id` to allow the same rule ID to be used after changes,
+// and it can still provide some indication about the rule changes.
+//
+// Example:
+// ```
+//
+//	SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "(?:(?:[\;\|\`]\W*?\bcc|\b(wget|curl))\b|\/cc(?:[\'\"\|\;\`\-\s]|$))" \
+//		"phase:2,rev:'2.1.3',capture,t:none,t:normalizePath,t:lowercase,ctl:auditLogParts=+E,block,msg:'System Command Injection',id:'950907',tag:'WEB_ATTACK/COMMAND_INJECTION',tag:'WASCTC/WASC-31',tag:'OWASP_TOP_10/A1',tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.command_injection_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/COMMAND_INJECTION-%{matched_var_name}=%{tx.0},skipAfter:END_COMMAND_INJECTION1"
+//
+// ```
 type revFn struct{}
 
 func (a *revFn) Init(r plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/setenv.go b/internal/actions/setenv.go
index 3b208e166..5ee05abc5 100644
--- a/internal/actions/setenv.go
+++ b/internal/actions/setenv.go
@@ -12,6 +12,20 @@ import (
 	"github.com/corazawaf/coraza/v3/experimental/plugins/plugintypes"
 )
 
+// Action Group: Non-disruptive
+//
+// Description:
+// Creates, removes, and updates environment variables that can be accessed by the implementation.
+// > In a trained rule, the action will be executed when an individual rule matches (not the entire chain).
+//
+// Examples:
+// ```
+// SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))" "phase:3,t:none,pass,id:139,nolog,setvar:tx.sessionid=%{matched_var}"
+// SecRule TX:SESSIONID "!(?i:\;? ?httponly;?)" "phase:3,id:140,t:none,setenv:httponly_cookie=%{matched_var},pass,log,auditlog,msg:'AppDefect: Missing HttpOnly Cookie Flag.'"
+//
+// # In Apache
+// Header set Set-Cookie "%{httponly_cookie}e; HTTPOnly" env=httponly_cookie
+// ```
 type setenvFn struct {
 	key   string
 	value macro.Macro
diff --git a/internal/actions/t.go b/internal/actions/t.go
index 4b12bc4b4..4ee8da573 100644
--- a/internal/actions/t.go
+++ b/internal/actions/t.go
@@ -9,6 +9,17 @@ import (
 	"github.com/corazawaf/coraza/v3/internal/transformations"
 )
 
+// Action Group: Non-disruptive
+//
+// Description:
+// `t` is used to specify the transformation pipeline to use to transform the value of each variable used in the rule before matching.
+// Any transformation functions that you specify in a `SecRule` will be added to the previous ones specified in `SecDefaultAction`.
+// It is recommended that you always use `t:none` in your rules, which prevents them depending on the default configuration.
+//
+// Example:
+// ```
+// SecRule ARGS "(asfunction|javascript|vbscript|data|mocha|livescript):" "id:146,t:none,t:htmlEntityDecode,t:lowercase,t:removeNulls,t:removeWhitespace"
+// ```
 type tFn struct{}
 
 func (a *tFn) Init(r plugintypes.RuleMetadata, data string) error {

From 42734f87256553cac7d2163ffa8b28a61ec3b1f6 Mon Sep 17 00:00:00 2001
From: dextermallo <dextermallo@gmail.com>
Date: Thu, 22 Jun 2023 12:33:54 +0100
Subject: [PATCH 7/9] chore: update doc for
 auditlog/capture/noauditlog/nolog/redirect actions

---
 internal/actions/auditlog.go   | 10 ++++++++++
 internal/actions/capture.go    | 16 ++++++++++++++++
 internal/actions/noauditlog.go | 14 ++++++++++++++
 internal/actions/nolog.go      | 10 ++++++++++
 internal/actions/redirect.go   | 12 ++++++++++++
 5 files changed, 62 insertions(+)

diff --git a/internal/actions/auditlog.go b/internal/actions/auditlog.go
index 00bd1a3bd..d575dd4a5 100644
--- a/internal/actions/auditlog.go
+++ b/internal/actions/auditlog.go
@@ -8,6 +8,16 @@ import (
 	"github.com/corazawaf/coraza/v3/internal/corazawaf"
 )
 
