I'm using the default Core ModSecurity Rule Set ver.1.6.0 and set the default action to:

SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replaceNulls,t:compressWhitespace"

I then sent a test XSS request like: http://target/?<script>alert('xss')</script> which shows up in the logs as an XSS attack, but I get a 200 response back as opposed to a 403 response. How can I debug this problem?

Thanks