Add/Edit Actions

At the top of the Action Details page, you can review the name of the action and the rules in which it is referenced, as well as the currently configured properties.

Setting

Description

Name

The name of the action.

Description

User-readable description of the action, which also displayed in privacy.cfg.

Invert Action

True or False value that is indicating whether to invert the action (perform the action on all fields or Value Names EXCEPT the ones specified).

If Value Name is specified, then all except the name(s) specified in Value Name are processed.
If Value Name is not specified, then the name(s) specified for Field is/are excepted from the action.
Note: This can only be used with Block, Encrypt, and Replace actions. Start Pattern and Start Pattern RE cannot be used with an Invert action.

Action

The action to take. This can be one of the following value:

Block - Blocks the matched data using the specified strike character.
Encrypt - Encrypts the matched data and masks it with the specified strike character.
Replace - Replaces the matched data with a specified text string.
DropHit - Drops the current hit (no further action is taken).
DropResponse - Drops the response from the current hit.
ReqSet - Sets or replaces the value for the specified name/value pair in the request. Creates the name/value pair if it doesn't exist. Also creates the specified section if is doesn't exist.
ReqAppend - Appends to the value of the specified name/value pair in the request. Creates the name/value pair if it doesn't exist. Also creates the specified section if it doesn't exist.
ReqDelete - Removes the specified name/value pair completely from the request. This does not remove the section, even if empty.

Key

key ID to use for encryption if Action=Encrypt.

Section

The section name of the data to act upon. If this is set to response, then the response is processed. This can also be one of the following reserved names:

urlfield - Performs the action for the specified Value Name(s) (or all if Value Name is omitted) for values in the urlfield section, QUERY_STRING, query string in RawRequest (if present) and the query string in HTTP_REFERER and the Referer request header and request body in RawRequest (if present).
cookies - Performs the action for the specified Value Name(s) (or all if Value Name is omitted) for values in the [cookies] section, HTTP_COOKIE and HTTP_SET_COOKIE name-value pairs, Set-Cookies headers in the ResponseHeader section (if present), Set-Cookie headers in the response, and the [cookies] header in the RawRequest section (if present).
Note: If a Section is not specified in an action, then the entire request buffer (REQ) is used.

Field

One or more optional field names (name portion of the name-value pair). If both Field and Value Name are omitted, then the entire section is blocked/encrypted. This can also be one of the following reserved names:

body - If Section=response. then this specifies the response body as the target. If Section=RawRequest. then the request body (if present) is processed.

Value Name

One or more names of values (in multi-value name-value pairs, such as HTTP_COOKIE) or the names of items when Section=urlfield or Section=cookies.

Start Pattern

The starting string pattern to search for within the specified data. The data immediately following the matching pattern is processed. If Start Pattern is used, then you must also specify either End Pattern or Strike Length, unless you set Inclusive=True. If set, then the

Start
Pattern

and optional End Pattern are blocked/encrypted as well. This is useful for blocking or encrypting a constant data string.

Start Pattern RE

Regular expression version of Start Pattern. This can be used to specify a standard regular expression to define the starting pattern to find. You can use either Start Pattern or

Start
Pattern RE

, but not both.

End Pattern

The string pattern which signals the end of the data that is matched by a Start Pattern. The data up to, but not including, the End Pattern is processed (unless Inclusive=True).

End Pattern RE

Regular expression version of End Pattern. This can be used to specify a standard regular expression to define the ending pattern to find. You can use either End Pattern or

End
Pattern RE

, but not both.

Strike Character

The character that is used to replace the original data that is blocked or encrypted. This can be any alphanumeric character or symbol not included in the following list:

. (period)
, (comma)
/ (forward slash)
\ (backslash)
[(left square bracket)
] (right square bracket)
| (pipe)
' (single quote)
" (double quote)

Strike Length

Optional length (in bytes) of strike data. This is the number of Strike Character characters that are used to replace the original data (if Action=Block or Action=Encrypt).

If Strike Length is longer than the original data length, then more strike characters are added.
If Strike Length is shorter than the original data length, then Strike Length characters are replaced with the Strike Character and the remaining data is removed.
If Strike Length is a negative number, then the number of characters represented by the absolute value of Strike Length is left as-is. For example, to leave the last four characters or a value untouched, set Strike Length=-4. (see Blocking Mask for more flexible blocking options.)

Inclusive

True or False value that is indicating whether the Start Pattern (or

Start
Pattern RE

) and (optional) End Pattern (or

End
Pattern RE

) are blocked or encrypted. Default is False.

Repeat Count

This can be used for actions that have a Start Pattern or

Start
Pattern RE

to specify how many instances of data that is matching the pattern are processed.

Blocking Mask

An optional regular expression that specifies which characters in the found data are replaced with the strike character (does not apply to Replace action). All character within a group (defined by parentheses) in the regular expression is replaced with the strike character.

Characters that match part of the pattern outside of a group are not replaced. For example, the following mask would block just the numbers in a Social Security Number, leaving the dashes visible:
```
BlockingMask=([0-9]{3})-([0-9]{2})-([0-9]{4})
```
This example would leave the first four digits of a credit card number visible:
```
BlockingMask=[0-9]{4}([0-9]*)
```
Blocking Mask is used in lieu of Strike Length. You can use one or the other, but not both.

Note: Be careful when you use Blocking Mask. If the data does not match the regular expression that is specified for Blocking Mask, then the data is not blocked or encrypted.

Replace String

The string that is used to replace the original data when Action=Replace.

Length (bytes)

Used in lieu of an End Pattern or

End
Pattern RE

, this value specifies the length of the data (in bytes) to process following a matched Start Pattern (or Start Pattern RE).

Case Sensitive

True or False value that is indicating whether the searches for field names and/or patterns must be case-sensitive. Default is False. Setting this to True speeds up searches.

Ignore Special

True or False value that is indicating whether to ignore special handling when urlfield or cookies is specified for the Section. Setting to True allows

Start
Pattern

or Start Pattern RE to be used in the urlfield or cookies sections. Default is False.

ReqSetSection

Specifies the section for the name-value pair for a ReqSet, ReqAppend, or ReqDelete action. ReqSetSection is required for these three actions.

ReqSetField

Specifies the name of a name-value pair for a ReqSet, ReqAppend, or ReqDelete action. ReqSetField is required for these three actions.

ReqSetResult

This option is used with Start Pattern RE to produce a formatted value for a ReqSet or ReqAppend action. The Start Pattern RE expression must contain one or more "groups", defined by parentheses within the regular expression. ReqSetResult is a string that is containing literal text and placeholders for the data that is captured by Start Pattern RE. For example:


StartPatternRE=name="(.*?)" value="(.*?)"
ReqSetResult=Field
{g1} value: {g2}

The code might give following result:


Field name value: Bob

The first placeholder, {g1}, is replaced with the value from the first group in the regular expression. {g2} gets the second value, and so on. The result string is then used as the value for the ReqSet or ReqAppend action.