+// Action Group: Non-disruptive
+//
+// Description:
+// Marks the transaction for logging in the audit log.
+//
+// Example:
+// ```
+// # The action is explicit if the log is specified.
+// SecRule REMOTE_ADDR "^192\.168\.1\.100$" "auditlog,phase:1,id:100,allow"
+// ```
 type auditlogFn struct{}
 
 func (a *auditlogFn) Init(r plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/capture.go b/internal/actions/capture.go
index ebbd8d2dd..bab58bd00 100644
--- a/internal/actions/capture.go
+++ b/internal/actions/capture.go
@@ -8,6 +8,22 @@ import (
 	"github.com/corazawaf/coraza/v3/internal/corazawaf"
 )
 
+// Action Group: Non-disruptive
+//
+// Description:
+// > This action is being forced by now, it might be reused in the future.
+//
+// When used together with the regular expression operator `@rx`,
+// `capture` creates a copy of the regular expression and places them into the transaction variable collection.
+// Up to 10 captures will be copied on a successful pattern match, each with a name consisting of a digit from 0 to 9.
+// The `TX.0` variable always contains the entire area that the regular expression matched.
+// All the other variables contain the captured values, in the order in which the capturing parentheses appear in the regular expression.
+//
+// Example:
+// ```
+// SecRule REQUEST_BODY "^username=(\w{25,})" phase:2,capture,t:none,chain,id:105
+// SecRule TX:1 "(?:(?:a(dmin|nonymous)))"
+// ```
 type captureFn struct{}
 
 func (a *captureFn) Init(r plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/noauditlog.go b/internal/actions/noauditlog.go
index 107c27170..a953a883b 100644
--- a/internal/actions/noauditlog.go
+++ b/internal/actions/noauditlog.go
@@ -8,6 +8,20 @@ import (
 	"github.com/corazawaf/coraza/v3/internal/corazawaf"
 )
 
+// Action Group: Non-disruptive
+//
+// Description:
+// Indicates that a successful match of the rule should not be used as criteria to determine whether the transaction should be logged to the audit log.
+// If the `SecAuditEngine` is set to `On`, all of the transactions will be logged.
+// If it is set to `RelevantOnly`, you can control the logging with the noauditlog action.
+// Action `noauditlog` affects only on the current rule. If you prevent audit logging in one rule only,
+// a match in another rule will still cause audit logging to take place.
+// If you want to prevent audit logging from taking place, regardless of whether any rule matches, use `ctl:auditEngine=Off`.
+//
+// Example:
+// ```
+// SecRule REQUEST_HEADERS:User-Agent "@streq Test" "allow,noauditlog,id:120"
+// ```
 type noauditlogFn struct{}
 
 func (a *noauditlogFn) Init(r plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/nolog.go b/internal/actions/nolog.go
index ca8b245eb..64d6cce42 100644
--- a/internal/actions/nolog.go
+++ b/internal/actions/nolog.go
@@ -8,6 +8,16 @@ import (
 	"github.com/corazawaf/coraza/v3/internal/corazawaf"
 )
 
+// Action Group: Non-disruptive
+//
+// Description:
+// Prevents rule matches from appearing in both error and audit logs.
+// Although nolog implies noauditlog, you can override the former by using `nolog,auditlog`.
+//
+// Example:
+// ```
+// SecRule REQUEST_HEADERS:User-Agent "@streq Test" "allow,nolog,id:121"
+// ```
 type nologFn struct{}
 
 func (a *nologFn) Init(r plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/redirect.go b/internal/actions/redirect.go
index 886ef2154..5ba2740b8 100644
--- a/internal/actions/redirect.go
+++ b/internal/actions/redirect.go
@@ -8,6 +8,18 @@ import (
 	"github.com/corazawaf/coraza/v3/types"
 )
 
