Rules

Property

Description

Enabled

True or False value which specifies whether this rule is active.

Tests

One or more test names which correspond to the names of test sections. The specified tests are evaluated to determine whether the actions is run for the rule. If no test is specified (and no embedded test specified as described below), then the actions are run for every hit.

TestOp

Logical operator to use when multiple tests are specified. Possible values are AND and OR.

• If TestOp=AND, then all tests must return True for the actions to be processed.
• If TestOp=OR, then the actions are processed if any of the tests return True.

Not

True or False value. If True, then the result of the test evaluation is inverted (logical NOT).

StopProcessing

True or False value that is indicating whether to stop processing further rules if this rule evaluates to True.

Actions

One or more action names which correspond to the names of action sections to process if this rule returns True.

ReqField

Name portion of a name-value pair. This can also be one of the following reserved names:

• TL_URLEXT
• TL_URLTAIL
• TL_VIRTUALDIR

ReqOp

Operation to perform - options are:

• EQ or =
• NE or != or <>
• GT or >
• LT or <
• CONTAINS
• PARTOF
• PARTOFLIST

ReqVal

Literal value or field name (set ReqValIsField=True for field name). When ReqOp=PARTOFLIST, this value must specify a list of values separated either by a semicolon or another delimiter (specified using ListDelimiter).

ReqValIsField

True or False indicating whether ReqVal contains a fieldname.

ListDelimiter

The character that is used to separate list items in ReqVal when you use ReqOp=PARTOFLIST. The default is a semicolon, ;.

CaseSensitive

True or False value indicating whether the searches for field names must be case-sensitive. Default is False. Setting this to True speeds up searches.

Tests

Property

Description

ReqField

Name portion of a name-value pair. This can also be one of the following reserved names:

• TL_URLEXT
• TL_URLTAIL
• TL_VIRTUALDIR

ReqOp

Operation to perform - options are:

• EQ or =
• NE or != or <>
• GT or >
• LT or <
• CONTAINS
• PARTOF
• PARTOFLIST

ReqVal

Literal value or field name (set ReqValIsField=True for field name). If ReqOp=PARTOFLIST, this value must specify a list of values that are separated either by a semicolon or another delimiter (specified by using ListDelimiter).

ReqValIsField

True or False indicating whether ReqVal contains a field name.

ListDelimiter

The character that is used to separate list items in ReqVal when ReqOp=PARTOFLIST. The default is a semicolon, ;.

CaseSensitive

True or False value that is indicating whether the searches for field names must be case-sensitive. Default is False. Setting this to True speeds up searches.

Not

True or False value. If set to True, then the result of the test evaluation is inverted (logical NOT).

Actions

Property

Description

Action

The action to take. Following are the values :

• Block - Blocks the matched data using the specified strike character.
• Encrypt - Encrypts the matched data and masks it with the specified strike character.
• Replace - Replaces the matched data with a specified text string.
• DropHit - Drops the current hit (no further action is taken). Any rule may have a drop hit action.
• DropResponse - Drops the response from the current hit.
• ReqSet - Sets or replaces the value for the specified name/value pair in the request. Creates the name/value pair if it doesn't exist. Also creates the specified section if is doesn't exist.
• ReqAppend - Appends to the value of the specified name/value pair in the request. Creates the name/value pair if it doesn't exist. Also creates the specified section if it doesn't exist.
• ReqDelete - Removes the specified name/value pair completely from the request. This does not remove the section, even if empty.

Key

key ID to use for encryption if Action=Encrypt.

Group

Group name (in the format domain\groupname) to use for encryption if Action=Encrypt.

Note: Use either Key or Group to specify the encryption key, not both.

Section

The section name of the data to act upon. If this is value that is set to response, then the response is processed. This can also be one of the following reserved names:

• urlfield - Performs the action for the specified ValueName (or all if ValueName is omitted) for values in the urlfield section, QUERY_STRING, query string in RawRequest (if present) and the query string in HTTP_REFERER and the Referer request header and request body in RawRequest (if present).
• cookies - Performs the action for the specified ValueName (or all if ValueName is omitted) for values in the [cookies] section, HTTP_COOKIE and HTTP_SET_COOKIE name-value pairs, Set-Cookies headers in the ResponseHeader section (if present), Set-Cookie headers in the response, and the [cookies] header in the RawRequest section (if present).
  Note: If a Section is not specified in an action, then the entire request buffer (REQ) is used.

IgnoreSpecial

True or False value that is indicating whether to ignore special handling when urlfield or cookies is specified for the Section. Setting this to True allows StartPattern or StartPatternRE to be used in the urlfield or cookies sections. Default is False.

Field

One or more optional field names (name portion of the name-value pair). If both Field and ValueName are omitted, then the entire section is blocked/encrypted. This can also be one of the following reserved names:

• body - If Section=response then, this value specifies the response body as the target. If Section=RawRequest, then the request body (if present) is processed.

ValueName

One or more names of values (in multi-value name-value pairs, such as HTTP_COOKIE) or the names of items when Section=urlfield or Section=cookies.

Invert

True or False value that is indicating whether to invert the action (perform on all fields or ValueNames EXCEPT the ones specified).

• If ValueName is specified, then all except the name(s) specified in ValueName are processed.
• If ValueName is not specified, then the name(s) specified for Field is/are excepted from the action.
  Note: This can only be used with Block, Encrypt, and Replace actions. StartPattern and StartPatternRE cannot be used with an invert action.

