The configuration options for actions are the following.
Name/Action section
- Option
- Description
-
Name
- Enter a name for the action. This name must be unique among all action.
-
Action
- Identifies the action to be performed. The available actions are available:
-
Block
- Blocks the matched data using the specified strike character. -
Encrypt
- Encrypts the matched data and masks it with the specified strike character. -
Replace
- Replaces the matched data with a specified text string. -
DropHit
- Drops the current hit. No further action is taken. -
DropResponse
- Drops the response from the current hit. -
ReqSet
- Sets or replaces the value for the specified name/value pair in the request. Creates the name/value pair if it doesn't exist. Also creates the specified section if it doesn't exist. Actions of this type are buffered. -
ReqAppend
- Appends to the value of the specified name/value pair in the request. Creates the name/value pair if it doesn't exist. Also creates the specified section if it doesn't exist. Actions of this type are buffered. -
ReqDelete
- Removes the specified name/value pair completely from the request. This does not remove the section, even if it is empty. Actions of this type are buffered.
-
-
Encryption Key
- When Action is set to
Encrypt
, theEncryption Key
option is used to specify the key ID of the privacy key to use for encryption. This ID should correspond to the key ID for the group whose members should be able to decrypt the data when replaying the session.Note: To specify the encryption key, either Key or Group may be used, but not both. -
Group
- When Action is set to
Encrypt
, the Group option is used to specify the group name whose privacy key is used for encryption and whose members should be able to decrypt the data when replaying the session. The specified group must already have a privacy key using TMS and must be specified in the formatdomain\groupname
. For example, a group namedadmin
in the Windows™ domainoperations
is specified as follows:Group=operations\admin
Note: To specify the encryption key, either Key or Group may be used, but not both.
Destination section
- Option
- Description
-
Section
- The Section option is used to identify the name of the section containing the
data to process. It can be one of the section names in the request file (e.g.,
[env]
) or one of the following reserved names:-
response
- Specifies that the response should be searched for the specified data. -
urlfield
- Performs the action for the specified Value Name(s) (or all if Value Name is omitted) for values in the urlfield section, QUERY_STRING, query string in RawRequest (if present), query string in HTTP_REFERER and the Referer request header, and request body in RawRequest (if present). The name of the urlfield field(s) to process should be specified using Value Name. -
cookie
- Performs the action for the specified Value Name(s) (or all if Value Name is omitted) for values in the cookie section, HTTP_COOKIE and HTTP_SET_COOKIE name/value pairs, Set-Cookies headers in the ResponseHeader section (if present), Set-Cookie headers in the response, and the Cookie header in the RawRequest section (if present). The name of the cookie(s) to process should be specified using Value Name.Note: If a Section is not specified in an action, then the entire request buffer is used.Note: When editing a Section value in raw mode through TMS, do not use double-quotes ("
) in the Section name.
-
-
Ignore Special
- This Boolean value indicates whether to ignore special handling when
urlfield
orcookie
is specified for theSection
(see above).- When
true
, Start Pattern can be used in the[urlfield]
and[cookie]
sections. - The default value is
false
.
- When
-
Field
- The Field option is used to optionally specify one or more comma-separated
field names. If both Field and Value Name are omitted, then the entire
section (specified by the Section parameter) is blocked or encrypted. Note: When blocking or encrypting an
[xmlN]
section of the request, you cannot useField
andValue Name
combinations to specify the data, due to the different formatting in these sections. You must useStart Pattern
andStart Pattern RE
to specify the content to block or encrypt.The value of Field can either be a field name (name portion of a name/value pair) or one of the following reserved names:
-
body
:- If
Section=response
, then the body of the response is processed, not including response headers. - If
Section=RawRequest
and the RawRequest section is present, then the request body is processed, if it is present.
- If
- To include a specific header in the response, enter the name of the header
for the
Field
value.Note: To apply privacy to response header fields, omit the colon from the field name. For example, usex-mydatafield
, instead ofx-mydatafield:
. - Leave
Field
value empty to include the entire header section.