+// Action Group: Disruptive
+//
+// Description:
+// Intercepts transaction by issuing an external (client-visible) redirection to the given location.
+// If the status action is presented on the same rule,
+// and its value can be used for a redirection (i.e., one of the following: 301, 302, 303, or 307),
+// the value will be used for the redirection status code. Otherwise, status code 302 will be used.
+//
+// Example:
+// ```
+// SecRule REQUEST_HEADERS:User-Agent "@streq Test" "phase:1,id:130,log,redirect:http://www.example.com/failed.html"
+// ```
 type redirectFn struct {
 	target string
 }

From 052c782915c9ce29c39ee16c96bdcaba50788d32 Mon Sep 17 00:00:00 2001
From: dextermallo <dextermallo@gmail.com>
Date: Thu, 22 Jun 2023 12:52:01 +0100
Subject: [PATCH 8/9] chore: update doc for drop/pass/setvar actions; wording

---
 internal/actions/drop.go   | 18 +++++++++++++++++
 internal/actions/pass.go   | 19 ++++++++++++++++++
 internal/actions/setenv.go |  2 +-
 internal/actions/setvar.go | 40 ++++++++++++++++++++++++++++++++++++++
 4 files changed, 78 insertions(+), 1 deletion(-)

diff --git a/internal/actions/drop.go b/internal/actions/drop.go
index 0184eb26e..828574635 100644
--- a/internal/actions/drop.go
+++ b/internal/actions/drop.go
@@ -8,6 +8,24 @@ import (
 	"github.com/corazawaf/coraza/v3/types"
 )
 
+// Action Group: Disruptive
+//
+// Description:
+// > This action depends on each implementation, the server is instructed to drop the connection.
+//
+// Initiates an immediate close of the TCP connection by sending a FIN packet.
+// This action is extremely useful when responding to both Brute Force and Denial of Service attacks,
+// which you may want to minimize the network bandwidth and the data returned to the client.
+// This action causes error message to appear in the log `(9)Bad file descriptor: core_output_filter: writing data to the network`
+//
+// Example:
+// ```
+// # The following example initiates an IP collection for tracking Basic Authentication attempts.
+// # If the client exceed the threshold of more than 25 attempts in 2 minutes, it will `DROP` the subsequent connections.
+// SecAction phase:1,id:109,initcol:ip=%{REMOTE_ADDR},nolog
+// SecRule ARGS:login "!^$" "nolog,phase:1,id:110,setvar:ip.auth_attempt=+1,deprecatevar:ip.auth_attempt=25/120"
+// SecRule IP:AUTH_ATTEMPT "@gt 25" "log,drop,phase:1,id:111,msg:'Possible Brute Force Attack'"
+// ```
 type dropFn struct{}
 
 func (a *dropFn) Init(_ plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/pass.go b/internal/actions/pass.go
index 21d7a86dd..165e12ed4 100644
--- a/internal/actions/pass.go
+++ b/internal/actions/pass.go
@@ -7,6 +7,25 @@ import (
 	"github.com/corazawaf/coraza/v3/experimental/plugins/plugintypes"
 )
 
+// Action Group: Disruptive
+//
+// Description:
+// Continues processing with the next rule in spite of a successful match.
+//
+// Example:
+// ```
+// SecRule REQUEST_HEADERS:User-Agent "@streq Test" "log,pass,id:122"
+//
+// # When using pass with a SecRule with multiple targets,
+// # all variables will be inspected and all non-disruptive actions trigger for every match.
+// # In the following example, the TX.test variable will be incremented once for every request parameter
+//
+// # Set TX.test to zero
+// SecAction "phase:2,nolog,pass,setvar:TX.test=0,id:123"
+//
+// # Increment TX.test for every request parameter
+// SecRule ARGS "test" "phase:2,log,pass,setvar:TX.test=+1,id:124"
+// ```
 type passFn struct{}
 
