ModSecurity only shows a warning but does not block?
I am using CRS 4.3.0.
I tried to test whether it is active:
curl 'https://example.com/?foo=/etc/passwd&bar=/bin/sh'
curl : The remote server returned an error: (403) Forbidden.
However, when using another approach by requesting this URL:
curl 'https://example.com/.bash_'
ModSecurity only shows this log:
ModSecurity: Warning. Matched "Operator PmFromFile' with parameter restricted-files.data' against variable REQUEST_FILENAME' (Value: /.bash_' ) [file "/etc/apache2/modsecurity.d/owasp-crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "124"] [id "930130"] [rev ""] [msg "Restricted File Access Attempt"] [data "Matched Data: .bash_ found within REQUEST_FILENAME: /.bash_"] [severity "2"] [ver "OWASP_CRS/4.3.0"] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "example.com"] [uri "/.bash_"] [unique_id "171876508270.997608"] [ref "o1,6v4,7t ,t ,t "]
SecRuleEngine On
Apache version: Apache/2.4.41
Content of init.conf:
Include "/etc/apache2/modsecurity.d/modsecurity.conf"
#Include "/etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf"
#Include "/etc/apache2/modsecurity.d/owasp-crs/rules/*.conf"
Include /etc/apache2/modsecurity.d/owasp-crs/crs-setup.conf
Include /etc/apache2/modsecurity.d/owasp-crs/plugins/*-config.conf
Include /etc/apache2/modsecurity.d/owasp-crs/plugins/*-before.conf
Include /etc/apache2/modsecurity.d/owasp-crs/rules/*.conf
Include /etc/apache2/modsecurity.d/owasp-crs/plugins/*-after.conf
After more digging, I found that the score from one rule still does not reach the accumulated threshold, as the default is an anomaly score of 7.
Based on this reference: https://github.com/SpiderLabs/OWASP-CRS-Documentation/blob/master/anomaly.rst, I have configured this in crs-setup.conf:
SecAction \
"id:'900003',\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:tx.sql_injection_score_threshold=15,\
setvar:tx.xss_score_threshold=15,\
setvar:tx.rfi_score_threshold=1,\
setvar:tx.lfi_score_threshold=1,\
setvar:tx.rce_score_threshold=1,\
setvar:tx.command_injection_score_threshold=5,\
setvar:tx.php_injection_score_threshold=5,\
setvar:tx.http_violation_score_threshold=5,\
setvar:tx.trojan_score_threshold=5,\
setvar:tx.session_fixation_score_threshold=5,\
setvar:tx.inbound_anomaly_score_threshold=5,\
setvar:tx.outbound_anomaly_score_threshold=4"
Pay attention to this:
setvar:tx.lfi_score_threshold=1,\
setvar:tx.rce_score_threshold=1,\
But after trying again with this: curl 'https://example.com/.bash_'
It only warns and does not block, although logically it has reached the threshold.
Any guidance, please?
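For comparison, below is the shape of the threshold configuration that CRS 4.x actually reads. This is an added example for this page, not the original post's configuration and not a verbatim copy of the CRS project's file: the rule ids 900100 and 900110 and the tx variable names are the ones CRS 4.x ships in crs-setup.conf and compares in rule 949110 (rules/REQUEST-949-BLOCKING-EVALUATION.conf); the numeric values shown are the 4.x defaults. The per-category variables from the linked anomaly.rst (tx.lfi_score_threshold, tx.rce_score_threshold and the rest) date from CRS 2.x and are not referenced by any 4.x rule, so setting them changes nothing; only the two aggregate thresholds matter.

```apache
# crs-setup.conf fragment for CRS 4.x (added example, not the post's own config).
# Every matched CRS rule passes and logs "ModSecurity: Warning."; it only adds
# points to the request's inbound anomaly score according to its severity.
# Rule 949110 then denies the request (status 403) once the summed score is
# greater than or equal to tx.inbound_anomaly_score_threshold.

# Points awarded per severity. These are the shipped defaults; a rule with
# severity "2" (CRITICAL), such as 930130 in the log above, adds
# tx.critical_anomaly_score points, i.e. 5 with these values.
SecAction \
    "id:900100,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/4.3.0',\
    setvar:tx.critical_anomaly_score=5,\
    setvar:tx.error_anomaly_score=4,\
    setvar:tx.warning_anomaly_score=3,\
    setvar:tx.notice_anomaly_score=2"

# The only two thresholds the 4.x blocking rules consult. Shipped defaults are
# 5 inbound (so a single CRITICAL match already reaches it) and 4 outbound.
# Both SecActions must run in phase 1 before the rules/*.conf files are
# loaded, which the Include order in init.conf above already guarantees.
SecAction \
    "id:900110,\
    phase:1,\
    pass,\
    t:none,\
    nolog,\
    tag:'OWASP_CRS',\
    ver:'OWASP_CRS/4.3.0',\
    setvar:tx.inbound_anomaly_score_threshold=5,\
    setvar:tx.outbound_anomaly_score_threshold=4"
```

After editing, validate with `apachectl configtest` and reload. When blocking does happen, it does not change the per-rule "Warning." lines; it appears as an additional error-log line from rule 949110 beginning "ModSecurity: Access denied with code 403 (phase 2)" with the message "Inbound Anomaly Score Exceeded" and the total score. Grepping the error log for `id "949110"` after a test request is therefore the quickest way to tell whether the blocking evaluation rule ran at all, as opposed to a single detection rule merely scoring.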