-
-
Value Name
- Value Name is used to optionally specify one or more value names.
- If
Section=urlfield
, then this option specifies the urlfield names to be processed. - If
Section=cookie
, then this option is used to specify the cookie(s) to process.Note: When blocking or encrypting an[xmlN]
section of the request, you cannot useField
andValue Name
combinations to specify the data, due to the different formatting in these sections. You must useStart Pattern
andStart Pattern RE
to specify the content to block or encrypt. - Else, Value Name specifies the name portion of a name/value pair within the value of a request
field or response header (if
Section=response
).
- If
-
Invert Action
-
true
orfalse
value indicating whether to invert the action. When enabled, this option performs the action on all Fields or Value Names except the ones specified.- If Value Name is specified, then all except the name(s) specified in Value Name are processed.
- If Value Name is not specified then the name(s) specified for Field is/are excepted from the
action. Note: This can only be used with Block, Encrypt and Replace actions. Start Pattern may not be used with an invert action.
Pattern Expression section
- Option
- Description
-
Start Pattern
- Start Pattern is used for text matching within regions of data,
such as the response body, an XML block in the request, or a long
value for a name/value pair. The data (specified by Section, Field
and Value Name) is searched for the string specified by Start Pattern.
If Start Pattern is used, then you must also specify either End Pattern
or Length, unless you set Inclusive to
true
. WhenInclusive=true
, then the Start Pattern and optional End Pattern are blocked/encrypted as well. This option is useful for blocking or encrypting a constant data string. IfInclusive=false
, then the Start Pattern is not processed. -
End Pattern
- The End Pattern option specifies the string pattern which signals
the end of the data matched by a Start Pattern. All data from Start
Pattern to End Pattern is processed, if
Inclusive=true
. IfInclusive=false
, the pattern strings are not included. -
Regular Expression?
- If the
Start Pattern
orEnd Pattern
value represents a regular expression, set this value totrue
. -
Inclusive
- The Inclusive option identifies whether to block or encrypt the
Start Pattern and End Pattern (if used), along with any data processed
as part of a Start Pattern search. The default value is
false
. -
Repeat Count
- For actions with a Start Pattern, this option specifies how many instances of data matching the pattern to process.
Replacement section
- Option
- Description
-
Strike Character
- Strike Character is used to replace the original data that is
blocked or encrypted with an alphanumeric character. The following
values cannot be used as Strike Character:
-
.
- (period) -
,
- (comma) -
/
- (forward slash) - (backslash)
-
[
- (left square bracket) -
]
- (right square bracket) -
|
- (pipe) -
'
- (single quote) -
"
- (double quote)
-
-
Strike Length
- Strike Length is used to specify the length in bytes of the matched data to
strike. This option is the number of Strike Character characters used to replace the original data
(if
Action=Block
orAction=Encrypt
). If Strike Length is longer than the original data length, then additional strike characters are added. If Strike Length is shorter than the original data length, then Strike Length characters are replaced with the Strike Character and the remaining data is removed.If Strike Length is a negative number, then the number of characters represented by the absolute value of Strike Length is retained. For example, to leave the last four characters of a value untouched, set
Strike Length=-4
. -
Blocking Mask
- An optional regular expression that specifies which characters in the found data
are replaced with the strike character. All characters within a group, as defined by parentheses, in
the regular expression are replaced with the strike character. Characters that match part of the
pattern outside of a group are not replaced. This option does not apply to Replace actions.
For example, the following mask would block the numbers in a Social Security Number, leaving the dashes visible:
BlockingMask=([0-9] {3} )-(--[0-9]- {2} -)-([0-9] {4})
The following example leaves the first 4 digits of a credit card number visible:
BlockingMask=[0-9]{4} ([0-9]\*)
Blocking Mask is used in lieu of Strike Length. You may use one or the other, but not both.