 func (a *passFn) Init(_ plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/setenv.go b/internal/actions/setenv.go
index 5ee05abc5..708631320 100644
--- a/internal/actions/setenv.go
+++ b/internal/actions/setenv.go
@@ -18,7 +18,7 @@ import (
 // Creates, removes, and updates environment variables that can be accessed by the implementation.
 // > In a trained rule, the action will be executed when an individual rule matches (not the entire chain).
 //
-// Examples:
+// Example:
 // ```
 // SecRule RESPONSE_HEADERS:/Set-Cookie2?/ "(?i:(j?sessionid|(php)?sessid|(asp|jserv|jw)?session[-_]?(id)?|cf(id|token)|sid))" "phase:3,t:none,pass,id:139,nolog,setvar:tx.sessionid=%{matched_var}"
 // SecRule TX:SESSIONID "!(?i:\;? ?httponly;?)" "phase:3,id:140,t:none,setenv:httponly_cookie=%{matched_var},pass,log,auditlog,msg:'AppDefect: Missing HttpOnly Cookie Flag.'"
diff --git a/internal/actions/setvar.go b/internal/actions/setvar.go
index 235819970..a372b4410 100644
--- a/internal/actions/setvar.go
+++ b/internal/actions/setvar.go
@@ -14,6 +14,46 @@ import (
 	"github.com/corazawaf/coraza/v3/types/variables"
 )
 
+// Action Group: Non-disruptive
+//
+// Description:
+// Creates, removes, or updates a variable. Variable names are **case-insensitive**.
+//
+// Example:
+// ```
+// # Create a variable and set its value to 1 (usually used for setting flags)
+// `setvar:TX.score`
+//
+// # Create a variable and initialize it at the same time,
+// `setvar:TX.score=10`
+//
+// # Remove a variable, prefix the name with an exclamation mark
+// `setvar:!TX.score`
+//
+// # Increase or decrease variable value, use + and - characters in front of a numerical value
+// `setvar:TX.score=+5`
+//
+// # Example from OWASP CRS:
+//
+//	SecRule REQUEST_FILENAME|ARGS_NAMES|ARGS|XML:/* "\bsys\.user_catalog\b" \
+//		"phase:2,rev:'2.1.3',capture,t:none,t:urlDecodeUni,t:htmlEntityDecode,t:lowercase,t:replaceComments,t:compressWhiteSpace,ctl:auditLogParts=+E, \
+//		block,msg:'Blind SQL Injection Attack',id:'959517',tag:'WEB_ATTACK/SQL_INJECTION',tag:'WASCTC/WASC-19',tag:'OWASP_TOP_10/A1',tag:'OWASP_AppSensor/CIE1', \
+//		tag:'PCI/6.5.2',logdata:'%{TX.0}',severity:'2',setvar:'tx.msg=%{rule.msg}',setvar:tx.sql_injection_score=+%{tx.critical_anomaly_score}, \
+//		setvar:tx.anomaly_score=+%{tx.critical_anomaly_score},setvar:tx.%{rule.id}-WEB_ATTACK/SQL_INJECTION-%{matched_var_name}=%{tx.0}"
+//
+// # When using in a chain, the action will be executed when an individual rule matches instead of the entire chain match.
+//
+//	SecRule REQUEST_FILENAME "@contains /test.php" "chain,id:7,phase:1,t:none,nolog,setvar:tx.auth_attempt=+1"
+//		SecRule ARGS_POST:action "@streq login" "t:none"
+//
+// # Increment every time that test.php is visited (regardless of the parameters submitted).
+// # If the desired goal is to set the variable only if the entire rule matches,
+// # it should be included in the last rule of the chain.
+//
+//	SecRule REQUEST_FILENAME "@streq test.php" "chain,id:7,phase:1,t:none,nolog"
+//		SecRule ARGS_POST:action "@streq login" "t:none,setvar:tx.auth_attempt=+1"
+//
+// ```
 type setvarFn struct {
 	key        macro.Macro
 	value      macro.Macro

From a35bdbf525d25a4bdee70476a330e8ba98a76e38 Mon Sep 17 00:00:00 2001
From: dextermallo <dextermallo@gmail.com>
Date: Thu, 22 Jun 2023 13:06:05 +0100
Subject: [PATCH 9/9] chore: update doc for allow/block/ctl actions