StartPattern

The starting string pattern to search for within the specified data. The data immediately following the matching pattern is processed. If StartPattern is used, then you must also specify either EndPattern or Length, unless you set Inclusive to True. When Inclusive=True, the StartPattern (and optional EndPattern) are blocked/encrypted as well. This is useful for blocking or encrypting a constant data string.

StartPatternRE

Regular expression version of StartPattern. This can be used to specify a standard regular expression to define the starting pattern to find. You can use either StartPattern or StartPatternRE, but not both.

EndPattern

The string pattern which signals the end of the data that is matched by a StartPattern. The data up to, but not including, the EndPattern is processed (unless Inclusive=True).

EndPatternRE

Regular expression version of EndPattern. This can be used to specify a standard regular expression to define the ending pattern to find. You can use either EndPattern or EndPatternRE, but not both.

Length

Used in lieu of an EndPattern or EndPatternRE, this value specifies the length of the data (in bytes) to process following a matched StartPattern (or StartPatternRE).

Inclusive

True or False value that is indicating whether the StartPattern (or StartPatternRE) and (optional) EndPattern (or EndPatternRE) are blocked or encrypted. Default is False.

RepeatCount

This can be used for actions that have a StartPattern or StartPatternRE to specify how many instances of data that is matching the pattern is processed.

ReplaceString

The string that is used to replace the original data when Action=Replace.

CaseSensitive

True or False value that is indicating whether the searches for field names and/or patterns must be case-sensitive. Default is False. Setting this to True speeds up searches.

StrikeChar

The character that is used to replace the original data that is blocked or encrypted. This can be any alphanumeric character or symbol not included in the following list:

• . (period)
• , (comma)
• / (forward slash)
• \ (backslash)
• [(left square bracket)
• ] (right square bracket)
• | (pipe)
• '(single quotation mark)
• " (double quotation mark)

StrikeLen

Optional length (in bytes) of strike data. This is the number of StrikeChar characters that are used to replace the original data (if Action=Block or Action=Encrypt).

• If StrikeLen is longer than the original data length, then more strike characters are added.
• If StrikeLen is shorter than the original data length, then StrikeLen characters are replaced with the StrikeChar and the remaining data is removed.
• If StrikeLen is a negative number, then the number of characters represented by the absolute value of StrikeLen is left as-is. For example, to leave the last four characters or a value untouched, set StrikeLen=-4.
• For more flexible options, see BlockingMask.

BlockingMask

An optional regular expression that specifies which characters in the found data are replaced with the strike character (does not apply to Replace action). All characters within a group (defined by parentheses) in the regular expression are replaced with the strike character. Characters that match part of the pattern outside of a group are not replaced.

For example, the following mask would block just the numbers in a Social Security Number, leaving the dashes visible:

BlockingMask=([0-9]{3})-([0-9]{2})-([0-9]{4})

This example would leave the first four digits of a credit card number visible:

BlockingMask=[0-9]{4}([0-9]*)

BlockingMask is used in lieu of StrikeLen. You can use one or the other, but not both.

Note: Be careful when you use BlockingMask. If the data does not match the regular expression that is specified for BlockingMask, then the data is not blocked or encrypted.

ReqSetSection

Specifies the section for the name-value pair for a ReqSet, ReqAppend, or ReqDelete action. ReqSetSection is required for these three actions.

ReqSetField

Specifies the name of a name-value pair for a ReqSet, ReqAppend, or ReqDelete action. ReqSetField is required for these three actions.

ReqSetResult

This option is used in conjunction with StartPatternRE to produce a formatted value for a ReqSet or ReqAppend action. The StartPatternRE expression should contain one or more "groups", defined by parentheses within the regular expression. ReqSetResult is a string containing literal text and placeholders for the data captured by StartPatternRE.

Examples:

StartPatternRE=name="(.*?)" value="(.*?)"
ReqSetResult=Field
{g1} value: {g2}

Would result in a following value like:

Field name value: Bob

The first placeholder, {g1}, is replaced with the value from the first group in the regular expression. {g2} gets the second value, and so on. The result string is then used as the value for the ReqSet or ReqAppend action.

Action notes

• For ReqSet and ReqAppend the value to set or append can be specified in different ways. You can either use a literal string by setting ReplaceString to the required text, or you can pull data from the request or response by using Section, Field, ValueName, StartPattern, StartPatternRE, EndPattern and/or EndPatternRE.
• When you useg StartPattern or StartPatternRE with one of these actions the RepeatCount is always set to 1 (the first match is always used).
• IgnoreSpecial is always True for these actions when Section is specified. There is no special handling for the urlfield or cookies sections with these actions.
• The value for a field (name/value pair) can be cleared without removing the entire field by using ReplaceString with no value:

  
  ReplaceString=

• All carriage-returns and linefeeds in the value string are replaced with \r and \n.
• Privacy changes are queued and applied after all actions are complete. This means that actions normally see the original data. ReqSet, ReqAppend and ReqDelete keep track of field additions, changes, and deletions, so multiple changes to a single field (such adding a field then concatenating addition data to the value) can be done safely. Since the Replace action can affect any arbitrary piece of data in the request or response, it is not included in this change tracking. Changes that are made to field values are best done by using ReqSet and ReqAppend.
• When you use use Field or ValueName with ReqSet or ReqAppend you must specify a single field or value name. If there are multiple names the value for the last item that found is used.
• Similar to the note above, you must avoid specifying only a section to retrieve the value for a ReqSet or ReqAppend. Doing so results in the value from the last field (name/value pair) in the section that is used for the ReqSet or ReqAppend.