Actions

Property

Description

Action

The action to take. Following are the values :

Block - Blocks the matched data using the specified strike character.
Encrypt - Encrypts the matched data and masks it with the specified strike character.
Replace - Replaces the matched data with a specified text string.
DropHit - Drops the current hit (no further action is taken). Any rule may have a drop hit action.
DropResponse - Drops the response from the current hit.
ReqSet - Sets or replaces the value for the specified name/value pair in the request. Creates the name/value pair if it doesn't exist. Also creates the specified section if is doesn't exist.
ReqAppend - Appends to the value of the specified name/value pair in the request. Creates the name/value pair if it doesn't exist. Also creates the specified section if it doesn't exist.
ReqDelete - Removes the specified name/value pair completely from the request. This does not remove the section, even if empty.

Key

key ID to use for encryption if Action=Encrypt.

Group

Group name (in the format domain\groupname) to use for encryption if Action=Encrypt.

Note: Use either Key or Group to specify the encryption key, not both.

Section

The section name of the data to act upon. If this is value that is set to response, then the response is processed. This can also be one of the following reserved names:

urlfield - Performs the action for the specified ValueName (or all if ValueName is omitted) for values in the urlfield section, QUERY_STRING, query string in RawRequest (if present) and the query string in HTTP_REFERER and the Referer request header and request body in RawRequest (if present).
cookies - Performs the action for the specified ValueName (or all if ValueName is omitted) for values in the [cookies] section, HTTP_COOKIE and HTTP_SET_COOKIE name-value pairs, Set-Cookies headers in the ResponseHeader section (if present), Set-Cookie headers in the response, and the [cookies] header in the RawRequest section (if present).
Note: If a Section is not specified in an action, then the entire request buffer (REQ) is used.

IgnoreSpecial

True or False value that is indicating whether to ignore special handling when urlfield or cookies is specified for the Section. Setting this to True allows StartPattern or StartPatternRE to be used in the urlfield or cookies sections. Default is False.

Field

One or more optional field names (name portion of the name-value pair). If both Field and ValueName are omitted, then the entire section is blocked/encrypted. This can also be one of the following reserved names:

body - If Section=response then, this value specifies the response body as the target. If Section=RawRequest, then the request body (if present) is processed.

ValueName

One or more names of values (in multi-value name-value pairs, such as HTTP_COOKIE) or the names of items when Section=urlfield or Section=cookies.

Invert

True or False value that is indicating whether to invert the action (perform on all fields or ValueNames EXCEPT the ones specified).

If ValueName is specified, then all except the name(s) specified in ValueName are processed.
If ValueName is not specified, then the name(s) specified for Field is/are excepted from the action.
Note: This can only be used with Block, Encrypt, and Replace actions. StartPattern and StartPatternRE cannot be used with an invert action.

StartPattern

The starting string pattern to search for within the specified data. The data immediately following the matching pattern is processed. If StartPattern is used, then you must also specify either EndPattern or Length, unless you set Inclusive to True. When Inclusive=True, the StartPattern (and optional EndPattern) are blocked/encrypted as well. This is useful for blocking or encrypting a constant data string.

StartPatternRE

Regular expression version of StartPattern. This can be used to specify a standard regular expression to define the starting pattern to find. You can use either StartPattern or StartPatternRE, but not both.

EndPattern

The string pattern which signals the end of the data that is matched by a StartPattern. The data up to, but not including, the EndPattern is processed (unless Inclusive=True).

EndPatternRE

Regular expression version of EndPattern. This can be used to specify a standard regular expression to define the ending pattern to find. You can use either EndPattern or EndPatternRE, but not both.

Length

Used in lieu of an EndPattern or EndPatternRE, this value specifies the length of the data (in bytes) to process following a matched StartPattern (or StartPatternRE).

Inclusive

True or False value that is indicating whether the StartPattern (or StartPatternRE) and (optional) EndPattern (or EndPatternRE) are blocked or encrypted. Default is False.

RepeatCount

This can be used for actions that have a StartPattern or StartPatternRE to specify how many instances of data that is matching the pattern is processed.

ReplaceString

The string that is used to replace the original data when Action=Replace.

CaseSensitive

True or False value that is indicating whether the searches for field names and/or patterns must be case-sensitive. Default is False. Setting this to True speeds up searches.

StrikeChar

The character that is used to replace the original data that is blocked or encrypted. This can be any alphanumeric character or symbol not included in the following list:

. (period)
, (comma)
/ (forward slash)
\ (backslash)
[(left square bracket)
] (right square bracket)
| (pipe)
'(single quotation mark)
" (double quotation mark)

StrikeLen

Optional length (in bytes) of strike data. This is the number of StrikeChar characters that are used to replace the original data (if Action=Block or Action=Encrypt).

If StrikeLen is longer than the original data length, then more strike characters are added.
If StrikeLen is shorter than the original data length, then StrikeLen characters are replaced with the StrikeChar and the remaining data is removed.
If StrikeLen is a negative number, then the number of characters represented by the absolute value of StrikeLen is left as-is. For example, to leave the last four characters or a value untouched, set StrikeLen=-4.
For more flexible options, see BlockingMask.

BlockingMask

An optional regular expression that specifies which characters in the found data are replaced with the strike character (does not apply to Replace action). All characters within a group (defined by parentheses) in the regular expression are replaced with the strike character. Characters that match part of the pattern outside of a group are not replaced. Examples: The following mask would block just the numbers in a Social Security Number, leaving the dashes visible:


BlockingMask=([0-9]{3})-([0-9]{2})-([0-9]{4})

This example would leave the first four digits of a credit card number visible:


BlockingMask=[0-9]{4}([0-9]*)

BlockingMask is used in lieu of StrikeLen. You can use one or the other, but not both.

Note: Be careful when you use BlockingMask. If the data does not match the regular expression that is specified for BlockingMask, then the data is not blocked or encrypted.

ReqSetSection

Specifies the section for the name-value pair for a ReqSet, ReqAppend, or ReqDelete action. ReqSetSection is required for these three actions.

ReqSetField

Specifies the name of a name-value pair for a ReqSet, ReqAppend, or ReqDelete action. ReqSetField is required for these three actions.

ReqSetResult

This option is used in conjunction with StartPatternRE to produce a formatted value for a ReqSet or ReqAppend action. The StartPatternRE expression should contain one or more "groups", defined by parentheses within the regular expression. ReqSetResult is a string containing literal text and placeholders for the data captured by StartPatternRE. Examples:


StartPatternRE=name="(.*?)" value="(.*?)"
ReqSetResult=Field
{g1} value: {g2}

Would result in a following value like:


Field name value: Bob

The first placeholder, {g1}, is replaced with the value from the first group in the regular expression. {g2} gets the second value, and so on. The result string is then used as the value for the ReqSet or ReqAppend action.