---
 internal/actions/allow.go | 37 +++++++++++++++++---------
 internal/actions/block.go | 39 +++++++++++++++++++++++++++
 internal/actions/ctl.go   | 56 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 120 insertions(+), 12 deletions(-)

diff --git a/internal/actions/allow.go b/internal/actions/allow.go
index 28e602952..139c2c827 100644
--- a/internal/actions/allow.go
+++ b/internal/actions/allow.go
@@ -11,7 +11,31 @@ import (
 	"github.com/corazawaf/coraza/v3/internal/corazawaf"
 )
 
-// 0 nothing, 1 phase, 2 request
+// Action Group: Disruptive
+//
+// Description:
+// Stops rule processing on a successful match and allows a transaction to be proceed.
+//
+// - Using solely: allow will affect the entire transaction.
+// stopping processing of the current phase but also skipping over all other phases apart from the logging phase.
+// (The logging phase is special; it is designed to be always execute.)
+// - Using with parameter `phase`: the engine will stop processing the current phase, and the other phases will continue.
+// - Using with parameter `request`: engine will stop processing the current phase, and the next phase to be processed will be phase `types.PhaseResponseHeaders`.
+//
+// Example:
+// ```
+// # Allow unrestricted access from 192.168.1.100
+// SecRule REMOTE_ADDR "^192\.168\.1\.100$" phase:1,id:95,nolog,allow
+//
+// # Do not process request but process response
+// SecAction phase:1,allow:request,id:96
+//
+// # Do not process transaction (request and response).
+// SecAction phase:1,allow,id:97
+//
+// # If you want to allow a response through, put a rule in phase RESPONSE_HEADERS and use allow
+// SecAction phase:3,allow,id:98
+// ```
 type allowFn struct {
 	allow corazatypes.AllowType
 }
@@ -30,17 +54,6 @@ func (a *allowFn) Init(_ plugintypes.RuleMetadata, data string) error {
 	return nil
 }
 
-// Evaluate Allow has the following rules:
-//
-// Example: `SecRule REMOTE_ADDR "^192\.168\.1\.100$" "phase:1,id:95,nolog,allow"`
-//
-//   - If used one its own, like in the example above, allow will affect the entire transaction,
-//     stopping processing of the current phase but also skipping over all other phases apart from the logging phase.
-//     (The logging phase is special; it is designed to always execute.)
-//   - If used with parameter "phase", allow will cause the engine to stop processing the current phase.
-//     Other phases will continue as normal.
-//   - If used with parameter "request", allow will cause the engine to stop processing the current phase.
-//     The next phase to be processed will be phase types.PhaseResponseHeaders.
 func (a *allowFn) Evaluate(r plugintypes.RuleMetadata, txS plugintypes.TransactionState) {
 	tx := txS.(*corazawaf.Transaction)
 	tx.AllowType = a.allow
diff --git a/internal/actions/block.go b/internal/actions/block.go
index 9495352fa..cc85438b3 100644
--- a/internal/actions/block.go
+++ b/internal/actions/block.go
@@ -7,6 +7,45 @@ import (
 	"github.com/corazawaf/coraza/v3/experimental/plugins/plugintypes"
 )
 
+// Action Group: Disruptive
+//
+// Description:
+// Performs the disruptive action defined by the previous `SecDefaultAction`.
+// This action is a placeholder to be used by rule writers to request a blocking action,
+// but without specifying how the blocking is to be done.
+// The idea is that such decisions are best left to rule users, as well as to allow users, to override blocking for their demands.
+// In future versions of Coraza, more control and functionality will be added to define "how" to block.
+//
+// Example:
+// ```
+// # Specify how blocking is to be done
+// SecDefaultAction "phase:2,deny,id:101,status:403,log,auditlog"
+//
+// # Detect attacks where we want to block
+// SecRule ARGS "@rx attack1" "phase:2,block,id:102"
+//
+// # Detect attacks where we want only to warn
+// SecRule ARGS "@rx attack2" "phase:2,pass,id:103"
+//
+// # It is possible to use the `SecRuleUpdateActionById` directive to override how a rule handles blocking.
+// # This is useful in three cases:
+//
+// # 1. If a rule has blocking hard-coded, and you want it to use the policy you determine.
+// # 2. If a rule was written to `block`, but you want it to warn only.
+// # 3. If a rule was written to only `warn`, but you want it to block.
+//
+// # The following example demonstrates the first case,
+// # in which the hard-coded block is removed in favor of the user-controllable block:
+//
+// # Specify how blocking is to be done
+// SecDefaultAction "phase:2,deny,status:403,log,auditlog,id:104"
+//
+// # Detect attacks and block
+// SecRule ARGS "@rx attack1" "phase:2,id:1,deny"
+//
+// # Change how rule ID 1 blocks
+// SecRuleUpdateActionById 1 "block"
+// ```
 type blockFn struct{}
 