Note: Be careful when using Blocking Mask. If the data does not match the regular expression specified for Blocking Mask then the data is not blocked or encrypted. -
Replace String
- The string used to replace the original data when
Action=Replace
.
Matching Options section
- Option
- Description
-
Case Sensitive
-
true
orfalse
value indicating whether the searches for should be case-sensitive. Default isfalse
. Setting this totrue
accelerates searches. -
Length (bytes)
- Used in lieu of an End Pattern, the Length option specifies the
length of the data (in bytes) to process following a matched Start
Pattern. If
Inclusive=true
, then the length of the Start Pattern is not taken into account, even though it is also processed.
Request Operations section
- Option
- Description
-
ReqSet Section
- This option is used to specify the section for the name/value pair for a ReqSet, ReqAppend or ReqDelete action. ReqSet Section is required for these three actions.
-
ReqSet Field
- ReqSet Field specifies the name of a name/value pair for a ReqSet, ReqAppend or ReqDelete action. ReqSet Field is required for these three actions.
-
ReqSet Result
- When the start pattern is a regular expression, this option is used to produce a
formatted value for a ReqSet or ReqAppend action. The Start Pattern expression should contain one or
more "groups", defined by parentheses within the regular expression. ReqSet Result is a string
containing literal text and placeholders for the data captured by the start pattern. For example:
Start Pattern=name="(.*?)" value="(.*?)" ReqSet Result=Field {g1} value: {g2}
Results in a value like the following:
Field-Foo-value: Bob
The first placeholder (
g1
) is replaced with the value from the first group in the regular expression.g2
gets the second value, and so on. The result string is then used as the value for the ReqSet or ReqAppend action. -
MD5
- The MD5 true/false setting denotes whether the resulting data captured by the
rule should be MD5 encoded. The default value is
false
.Note: The MD5 option can be applied only if the Extended Privacy session agent is used. -
Checksum
- The Checksum true/false setting denotes whether the resulting data captured by
the rule should have an Adler32 checksum applied to it. This checksum handles several cases not
traditionally handled by checksums such as multiple errors that sum to 0 or rearranging of
characters in the sequence.
The Checksum value is useful for comparing sensitive data where the user wants a low possibility of reverse lookup to obtain the original value. A good application of the Checksum value is to allow comparison of multiple attempts at entering a password. If the user mis-types the password from hit to hit, the Checksum will allow this case to be recorded without the password being revealed. In simply blocking the password data, you would not be able to compare subsequent hits to reveal the multiple attempts at entering the password. The default value is
false
.
- For ReqSet and ReqAppend, the value to set or append can be specified
a couple different ways:
- You can use a literal string by setting Replace String to the desired text.
- You can pull data from the request or response using Section, Field, Value Name, Start Pattern or End Pattern or both.
- When using Start Pattern with one of these actions, the Repeat
Count is always set to
1
, which means that the first match is always used. - Ignore Special is always
true
for these actions when Section is specified. There is no special handling for the urlfield or cookie sections with these actions. - To clear the value for a field (name/value pair) without removing
the entire field, set Replace String to an empty value:
Replace String=
- All carriage-returns and linefeeds in the value string are replaced
with
\r
and\n
, respectively. - Privacy changes are queued and applied after all actions are complete,
which means that actions normally see the original data. ReqSet, ReqAppend
and ReqDelete keep track of field additions, changes and deletions,
so multiple changes to a single field can be done safely. For example,
you can add a field and then concatenate additional data to the value.
Changes made to field values are best done using ReqSet and ReqAppend.
- Since the Replace action can affect any arbitrary piece of data in the request or response, it is not included in this change tracking.
- When using Field or Value Name with ReqSet or ReqAppend, you should specify only a single field or value name. If there are multiple names, the value for the last found item is used.
- For a ReqSet or ReqAppend, you should avoid specifying only a section to retrieve the value, which results in the value from the last field (name/value pair) in the section used for the ReqSet or ReqAppend.