 func (a *blockFn) Init(_ plugintypes.RuleMetadata, data string) error {
diff --git a/internal/actions/ctl.go b/internal/actions/ctl.go
index c062d2066..9bb0da00a 100644
--- a/internal/actions/ctl.go
+++ b/internal/actions/ctl.go
@@ -44,6 +44,62 @@ const (
 	ctlDebugLogLevel             ctlFunctionType = iota
 )
 
+// Action Group: Non-disruptive
+//
+// Description:
+// Change Coraza configuration on transient, per-transaction basis.
+// Any changes made using this action will affect only the transaction in which the action is executed.
+// The default configuration, as well as the other transactions running in parallel, will be unaffected.
+//
+// The following configuration options are supported:
+// - `auditEngine`
+// - `auditLogParts`
+// - `debugLogLevel`
+// - `forceRequestBodyVariable`
+// - `requestBodyAccess`
+// - `requestBodyLimit`
+// - `requestBodyProcessor`
+// - `responseBodyAccess`
+// - `responseBodyLimit`
+// - `ruleEngine`
+// - `ruleRemoveById`
+// - `ruleRemoveByMsg`
+// - `ruleRemoveByTag`
+// - `ruleRemoveTargetById`
+// - `ruleRemoveTargetByMsg`
+// - `ruleRemoveTargetByTag`
+// - `hashEngine` (**Not Supported in Coraza (TBI)**)
+// - `hashEnforcement` (**Not supported in Coraza (TBI)**)
+//
+// Here are some notes about the options:
+//
+//  1. Option `ruleRemoveTargetById`, `ruleRemoveTargetByMsg`, and `ruleRemoveTargetByTag`, users don't need to use the char ! before the target list.
+//
+//  2. Option `ruleRemoveById` is triggered at run time and should be specified before the rule in which it is disabling.
+//
+//  3. Option `requestBodyProcessor` allows you to configure the request body processor.
+//     By default, Coraza will use the `URLENCODED` and `MULTIPART` processors to process an `application/x-www-form-urlencoded` and a `multipart/form-data` body respectively.
+//     Other processors also supported: `JSON` and `XML`, but they are never used implicitly.
+//     Instead, you must tell Coraza to use it by placing a few rules in the `REQUEST_HEADERS` processing phase.
+//     After the request body is processed as XML, you will be able to use the XML-related features to inspect it.
+//     Request body processors will not interrupt a transaction if an error occurs during parsing.
+//     Instead, they will set the variables `REQBODY_PROCESSOR_ERROR` and `REQBODY_PROCESSOR_ERROR_MSG`.
+//     These variables should be inspected in the `REQUEST_BODY` phase and an appropriate action taken.
+//
+//  4. Option `forceRequestBodyVariable“ allows you to configure the `REQUEST_BODY` variable to be set when there is no request body processor configured.
+//     This allows for inspection of request bodies of unknown types.
+//
+// Example:
+// ```
+// # Parse requests with Content-Type "text/xml" as XML
+// SecRule REQUEST_CONTENT_TYPE ^text/xml "nolog,pass,id:106,ctl:requestBodyProcessor=XML"
+//
+// # white-list the user parameter for rule #981260 when the REQUEST_URI is /index.php
+//
+//		SecRule REQUEST_URI "@beginsWith /index.php" "phase:1,t:none,pass,\
+//	 	nolog,ctl:ruleRemoveTargetById=981260;ARGS:user"
+//
+// ```
 type ctlFn struct {
 	action     ctlFunctionType
 	value      string